Security specialists at RSA have warned that too many companies have implemented IoT “security through obscurity”
Security specialists have warned that a high number of companies around the world are embracing the Internet of Things (IoT) without fully understand the risk IoT devices, putting their customers’ data in great danger.
“From a security perspective, the world is simply not ready for IoT,” said Rob Sadowski, director of market insight and technology solutions at RSA – the security arm of EMC.
“It’s just another thing that’s absolutely continuing to expand what we call the attack surface. It’s just another place where an attacker can find a vulnerability or can find a foothold an get in. It’s expanding the number of things that we need to defend or at least understand from a policy perspective.”
Speaking at EMC World in Las Vegas this week, Sadowski said there are a few important questions companies need to ask themselves if they are to utilise IoT devices securely.
Do you know what devices are on your network? Do you know who should have access to those devices? And what can those devices actually do? Can you make sure that those devices are deployed securely and maintained in a secure operating fashion?
“A lot of that has to do with patching and vulnerability management,” he explained. “Some of it has to do with the infrastructure that’s around the devices and how often that changes. That’s all fairly basic hygiene, blocking and tackling-type stuff. But given the scale of the amount of things that might show up on someone’s network in the future, that’s a big problem. Just look at the challenges that exist today.
Sadowski believes that there are plenty of companies working in the energy and chemicals sectors that are great examples of how not to embrace IoT.
“These are companies that have industrial controls that are automated. Security on their networks tends to not be very good and it’s security through obscurity in a lot of cases. There’s an assumption that devices have been deployed securely and that companies know who has access to them and what they’re doing with them. But when you go into many organisation they can’t actually answer those very fundamental questions.”
Jeff Carpenter, principal product marketing manager, RSA, agreed that the world is far from prepared for IoT, and is adamant that IoT frameworks must be urgently put in place.
He said: “We already have tens of thousands of manufacturers creating these devices and very few of them are security aware, security optimised or have anything to do with security.
“I’ve even seen security products out there for IoT that have very low security, so go figure. I think what we need is a framework so that you can class IoT devices by certain classifications. For example, a motion detector or a SIM chip that goes with your refrigerator. The framework would create a class of those ‘things’. Then you can manage security by class versus trying to have to manage and address policies for every device on your network.”
However, like many other innovations that are happening in IT, IoT adoption is not something that can be stopped, Sadowski said.
“There’s just so much potential for productivity benefits, cost benefits etc. But people working in security and risk have to get their heads around what the influx of connected devices is going to mean for the security of their company.”
Are you an IoT expert? Take our quiz to find out!