Securing the world of things
As IoT becomes ubiquitous, organizations are facing new security challenges on a vast scale. We ask industry experts how they should be preparing to combat the threat.
There are an estimated 8.4 billion IoT devices in the world today, offering varying degrees of value and utility – from device-rich connected cars to smart egg trays that enable owners to remotely check the freshness of their eggs. Industry researchers at Gartner predict a rise to 20.4 billion devices by 2020; that’s more than three for everyone on the planet.
With adoption set to soar, having the correct security measures in place has become an imperative for businesses and government agencies. As cybersecurity expert and consultant CISO Vince Warrington warns: “An IoT device can open a large hole in your security perimeter. In the past, your IT team only had to worry about computers, laptops and printers being a security risk. Then along came smartphones and BYOD, but at least these still required some configuration by your IT team. Now any one of your employees could go out and buy an IoT device – maybe a smart kettle – potentially connect it to your internal network and open up a security hole.”
IoT devices by their nature often have very weak security. Many are designed to do one thing efficiently and cheaply, which means their processing power is limited. The more security that’s built in, the more capacity they need, slowing performance and raising unit costs. So, in many cases, the current practice is to build little or no security into many of the IoT devices themselves.
This has already led to a number of high-profile breaches. In October 2016, the Mirai malware was used to turn thousands of IoT devices around the world into botnets in order to mount an attack on Dyn, Oracle’s internet performance and DNS management offshoot. The DDoS (distributed denial of service) assault saw consumer devices such as digital video recorders, web cameras and home routers ‘hijacked’ and used to flood Dyn with so much traffic that it disrupted services for some of its largest customers, including Twitter and Netflix.
Increased spend on security
Such incidents are only likely to drive greater investment in IoT security. Gartner calculates that organizations will spend $1.5 billion on IoT security products and services in 2018, up 28% on last year. But its analysts warn that the market potential is being severely inhibited by three factors: the failure of organizations to prioritise and implement security best practice, immature standards and a lack of industry regulation. Together these will reduce potential spend on IoT security by as much as 80%.
As well as thwarting growth in the IoT security segment, these factors will have negative consequences for business and society as many devices are left open to attack.
Security experts, however, are clear about the action CIOs need to take, the role regulation can play and the potential for breakthrough technologies, such as blockchain, to improve security.
Advice for CIOs
Warrington’s first piece of advice for CIOs is not to be afraid to challenge IoT usage. “Ask yourself: ‘Why do we need this smart device in the first place?’ While IoT-enabled products might make your company seem modern, does it really need smart door locks when the swipe-card system, with well-understood vulnerabilities that can be mitigated, works well? Do you need a smart TV in your boardroom, which could be manipulated by external agents to record all the conversations going on in that room?”
IT executives need to use the greater prominence that they have built within their organizations in recent years. “If you are going to have smart devices in your company, make sure your IT department knows about it and can veto the installation of any device – no matter what its intended purpose is – if the security risks are too high,” advises Warrington.
The arrival of such shadow IoT can cripple a business. It is part of the CIO’s role to know what is happening on the business network and to be aware of potential vulnerabilities, and the wider business can help by respecting the CIO’s decisions.
Gary Cox, technology director for western Europe at network management software company Infoblox, believes getting basic security right is an obvious but vital place to begin. “Assess the risk and deal with what’s on your network quickly and automatically. Do you need to have IoT devices on the business network or can you isolate them on their own logical network? Efficient IoT security will involve an increasing compartmentalization of networks,” he says. “If something can be accessed from the internet, then it probably shouldn’t be on your network. If it needs to be, then appropriate monitoring/controls should be in place. The CIO, CISO and CEO need to work together and assess risk based on what’s important to the business.”
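Cox’s two rules, that IoT devices belong on their own logical network and that anything reachable from the internet should not sit on the business network without monitoring and controls, can be turned into an automated check over a device inventory. The following script is an added example written for this article, not code from Infoblox or any of the people quoted; the inventory format, the VLAN names, the `Asset` fields and the sample devices are all constructed assumptions.

```python
"""Segmentation policy check over a device inventory (added example).

Encodes two of the rules discussed above as checks:
  1. isolate-iot: IoT devices must live on a dedicated IoT VLAN, not the
     business VLAN.
  2. exposed-on-business-net: an internet-reachable host on the business
     VLAN needs both monitoring and compensating controls.
VLAN names, the record format and the sample inventory are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumed network layout: one business VLAN, dedicated VLANs for IoT.
BUSINESS_VLAN = "corp"
IOT_VLANS = {"iot-guest", "iot-building"}


@dataclass
class Asset:
    name: str
    kind: str                          # "iot", "workstation" or "server"
    vlan: str
    internet_exposed: bool = False     # reachable from the internet
    monitored: bool = False            # covered by logging / IDS
    compensating_controls: bool = False  # e.g. firewall policy, rate limiting


@dataclass
class Finding:
    asset: str
    rule: str
    detail: str


def check_asset(asset: Asset) -> list[Finding]:
    """Apply both rules to one inventory record."""
    findings: list[Finding] = []
    if asset.kind == "iot" and asset.vlan not in IOT_VLANS:
        findings.append(Finding(
            asset.name, "isolate-iot",
            f"IoT device on VLAN '{asset.vlan}', expected one of {sorted(IOT_VLANS)}"))
    if (asset.internet_exposed and asset.vlan == BUSINESS_VLAN
            and not (asset.monitored and asset.compensating_controls)):
        findings.append(Finding(
            asset.name, "exposed-on-business-net",
            "internet-reachable host on the business VLAN without monitoring and controls"))
    return findings


def check_inventory(assets: list[Asset]) -> list[Finding]:
    return [f for a in assets for f in check_asset(a)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick risk overview."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample inventory; none of these are real hosts.
SAMPLE_INVENTORY = [
    Asset("kettle-3f", "iot", "corp"),                     # shadow IoT on the office VLAN
    Asset("cam-lobby", "iot", "iot-building", monitored=True),
    Asset("tv-boardroom", "iot", "corp", internet_exposed=True),
    Asset("www-1", "server", "dmz", internet_exposed=True, monitored=True),
    Asset("vpn-gw", "server", "corp", internet_exposed=True,
          monitored=True, compensating_controls=True),
    Asset("pc-0451", "workstation", "corp"),
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY):
        print(f"[{finding.rule}] {finding.asset}: {finding.detail}")
    print(summarize(check_inventory(SAMPLE_INVENTORY)))
```

Run against the sample inventory, the smart kettle and the boardroom TV are flagged for sitting on the business VLAN, and the TV is flagged a second time because it is internet-reachable there without controls; the DMZ web server and the monitored VPN gateway pass. In practice the inventory would come from DHCP leases, a switch port table or an NAC system rather than a hard-coded list.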
Jamie Bennett, VP of engineering, devices and IoT at open source device operating system company Canonical, encourages IT leaders to adopt an agile and always-on approach to IoT security. “If CIOs adopt a mindset in which software is untrusted until proven trusted, then approaches to IoT security become a lot more coherent. The industry needs to move away from a model whereby businesses launch a product or roll out internal systems and then forget about them,” he says.
“Mirroring the DevOps culture, which has been so successful in other spheres, may provide some answers,” Bennett suggests. “You need to be able to distribute security updates automatically every day, because the number of reported critical bugs has exploded in recent years. You have to have a system in place where you can quickly react, rolling out new versions of the software but also rolling back to previous versions if that’s required.”
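The rollout-and-rollback loop Bennett describes is usually built on two image slots: the update is verified, written to the inactive slot, booted on trial, and promoted only once a health check passes; if it keeps failing, the device reverts to the previous slot. The simulation below is an added example written for this article, not code from Canonical or any product; the slot names, the trial-boot limit, the SHA-256 integrity check (standing in for the signature check a real pipeline would use) and the sample images are assumptions.

```python
"""A/B update with trial boots and automatic rollback (added example).

Models the update loop described above: stage a verified image into the
inactive slot, boot it on trial, confirm it after a passing health check,
otherwise roll back after MAX_TRIAL_BOOTS attempts. Slot names, the
integrity check and the sample firmware images are assumptions.
"""
from __future__ import annotations

import hashlib
from typing import Callable, Optional

MAX_TRIAL_BOOTS = 3  # assumed: boots allowed before an unconfirmed slot is abandoned


class DeviceState:
    """Two image slots; one is active, the other receives the next update."""

    def __init__(self, version: str, image: bytes):
        self.slots: dict[str, Optional[tuple[str, bytes]]] = {"A": (version, image), "B": None}
        self.active = "A"
        self.trial: Optional[str] = None   # slot booted on trial, not yet confirmed
        self.boots_remaining = 0
        self.log: list[str] = []

    def running_version(self) -> str:
        slot = self.trial if self.trial is not None else self.active
        return self.slots[slot][0]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Integrity check; a production pipeline would verify a signature instead."""
    return sha256_hex(image) == expected_sha256


def stage_update(dev: DeviceState, image: bytes, version: str, expected_sha256: str) -> bool:
    """Write a verified image into the inactive slot and mark it for trial."""
    if dev.trial is not None:
        dev.log.append("update refused: a trial is already in progress")
        return False
    if not verify_image(image, expected_sha256):
        dev.log.append(f"update {version} rejected: hash mismatch")
        return False
    inactive = "B" if dev.active == "A" else "A"
    dev.slots[inactive] = (version, image)
    dev.trial = inactive
    dev.boots_remaining = MAX_TRIAL_BOOTS
    dev.log.append(f"staged {version} into slot {inactive}")
    return True


def boot(dev: DeviceState, health_check: Callable[[bytes], bool]) -> str:
    """One boot cycle: confirm a healthy trial slot, or count down and roll back."""
    if dev.trial is None:
        return dev.running_version()
    if dev.boots_remaining == 0:
        dev.log.append(f"rollback to slot {dev.active} ({dev.slots[dev.active][0]})")
        dev.trial = None
        return dev.running_version()
    dev.boots_remaining -= 1
    version, image = dev.slots[dev.trial]
    if health_check(image):
        dev.active, dev.trial = dev.trial, None
        dev.log.append(f"confirmed {version}")
    else:
        dev.log.append(f"{version} failed health check, {dev.boots_remaining} trial boots left")
    return dev.running_version()


def apply_update(dev: DeviceState, image: bytes, version: str, expected_sha256: str,
                 health_check: Callable[[bytes], bool]) -> str:
    """Stage an update and boot until it is either confirmed or rolled back."""
    if not stage_update(dev, image, version, expected_sha256):
        return dev.running_version()
    while dev.trial is not None:
        boot(dev, health_check)
    return dev.running_version()


# Constructed sample images; the health check treats a trailing "healthy" as a good boot.
FW_V1_0 = b"demo-firmware 1.0 healthy"
FW_V1_1 = b"demo-firmware 1.1 healthy"
FW_V1_2 = b"demo-firmware 1.2 crashloop"


def sample_health_check(image: bytes) -> bool:
    return image.endswith(b"healthy")


if __name__ == "__main__":
    dev = DeviceState("1.0", FW_V1_0)
    apply_update(dev, FW_V1_1, "1.1", sha256_hex(FW_V1_1), sample_health_check)
    apply_update(dev, FW_V1_2, "1.2", sha256_hex(FW_V1_2), sample_health_check)
    print("\n".join(dev.log), "\nrunning:", dev.running_version())
```

The good 1.1 image is confirmed on its first trial boot; the broken 1.2 image exhausts its three trial boots and the device reverts to 1.1 without operator intervention, which is the property that makes daily automatic updates tolerable on a large fleet. Keying the health check on something the device can observe locally (services up, telemetry reaching the backend) rather than on the image contents is the step a real deployment adds.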
The role of regulation
CIOs’ efforts to counter IoT security issues should also be supported by regulation that applies pressure on manufacturers so they build security into products from the ground up. But the prospect of stifling innovation and regulators’ lack of knowledge of the fast-evolving IoT field means any regulation invariably lags behind industry developments.
Warrington highlights how many manufacturers see IoT security as an unwelcome overhead. And it is something that is often ignored in the desire to get a product to market quickly.
“We do need regulation in this area. As a society, we have managed to bring in, for example, a European standard for the toy industry to prevent unnecessary deaths and injuries to children from dangerous toys,” he says. “We can do the same for IoT. It just takes time for regulation to catch up with business.”
The UK government, for instance, has published an IoT security code of practice that it wants manufacturers to adopt so strong security is built into consumer IoT products by design. But it’s voluntary.
With a wider remit, the European Commission’s IoT group created an IoT security certification framework in September 2017. The proposal is being reviewed by member states and the European Parliament. It aims to avoid fragmented regulation and make it easier for businesses that embed IoT in their products to trade them freely across member states. But the certification scheme would also still be voluntary.
Stateside, the National Institute of Standards and Technology (NIST) has issued a draft report on the status of international cybersecurity standardization for IoT. It says: “Cybersecurity for IoT is unique and will require tailoring of existing standards, as well as the creation of new standards to address pop-up network connections, shared system components, the ability to change physical aspects of the environment and related connections to safety.”
While regulation and standards seem to be moving in the right direction, it is at a much slower pace than either the IoT industry itself or the cyber-criminals intent on exploiting vulnerabilities.
Christopher Littlejohns, EMEA engineer at Synopsys, a leading design automation software company, believes that alongside legislation the key to encouraging good practice lies in the commercial realities of customers boycotting products or companies. “Product developers need to be forced to apply good practice by one or both,” he says. “Unfortunately, the general populace is always tempted by cheaper products and has a short memory about problems. Therefore the government must act if the industry itself cannot create a credible certification mechanism that attests to security/quality.”
One technology being heralded as a potential silver bullet for IoT security issues is blockchain. As Warrington explains: “Currently, and somewhat ironically, so-called smart devices are not considered smart enough to make their own decisions on security. They need a centralized authority (i.e. your IT department) to do so. By using blockchain, it’s hoped that smart devices can protect themselves by forming a ‘group consensus’ about what is normal IoT activity within a given network, and then quarantine any devices that exhibit unusual behaviour.”
Owing to the sensitive nature of much of the data collected by IoT devices, some businesses are already using private blockchains. Canonical’s Bennett explains: “There’s the potential for blockchain to bring real scalability and decentralized security to the IoT ecosystem. Geographically distributed IoT devices fit well with the similarly decentralized peer-to-peer ledger of blockchain. But, it’s likely that businesses will go for private blockchains over their public counterparts. Private blockchains, which allow only a preselected group of people to maintain the integrity of the ledger, can empower businesses to be more intuitive in the way they manage and secure IoT devices.”
There will never be a watertight solution to any cybersecurity problem, so, despite the positive feelings about blockchain’s ability to improve IoT security, there are still areas of contention.
Private blockchains are less secure than their public counterparts as they rely on a greater level of trust between participants, and that’s compounded by the fact blockchain technology is still in its infancy. Even organizations designed to promote its use for IoT security, such as the Trusted IoT Alliance, say the industry needs several more generations of blockchain before it’s completely fit for purpose.
Nonetheless, IoT is a priority for most organizations. Research by the Wireless Smart Utility Network Alliance found that two-thirds of companies have it in their top two priorities. But alarmingly it also revealed that “only 38% of respondents reported that their organization included protecting the network from the threats posed by IoT devices in their IoT strategy. Barely more than half (51%) said considering how to secure the data collected by IoT devices was a part of their strategies.”
As that suggests, many organizations are not taking IoT security seriously enough. Bennett reminds leaders that they need “to see IoT security not as a one-off decision, but as a conscious effort rooted in an ongoing culture of protecting every device. When security is treated as an afterthought, patching vulnerabilities becomes a never-ending battle. Just one security flaw can have real business implications. A continual stream of breaches will have irreversible costs. The easiest way, therefore, to guarantee security is to start from the OS and work your way up, tailoring your software with IoT in mind from the beginning.”