February 9, 2015 By Diana Kelley 3 min read

The other day, a colleague was musing about whether we need new security tools for the Internet of Things (IoT). If a watch or car navigation console runs Android 5.0 (Lollipop) or apps from the Google Play Store that use a cellular or Wi-Fi connection, what makes securing those devices different from securing an Android tablet?

Not a lot. Though some threat models may differ (for example, a tablet can be taken with you, while the console in the car is fixed in place), the underlying core architectural components — platform, network communication and applications — are the same. Analyzing an Android app for vulnerabilities may depend on the Android version, but in general, if the app is using an insecure transmission on the tablet, it is using it on the watch, too. Enterprises are maturing their mobile device protection programs by implementing stronger controls, including mobile app reporting analysis, mobile application and policy management and aggregation of mobile device log data into the corporate security information and event management (SIEM) the security operations center.

‘IoT’ Is a Broad Term

At the end of George Orwell’s “Animal Farm,” the Seven Commandments of Animalism are reduced to one: “All animals are equal, but some animals are more equal than others.” While that sentiment is rather depressing in the context of Orwell’s allegory, it’s quite apt for the IoT because not all devices and applications in the IoT world are equal.

The exact definition of what constitutes the “T” in the IoT world is still in flux, but IBM has posited an IoT framework that draws a distinction between smart devices (such as tablets, phones and watches running Android or iOS and loaded with mobile apps from Google Play or the App Store) and other “things,” such as pacemakers and oil level sensors in cars. This is illustrated in the graphic below:

While it’s true the “things” at the top need some kind of operating system (OS) and application software that communicates with a local or public network, there is no requirement that these “things” run a full-blown version of iOS or Android. This means standard enterprise mobile application and policy management agents won’t run on them.

Testing mobile apps is fairly straightforward. Download the app from the Play or App Store and run it through an analyzer. However, IoT apps running on the “things” may not be freely available for testing and may not be testable with analyzers designed to assess Android or iOS apps.

Watch the on-demand webinar to learn more about securing the internet of things

The Propriety Problem

Remember the early days of cell phones, when there seemed to be as many OSs as there were phone manufacturers? The splintered OS issue is alive and well in the IoT today. In addition to iOS and Android, there are competing systems for IoT dominance, including Ubuntu, mBed and Contiki — not to mention vendors that are writing their own custom OS for very small “things” and sensors.

Application testing and protection agents are purpose-built for a platform, which means vendors need to create a specialized version for each OS. While this isn’t an impossible task, it requires significant investment that may not be cost-justified. With so many IoT OS options, strategic vendors will have to wait to see which ones gain market share before they develop security solutions for them.

How about monitoring the data and communications from those things and apps? Proprietary app logs don’t need to follow a standard format, which could mean new parsers and rule sets for SIEMs. The same goes for unique communications protocols. This is already a reality in the industrial control systems space, where protocols such as DNP3 and Modbus are used.

Other must-haves for security, such as the ability to discover devices, manage them remotely and interconnect with them via networking and data exchange, are equally up in the air, with at least six different groups working on standards.

Time Will Tell

The IoT is broader than smart devices running iOS and Android, and new security solutions, or versions of existing solutions, will need to be created to extend security controls and monitoring. However, until the market shakes out and winners emerge in the OS and standards race, it will be hard for security vendors to know which platforms and protocols to build for.

In the meantime, there is a lot you can do, starting with designing your IoT sensors, instruments, applications and hardware with security in mind.

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today