One of the fundamental questions we ask at IoTSF is “who owns security in IoT?” – it’s not a simple answer as IoT includes a large eco-system of providers, adopters and end-users.
It is clear that there is no silver bullet and security will vary by vendor, application and vertical market – there will be a great many choices. Regardless of your position in this eco-system, it is important to have a security mindset and an approach which is future-proof.
This blog post, originally posted here on CSO Forum by David Braue, provides a perspective and an approach to IoT security.
Thank you David
The breakneck growth of the Internet of Things (IoT) has taken many technology prognosticators by surprise – but there will be other, far less pleasant surprises in store if IoT manufacturers can’t improve their security practices quickly enough to avoid a data disaster.
Those practices are slowly maturing as security vendors – having only recently come to grips with the security implications of an explosion of smartphones, tablets, laptops and other endpoint devices – are faced with a much faster growth curve as businesses adopt all manner of networkable devices and the technology goes mainstream at rapid pace. Gartner, for one, has predicted that the 6.4 billion connected devices in use this year will nearly double, to 11.4 billion, by 2018.
While ubiquitous networking offers untold potential for delivering new services, network effects also make that connectivity a massive security threat as devices gain the ability to access each other – and the Internet – without intervention or control through a central point. This creates untold new vectors for attack and compromise of devices that users may not even realise are communicating sensitive information online.
For now, IoT weaknesses are being discovered on a largely ad hoc basis as researchers probe the security of all kinds of high-tech new devices – and they inevitably fail to measure up. Recent warnings about one model of Internet-connected home thermostat, for example, highlighted the poor security controls built into the devices while another study identified 86,000 Internet-connected printers that have many ringing alarm bells. Cars, appliances, wearable health sensors and fitness trackers, drones, security cameras – the list of potentially exposed IoT elements goes on and on, each promising its own set of consequences in the case of a breach.
Efforts to secure these devices are expected to explode in coming years, with Gartner forecasting in April that the $US231.9m spent on IoT security in 2014 would grow by 23.7 this year over last – and nearly double, to $US547.2m, by 2018.
Early “moderate” growth in spending will give way to a “faster rate” after 2020 as early work around IoT security gives way to broader frameworks and IoT security infrastructure, the company’s analysts said – while noting that by 2020, more than 25 percent of cyber attacks on enterprises will involve IoT.
“The effort of securing IoT is expected to focus more and more on the management, analytics and provisioning of devices and their data,” said Gartner research director Ruggero Contu, who highlighted the growing role of cloud-based security infrastructure that, by 2020, would be used by half of all businesses to impose security controls over IoT environments.
“IoT business scenarios will require a delivery mechanism that can also grow and keep pace with requirements in monitoring, detection, access control and other security needs,” he explained. “The IoT’s fundamental strength in scale and presence will not be fully realized without cloud-based security services to deliver an acceptable level of operation for many organizations in a cost-effective manner.”
Just as vendors of networking equipment previously missed many of the loopholes that allowed hackers to bypass their security protections, IoT makers are similarly overlooking many of the intricacies and compromises that their devices necessarily introduce. Whether due to coding flaws or design decisions explicitly made for simplicity of user experience, lack of experience and lack of standardisation are already jeopardising the future security of the IoT world.
Vendors are racing to provide cloud-based frameworks to provide this control, but until those frameworks are widely used and adopted by IoT vendors there will still be a yawning gap between IoT device security and corporate security policies that apply to other types of information.
Filling this gap will take years as security-conscious customers wait for vendors to not only lift their games, but to work constantly to identify and patch security vulnerabilities before hackers do. And a key part of this effort, says Gigamon’s ANZ security virtual field team lead Ian Farquhar, is to deploy powerful monitoring technology capable of extending current network visibility into cloud-based IoT environments.
“It’s just not possible to figure out in milliseconds whether something is bad or safe,” Farquhar explains. “By moving security to a cloud provider you haven’t lost responsibility for the workload. What you have lost is the visibility you need to properly deal with that responsibility.”
“That means we’ve also got to step away from the concept of controls that block, to embracing constant vigilance and operational security. It shouldn’t matter where the network traffic is; you should be able to see it.”
Applying that level of operational security to IoT environments will take time – and flexible, widely adopted standards. Efforts such as the OWASP Internet of Things project, for example, have moved to help IoT vendors improve their security game by offering resources such as guidelines around IoT security, IoT testing, and IoT framework assessments. The International Telecommunications Union (ITU), for its part, last year ran a global standards initiative, known as IoT-GSI, whose scope includes security standards and was recently rolled into the ITU-T SG20 group.
Yet while such standards will be important in the long term, in the short term it has become clear that management tools will not be able to compensate for IoT vendors’ poor security design. Corporate IoT technology adopters will need to scope out and implement their own solutions that combine cloud-based management capabilities with the management visibility of security-focused monitoring tools. This approach will abstract IoT security away from the devices and bring the new, malleable security perimeter in towards the more-controllable corporate network.
“One of the challenges with advanced threats is that attackers always play around the margins,” Farquhar says. “They are looking for the way in that you are not looking at. To get this, we need situational awareness in the cloud – and the first step to get that is visibility.”
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the IoT Security Foundation.