The other day, a colleague was musing about whether we need new security tools for the Internet of Things (IoT). If a watch or car navigation console runs Android 5.0 (Lollipop) or apps from the Google Play Store that use a cellular or Wi-Fi connection, what makes securing those devices different from securing an Android tablet?

Not a lot. Though some threat models may differ (for example, a tablet can be taken with you, while the console in the car is fixed in place), the underlying core architectural components — platform, network communication and applications — are the same. Analyzing an Android app for vulnerabilities may depend on the Android version, but in general, if the app is using an insecure transmission on the tablet, it is using it on the watch, too. Enterprises are maturing their mobile device protection programs by implementing stronger controls, including mobile app reporting analysis, mobile application and policy management and aggregation of mobile device log data into the corporate security information and event management (SIEM) the security operations center.

‘IoT’ Is a Broad Term

At the end of George Orwell’s “Animal Farm,” the Seven Commandments of Animalism are reduced to one: “All animals are equal, but some animals are more equal than others.” While that sentiment is rather depressing in the context of Orwell’s allegory, it’s quite apt for the IoT because not all devices and applications in the IoT world are equal.

The exact definition of what constitutes the “T” in the IoT world is still in flux, but IBM has posited an IoT framework that draws a distinction between smart devices (such as tablets, phones and watches running Android or iOS and loaded with mobile apps from Google Play or the App Store) and other “things,” such as pacemakers and oil level sensors in cars. This is illustrated in the graphic below:

While it’s true the “things” at the top need some kind of operating system (OS) and application software that communicates with a local or public network, there is no requirement that these “things” run a full-blown version of iOS or Android. This means standard enterprise mobile application and policy management agents won’t run on them.

Testing mobile apps is fairly straightforward. Download the app from the Play or App Store and run it through an analyzer. However, IoT apps running on the “things” may not be freely available for testing and may not be testable with analyzers designed to assess Android or iOS apps.

Watch the on-demand webinar to learn more about securing the internet of things

The Propriety Problem

Remember the early days of cell phones, when there seemed to be as many OSs as there were phone manufacturers? The splintered OS issue is alive and well in the IoT today. In addition to iOS and Android, there are competing systems for IoT dominance, including Ubuntu, mBed and Contiki — not to mention vendors that are writing their own custom OS for very small “things” and sensors.

Application testing and protection agents are purpose-built for a platform, which means vendors need to create a specialized version for each OS. While this isn’t an impossible task, it requires significant investment that may not be cost-justified. With so many IoT OS options, strategic vendors will have to wait to see which ones gain market share before they develop security solutions for them.

How about monitoring the data and communications from those things and apps? Proprietary app logs don’t need to follow a standard format, which could mean new parsers and rule sets for SIEMs. The same goes for unique communications protocols. This is already a reality in the industrial control systems space, where protocols such as DNP3 and Modbus are used.

Other must-haves for security, such as the ability to discover devices, manage them remotely and interconnect with them via networking and data exchange, are equally up in the air, with at least six different groups working on standards.

Time Will Tell

The IoT is broader than smart devices running iOS and Android, and new security solutions, or versions of existing solutions, will need to be created to extend security controls and monitoring. However, until the market shakes out and winners emerge in the OS and standards race, it will be hard for security vendors to know which platforms and protocols to build for.

In the meantime, there is a lot you can do, starting with designing your IoT sensors, instruments, applications and hardware with security in mind.

More from Intelligence & Analytics

2022 Industry Threat Recap: Manufacturing

It seems like yesterday that industries were fumbling to understand the threats posed by post-pandemic economic and technological changes. While every disruption provides opportunities for positive change, it's hard to ignore the impact that global supply chains, rising labor costs, digital currency and environmental regulations have had on commerce worldwide. Many sectors are starting to see the light at the end of the tunnel. But 2022 has shown us that manufacturing still faces some dark clouds ahead when combatting persistent…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…