Is IoT Security a Ticking Time Bomb?
Ready or not, the Internet of Things (IoT) is here. No longer just a buzz term, it’ll continue to grow at an unprecedented pace over the next few years.
IoT Security Is an Afterthought
History shows that most fast-growth technology solutions focus on solving business problems first; security is an afterthought. Web applications, which have grown dramatically – to hundreds of millions in number over the last decade, still have major security problems, and cybercriminals continue to attack through this low-hanging fruit. Mobile apps, numbering around 4 million and counting, are still easily exploitable, leading to major losses from cyberattacks.
Unfortunately, IoT is following the same trend. Most IoT devices, apps and infrastructure were developed without security in mind and are likely to become targets of cybercriminals.
IoT Will Allow for Attacks We Can’t Even Imagine
To put it bluntly, IoT security concerns are critically serious. According to some security experts, major cyberattacks against IoT devices are looming. From connected cars to connected medical devices to smart buildings and cities, security implications are huge.
Bruce Schneier painted a very gloomy picture in a recent article. Schneier said that “the Internet of Things will allow for attacks we can’t even imagine” and noted that “the next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.” He added that “today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway.”
This may be a dark view of the IoT, but many organizations fear the worst when it comes to their security. Business executives consistently cite security as a major barrier to adopting IoT technology:
IoT Threat Vectors
Today’s IoT software applications are entrusted to securely manage your organization’s health care, transportation and other critical functions without fail. However, IT and security executives must be aware of safety and security risks that connected products pose as they rapidly evolve from unintelligent point objects into fully autonomous, IoT-enabled smart devices. They must also understand that fundamental security protection begins with controls built into devices and applications, and takes the ecosystem in which those devices and applications operate into consideration.
At a very high level, a typical IoT framework consists of edge devices (such as sensors, adapters, beacons, etc.), a gateway to communicate with these devices and a back-end server in the cloud or on-premises. You have to take each section separately and address security issues for each. Conduct a security penetration test, for example, to find out if endpoint devices can be hijacked and exploited.
If you need certificates for devices to communicate, ask your device manufacturer or find a security certificate vendor to provide the solution. For the gateway and the back-end server, make sure that besides the network security and data encryption issues, you address application security issues by performing security testing and fixing vulnerabilities. You should also harden binary code to protect your environment. An effective organizational security plan should incorporate basics such as network security protection and data encryption as well.
Securing IoT Infrastructure, Piece by Piece
Most companies lack the resources to protect every single aspect of the IoT infrastructure, so it’s important to prioritize the various assets based on exposure and liability issues. Fundamentally, it’s about risk management.
A medical device manufacturer, for example might have various IoT initiatives that could include smart buildings with lighting and thermostat controls, security cameras, logistics automation and actual products being sold to medical facilities. Clearly, from a liability perspective, it has to ensure the security of its medical device products that are communicating with each other over the internet before it looks at other internal IoT projects. Similarly, automotive manufacturers would want to make sure their connected car infrastructure can operate securely between the consumer’s mobile device, the dealer’s software and the telematics system.
Governments across the globe need to start taking IoT security seriously and create standards for companies to follow. Some discussions have already begun; Director of National Intelligence James Clapper and NSA Director Mike Rogers testified before Congress last year, warning of these threats, Schneier noted.
Although organizations don’t always welcome new regulations, minimal oversight opens doors and budgets for security teams. CEOs and boards of directors are more inclined to create budgets for compliance-related issues because they don’t have a choice. They might get complacent if there is no regulatory standard with specific deadlines. Many companies naturally tend to wait until they get attacked, which is absolutely the wrong practice to follow.
As a security manager and executive, you have to start by educating yourself on the concepts of IoT, various vulnerable vectors and the solutions available to protect your infrastructure.