IoT went quickly from buzzword to mainstream, and connected devices have become common in households and enterprises around the globe. A worrying lack of regulation has fueled a plethora of security problems causing headaches to security teams and endangering end users.
A recent survey found that security and line-of-business (LoB) leaders are experiencing high levels of anxiety due to IoT/OT security concerns, largely because of the negative business ramifications a security failure can have on critical business operations.
Here’s what infosec experts think about the current state of IoT security, and the many security initiatives that have emerged in the past few years.
Steve Mulhearn, Director Enhanced Technologies UKI & DACH at Fortinet
The biggest challenge here is that every IoT device was designed with functionality, not security, in mind; therefore, the underlying mechanisms for the intended connectivity are inherently insecure. This has led to devices being used in a number of ways to breach security systems. It doesn’t necessarily matter whether it’s as a gateway or access point, or if the devices are utilised as an army against a network or service. The security required is the same.
There are three routes organisations can take when implementing security into the Internet of Things; the first being around governance and standards – the biggest challenge here will always fall back on cost. The second option involves ensuring devices are built with some form of Open standards OS – which is effectively a cut down version (that has been tested and approved by a body) which is then made freely available. Vendors can take an IoT device and apply an underlying OS to ensure its security.
Finally, the last option is to essentially barrier off the devices through internal segmentation from the rest of the organisation’s ecosystem. It’s worth noting that where IoT security currently sits, there are no guarantees that they will have no vulnerabilities; however, through these initiatives, said vulnerabilities are considerably fewer.
The most important thing with IoT initiatives is understanding your critical services. Organisations will need to identify what devices they utilise, and what possible risks the devices pose to their organisation. It’s also worth noting there cannot be one standardised route; every organisation’s requirements will be different – a financial services company will need to secure fewer devices than a retail organisation, for example.
Are we doing enough? The answer at the moment is no. Breaches are still happening and IoT continues to play a considerable role in these breaches. Organisations looking to take IoT security seriously should look at internal segmentation as a starting point. The goal here has to be to minimise risk or at least bring it down to an acceptable level.
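The internal segmentation Mulhearn recommends above is easier to reason about when the policy is written down and checked against real traffic. The following Python is an added example (not Fortinet's code or anything from the original article): it models an IoT segment that may only reach an explicit allow-list of internal services, then evaluates constructed NetFlow-style records against that policy and reports any flow that leaves the IoT segment for somewhere it should not go. The address plan, segment names, ports and sample flows are all assumptions made for the illustration.

```python
"""Segmentation policy check for an IoT network segment (added example).

Models the 'barrier off the devices' approach: IoT devices live in their own
segment and may only reach an explicit allow-list of services. Constructed,
NetFlow-like records are evaluated against that policy and any flow that
crosses from the IoT segment into the rest of the estate is reported.
All addresses, segment names and ports are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed address plan (hypothetical): one IoT VLAN, one corporate LAN and a
# small block hosting the IoT broker, time server and resolver.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.50.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "iot-services": ipaddress.ip_network("10.60.0.0/28"),
}

# Allow-list: (source segment, destination segment, protocol, dest port).
# Any flow leaving the IoT segment that matches none of these is a violation.
ALLOWED = {
    ("iot", "iot-services", "tcp", 8883),  # MQTT over TLS to the broker
    ("iot", "iot-services", "udp", 123),   # NTP from the internal time server
    ("iot", "iot-services", "udp", 53),    # internal DNS resolver
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(addr: str) -> str:
    """Map an address to its segment name; anything outside the plan is 'other'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "other"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def is_violation(flow: Flow) -> bool:
    """True if the flow originates in the IoT segment and is not allow-listed."""
    if segment_of(flow.src) != "iot":
        return False  # this policy only governs traffic leaving the IoT segment
    key = ("iot", segment_of(flow.dst), flow.proto, flow.dport)
    return key not in ALLOWED


def find_violations(lines):
    """Return the parsed flows that break the IoT segmentation policy."""
    return [f for f in map(parse_flow, lines) if is_violation(f)]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "10.50.0.21 10.60.0.2 tcp 8883",   # camera -> MQTT broker: allowed
    "10.50.0.21 10.60.0.3 udp 123",    # camera -> NTP: allowed
    "10.50.0.33 10.10.4.7 tcp 445",    # thermostat -> corporate file server: violation
    "10.50.0.33 10.50.0.21 tcp 80",    # lateral IoT-to-IoT: violation
    "10.50.0.40 203.0.113.9 tcp 443",  # direct egress to the Internet: violation
    "10.10.4.7 10.50.0.21 tcp 80",     # corp -> IoT (administration): not governed here
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {segment_of(v.src)} -> {segment_of(v.dst)}: {v}")
```

The allow-list is deliberately written as "IoT may initiate only these" rather than as a list of things to block: a device that starts talking to the corporate file server, to a neighbouring device, or straight out to the Internet shows up as a violation without anyone having anticipated that specific path. The same table can be translated more or less directly into firewall rules between the VLANs.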
Jason Hart, VP and CTO for Data Protection at Gemalto
A new IoT botnet, called Reaper, surfaced recently, infecting thousands of webcams, security cameras and DVRs, and providing a fresh reminder of the persisting security issues with the IoT. In response, we need to implement the lessons learned a year ago from the Mirai attack. One of the shocking revelations at that time was that so many devices had hardcoded, unchangeable passwords. Many others were protected only by unchanged default passwords.
IoT manufacturers, cloud providers and third-party vendors need not only to better protect these devices with dynamic passwords and to patch known vulnerabilities, but also to encrypt communication between the devices and to create an infrastructure of trusted identities that can be authenticated virtually. A recent Gemalto survey found that just 62 percent of organizations currently encrypt data as soon as it reaches their IoT devices. Two thirds of organizations admitted they don’t have complete control over the data that IoT products or services collect as it moves from partner to partner.
The same survey found that 96 percent of business organizations and 90 percent of consumers are looking for government-enforced IoT security regulation. Currently, without any such law, companies are managing it on their own and falling short. Security in IoT is not a patch or quick fix. There are too many devices and users, and the cost associated with a traditional security patching approach would be too great.
Hopefully the “distributed consensus” capabilities of blockchain will soon come into play and give us an even better way to secure IoT communications. Multiple organizations are working on ways to use blockchain to improve how we do authentication and non-repudiation for the IoT.
Daniel Miessler, Director of Advisory Services at IOActive
The remarkable growth and mainstream success of the IoT industry today has been built upon wholly insecure foundations. Unfortunately, most companies are more concerned with getting their product to market than whether or not it is secure. We have seen security issues in connected devices ranging from smart lighting to pacemakers, all because the manufacturer has seen security as an afterthought. Regulators are still playing catch up but we urgently need stronger IoT security initiatives to ensure security best practice is followed during every stage of development. Only then can you ensure that the final product is safe to go to market. After all, it’s much harder to fix the foundations once the walls are up.
When purchasing an IoT device today, it’s impossible to assess its security credentials from the marketing materials. This needs to change. We need initiatives to enforce greater transparency in the market, as IoT manufacturers won’t take it upon themselves to change unless there are commercial benefits in doing so. The industry could learn a lot from the food industry, which has mandated that food products display nutritional content, and I would welcome a similar approach to IoT security rankings.
There are many initiatives to pick from, and many are being added constantly or being shut down. A few that have been somewhat consistent are the CSA Internet of Things Working Group, the OWASP IoT Project, and I am The Cavalry.
The Cloud Security Alliance group is probably the largest and best organized. The OWASP project is simple and approachable. And the Cavalry group is a great community of experts you can reach out to for help on multiple IoT related issues.
Geoff Webb, Vice President, Strategy for Micro Focus
The whole basis for IoT security is still extremely unclear – partly because there are many vendors, many elements to the IoT overall, and many competing agendas. Remember that the IoT will inherit all the current crop of security problems we face (in the Internet itself, end points, enterprise systems, and so on), and it will add to them a whole new slew of challenges associated with the actual smart devices themselves.
Any IoT security initiative must recognize that and establish some way of deploying more secure devices in a highly uncertain and deeply insecure landscape if it’s going to be successful in any measurable way.
For CISOs who want to get involved and help, I would still recommend many of the existing professional bodies (such as the ISSA or the CSA) who can bring together enough interested and committed parties to actually drive real change. Recognize, however, that it’s going to be a long, hard slog to move the needle – the complexity and rapidity of change in the IoT world means that the target is often moving quickly.
Ultimately, the IoT is where all our security chickens come home to roost – lack of security in the ‘net, lack of secure systems for services in the enterprise, lack of standards for devices, and even the specter of poor supply chain security in which the very O/S or hardware of the devices might already be compromised, mean that building a secure IoT is going to be a herculean task. However, it’s also one worth pursuing.
Srinivas Kumar, VP of Engineering at Mocana
There are several IoT security initiatives driven by the Industrial Internet Consortium (IIC) and Information Sharing and Analysis Centers (ISACs) to address emerging attack vectors in the industrial, automotive and home automation sectors. Threats in IoT relating to smart factories, smart cities, smart cars, and mission-critical applications impact the safety of operations and may cause loss of lives.
Therefore, in sharp contrast with IT security controls, detection methods are inadequate. Protecting the IoT ecosystem requires attention to supply chain provenance from the silicon up to the device, operating platform, applications and connected services. IoT devices must be protected and tamper resistant from power-on to firmware, software and configuration updates over the air, network or removable media. The provisioning, administration, and management of device operations requires quantum resistant, scalable and automated protections.
Past initiatives focused on point solutions and isolated security controls have been proven ineffective against breaches in the IT world. A holistic approach is required to bake trusted controls across the supply chain and entire software stack from bootloaders to the operating system, transport protocols and applications. This requires use of a root of trust with a secure element, high assurance cryptography and scalable management of key cryptographic artifacts.
The level of protection required varies by industry and line of business. Sector specific ISAC initiatives are necessary to address the protection profile for that sector. Security budgets must be appropriated for lifetime protection of IoT devices early in the manufacturing cycle to avoid after-market reengineering and service disruption.
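Kumar's points above about a root of trust, tamper resistance from power-on, and authenticated updates over the air are easier to picture with a small model. The following Python is an added example, not Mocana's code or anything from the original article. It models two mechanisms with the standard library only: a measured boot chain in which each stage's image is hashed and extended into a PCR-style register (new = H(old || measurement)), so the final value commits to the whole stack from bootloader to application and any tampered or reordered stage fails attestation; and an update check in which an over-the-air image is accepted only if its tag verifies under a key that never leaves a simulated secure element. The images, the key and the "golden" register are constructed for illustration, and the HMAC tag stands in for the asymmetric firmware signature a real device would verify.

```python
"""Root-of-trust boot chain and authenticated update (added example).

1. Measured boot: an immutable root of trust measures the bootloader, which
   measures the OS, which measures the application. Each measurement is
   extended into a register (PCR-style: new = H(old || measurement)), so the
   final value commits to the ordered chain; a tampered or reordered stage
   produces a different value and fails attestation.
2. Update authentication: an OTA image is applied only if its tag verifies
   under a key held by the (simulated) secure element. HMAC-SHA256 is used
   here as a stand-in for the asymmetric signature a real device would check.
Images, keys and expected values are all constructed for illustration.
"""
import hashlib
import hmac


def measure(image: bytes) -> bytes:
    """Measurement of one boot stage: the hash of its image."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend; order matters, so swapped stages change the result."""
    return hashlib.sha256(register + measurement).digest()


def measured_boot(stages) -> bytes:
    """Walk the chain root -> bootloader -> OS -> app, extending each measurement."""
    register = bytes(32)  # reset value at power-on
    for image in stages:
        register = extend(register, measure(image))
    return register


class SecureElement:
    """Stand-in for a hardware secure element: holds secrets, exposes verify only."""

    def __init__(self, update_key: bytes, golden_register: bytes):
        self._update_key = update_key  # never returned to the host
        self._golden = golden_register  # expected register for the known-good stack

    def attest(self, register: bytes) -> bool:
        """Constant-time comparison against the known-good boot measurement."""
        return hmac.compare_digest(register, self._golden)

    def verify_update(self, image: bytes, tag: bytes) -> bool:
        """Accept the image only if the tag was produced with the update key."""
        expected = hmac.new(self._update_key, image, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def sign_update(key: bytes, image: bytes) -> bytes:
    """Vendor/build-server side producing the tag; the device only ever verifies."""
    return hmac.new(key, image, hashlib.sha256).digest()


# Constructed known-good stack and provisioning values (placeholders).
BOOTLOADER = b"bootloader-v1"
OS_IMAGE = b"rtos-v3.2"
APP_IMAGE = b"sensor-app-v1.0"
GOLDEN = measured_boot([BOOTLOADER, OS_IMAGE, APP_IMAGE])
UPDATE_KEY = b"\x01" * 32  # placeholder; a real key is provisioned at manufacture
SE = SecureElement(UPDATE_KEY, GOLDEN)


def boot_and_attest(stages) -> bool:
    """Boot the given stage images and report whether the result attests."""
    return SE.attest(measured_boot(stages))


def apply_update(image: bytes, tag: bytes) -> bool:
    """Apply an OTA image only if it authenticates; returns whether it was applied."""
    return SE.verify_update(image, tag)


if __name__ == "__main__":
    print("clean boot attests:", boot_and_attest([BOOTLOADER, OS_IMAGE, APP_IMAGE]))
    print("tampered bootloader attests:",
          boot_and_attest([b"bootloader-evil", OS_IMAGE, APP_IMAGE]))
    new_app = b"sensor-app-v1.1"
    tag = sign_update(UPDATE_KEY, new_app)
    print("signed update accepted:", apply_update(new_app, tag))
    print("modified update accepted:", apply_update(new_app + b"x", tag))
```

The two halves depend on each other in practice: once an authenticated update has been applied, the golden register held by the secure element must be updated to the new stack's expected value as part of the same authenticated operation, otherwise the next boot fails attestation even though nothing is wrong. Keeping the verify-only interface on the secure element is what makes the host-side code unable to forge either value, which is the point of anchoring the chain in hardware rather than in the updatable firmware.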