When I do media spots, interviewers often ask me, “What is the best single thing you can do to prevent cyberattacks?” I jokingly respond, “Unplug and turn off all your devices — it’s a 100 percent security solution!” Ironically, when discussing Internet of Things (IoT) security, some people believe turning all devices off is an actual strategy.
Absolute IoT Security Is Not Practical
According to Dan Lohrmann, chief strategist and chief security officer (CSO) at Security Mentor, Inc., we should be aware of three things. First, just as with Wi-Fi, cloud computing and bring-your-own-device (BYOD) programs, the global IoT boat has already left the dock. Don’t be the naysayer who simply opposes all IoT devices in the name of cybersecurity concerns.
Second, you’ve got to know what is connected to your networks. Learn what IoT devices are being used, both openly with management approval and in shadow IT. Is sensitive data being protected? Are security features enabled and sufficient? Have default passwords been changed? Is encryption needed?
Finally, some IoT devices probably do need to be disconnected. But this should be a last resort after you’ve done your homework and worked with customers on offering business answers.
Industry Experts Weigh In
Tyler Carbone, COO, Terbium Labs:
At this point, I think disconnecting IoT devices would be like trying to put the genie back in the bottle. We need to move past thinking of IoT as a completely separate kind of problem. At the end of the day, these are computers, and they’re on the internet for the same reason our desktops are: It adds a lot of value.
I don’t think we should any more disconnect the entire IoT than we should disconnect the rest of the internet. That said, we do need to start thinking of this connectivity with security in mind. Again, think of desktop computers. Some should absolutely be air gapped. Others need to be on a network, but their security is critical enough that access must be severely restricted. Others can be more permissively configured, but those shouldn’t have permission to touch mission-critical systems.
We’re used to thinking about these problems for computers. With the IoT, because the market is still fairly young, there is a fair amount of, frankly, sloppy decision-making and one-size-fits-all network connectivity. That’s what we need to address to improve IoT cybersecurity — disconnecting everything would be too blunt an instrument here.
Shahid Shah, CEO, Netspective Communications:
We need to consider working on a consensus standard that would only allow IoT devices or data into our networks that could be minimally validated to be secure. This is difficult to define, but necessary. Any devices that haven’t passed minimal cybersecurity checks should be taken off the network until they’re shown not to cause harm to other participants in the network.
Scott Schober, President and CEO, Berkeley Varitronics:
I always encourage users to think before plugging in to the internet. They need to weigh convenience against security because, invariably, the more convenient an IoT device is, the less secure it is.
This is especially true of low-cost consumer IoT devices and sensors that cut corners on security in order to sell to the consumer masses. These consumer-driven IoT devices are easy to plug and play, but have no means to update or handle firmware upgrades when vulnerabilities eventually surface. So my advice extends all the way back to the point of purchase: Ask yourself if you even need such a connected device before you buy it. Then, if you’ve gone ahead with the purchase, think again before connecting it to the internet.
A Delicate Balance
When it comes to IoT security, like all other parts of cybersecurity, there is always a balance between usability and safety. The security practitioner’s goal should be to constantly balance this equation against the risk of a breach.
Listen to the podcast series: 5 Indisputable Facts About IoT Security
Global Offering Manager, IBM
Bob Stasio is a contributor for SecurityIntelligence.