Piers Wilson, head of product management at Tier-3 Huntsman, examines the main security issues being introduced by IoT, and outlines three basic steps that can help to overcome them.
The Internet of Things (IoT) has the potential to produce a headache for the future, as manufacturers race to bring out the latest generations of connected TVs, kitchen appliances, cars and home automation systems ahead of their rivals.
Sensors and control systems are being embedded into all manner of devices and components, equipping them with wireless connectivity and cloud-based command and control capabilities that enable remote interaction with them through users’ mobile devices. On the one hand, this is all adding ease and convenience to our lives.
On the other, it is also creating a new generation of issues for enterprises and their security teams as this uncontrolled proliferation of technologies becomes more prevalent in the workplace. As with a number of previous technologies, such as mobile devices, there is an inevitable link between the rate of adoption, an exponential increase in security weaknesses and the presence of consumer-based technologies on the enterprise network.
Who’s been in my fridge?
Fears of fridges being hacked might initially have seemed a little alarmist, but became a sobering reality late in 2013, when an IT security company reported that a connected fridge had sent out more than 750,000 spam and phishing emails. Similarly, experts from Context Security in the UK recently demonstrated how easy it is to hack network-enabled LED light bulbs to gain access to the underlying wireless network. Cases such as these thankfully remain few and far between for the time being, but they raise some obvious considerations for the future as IoT technologies become more widespread in the business environment.
A key concern as this trickle of devices becomes a flood is the lack of regulations in the sector. While efforts are being made by a number of industry participants to introduce standards, the IoT space remains largely devoid of security controls and protocols:
1. IoT technologies, whether intended for the domestic or enterprise market, will increasingly be connected to enterprise networks.
2. Many IoT deployments will originate from business or user communities, not from within (or under the control of) the IT function.
3. Many IoT devices or applications will have security vulnerabilities, which will have knock-on effects, including the exposure of corporate data, systems, networks and users.
4. When IoT technologies are attacked, the implications will be “real” and potentially serious, even life-threatening in the case of medical devices.
Unfortunately, securing these embedded devices isn’t easy because they often don’t run traditional anti-malware solutions or allow secure configuration. IoT device manufacturers simply don’t see it as their responsibility to develop these technologies with security in mind. Indeed, four researchers from EURECOM France conducted the first large-scale analysis of firmware in embedded devices and found that over 140,000 devices in existence today contain zero-day vulnerabilities, backdoors and poor methods of authentication. When this laissez-faire approach to IoT device security enters the enterprise, the risks magnify and go way beyond the traditional security implications of data loss, fraud, damaged reputations or privacy infringements. The nature of an exploit through an insecure IoT device means businesses will have to be able to deal with the very real challenge of detecting and dealing with these threats, or face potentially severe consequences.
Securing the IoT
Far from being a dystopian security nightmare, there are a number of proactive steps that can be taken to ensure that effective security is maintained as IoT and device-based technologies spread through the enterprise.
Step 1: Plan an IoT-aware enterprise network – Thought needs to be given to how a network is structured, how users and end-point devices connect and how servers, applications and critical platforms are protected. Techniques like network segmentation, network access control and internal traffic management are important. IoT also means, consciously or not, embracing cloud access, as well as the adoption of mobile and wireless technologies. As such, traditional security approaches will rapidly become less effective, meaning that businesses must adopt more protective security policies and controls, along with continuous monitoring of cloud and mobility initiatives.
Step 2: Get the business engaged – Just as with BYOD, adoption of IoT is largely being driven by enterprise workforces, leaving IT departments and security teams racing to keep up. However, without the IT department being involved during the early stages of adoption, security and risk-reduction protocols for the use of IoT devices, control systems and appliances are often being added as an afterthought, or neglected altogether, creating weaknesses in the security posture. To combat this, IT teams must seize the initiative and work with vendor and user communities within the business to develop guidelines that govern how these technologies can be used to benefit the enterprise. Those who fail to act now run the risk that IT security considerations will become an impediment to business activities in the future once IoT has become widely adopted by the workforce.
Step 3: Strive for “IoT visibility” – Rather than trying to define a set of patterns or rules that constitute “IoT Access Lists” or “Device Vulnerability Signatures,” businesses should have a network and system monitoring capability that is able to detect any IoT technologies deployed on their networks and identify how they are behaving. This will enable them to ensure that if and when those technologies are attacked, exploited or malfunction, the resulting incident can be quickly detected, investigated and dealt with appropriately. To make this seamless, security teams must automate responses and network security controls, pre-create scripts and build timely failsafe responses to prioritised threats.
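The visibility described in Step 3 can be illustrated with a small behavioural baseline, given here as an added example that is not part of the original article: it learns what each known device normally talks to, then flags unknown devices, new peers and volume spikes, and maps each alert to a pre-agreed response. The flow records, MAC addresses, hostnames and playbook action names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (device MAC, destination port, destination host, bytes).
BASELINE_FLOWS = [
    ("aa:bb:cc:00:00:01", 443, "cloud.fridge-vendor.example", 1200),
    ("aa:bb:cc:00:00:01", 443, "cloud.fridge-vendor.example", 1500),
    ("aa:bb:cc:00:00:01", 123, "ntp.example", 90),
    ("aa:bb:cc:00:00:02", 443, "api.bulb-vendor.example", 400),
]
LIVE_FLOWS = [
    ("aa:bb:cc:00:00:01", 443, "cloud.fridge-vendor.example", 1300),  # normal
    ("aa:bb:cc:00:00:01", 25, "mx.mail.example", 5000),    # fridge speaking SMTP
    ("aa:bb:cc:00:00:02", 443, "api.bulb-vendor.example", 90000),  # volume spike
    ("aa:bb:cc:00:00:09", 443, "unknown.example", 300),    # never inventoried
]
# Hypothetical pre-created responses, one per alert kind.
PLAYBOOK = {"unknown-device": "quarantine-vlan",
            "new-peer": "block-flow-and-ticket",
            "volume-spike": "rate-limit-and-ticket"}

def build_baseline(flows):
    """Learn, per device, the (port, host) peers it uses and its largest flow."""
    profile = defaultdict(lambda: {"peers": set(), "max_bytes": 0})
    for mac, port, host, nbytes in flows:
        profile[mac]["peers"].add((port, host))
        profile[mac]["max_bytes"] = max(profile[mac]["max_bytes"], nbytes)
    return dict(profile)

def detect(flows, baseline, volume_factor=10):
    """Return (mac, kind, detail) for flows that deviate from the learned profile."""
    alerts = []
    for mac, port, host, nbytes in flows:
        profile = baseline.get(mac)
        if profile is None:
            alerts.append((mac, "unknown-device", f"{host}:{port}"))
        elif (port, host) not in profile["peers"]:
            alerts.append((mac, "new-peer", f"{host}:{port}"))
        elif nbytes > volume_factor * profile["max_bytes"]:
            alerts.append((mac, "volume-spike", str(nbytes)))
    return alerts

def respond(alerts):
    """Map each alert to its pre-agreed playbook action."""
    return [(mac, PLAYBOOK[kind]) for mac, kind, _ in alerts]

if __name__ == "__main__":
    for mac, action in respond(detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS))):
        print(mac, action)
```
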
Bring it back to basics
In all this, it shouldn’t be forgotten that the IoT doesn’t change the core objective of the security function: Protect the enterprise network environment and the sensitive data it contains whilst maintaining and protecting services, safeguarding reputations and complying with regulations. However, in a similar way to cloud computing, mobile devices and social media before it, any connections between IoT type solutions and the enterprise will require security monitoring and control techniques where existing policies and standards cannot be easily followed or enforced.
In the absence of security standards and with the ubiquity of IoT devices, rules-based policy engines are grossly inadequate in detecting and analysing potential security threats. Organisations must update their approach to IT security, enforcing a proactive management regime, with the ability to observe, monitor and detect any behavioural anomalies in real-time. This approach will be critical as the rise of the machines continues, enabling security teams to respond quickly to both traditional risks and emerging IoT threats. With a solid foundation to support these types of technologies, security teams can become an enabler rather than a deterrent for innovation, and reduce the risk of “shadow IT” creeping in through the cracks.