Securing the IoT – Problems, solutions, and next steps
A recent study by Hewlett Packard showed that about 90% of devices collect some form of personal information. This means that the privacy of the customer is always at risk, and that the threat level will keep growing with the Internet of Things (IoT). With increased security awareness, secure development practices are now being employed; however, identifying vulnerabilities in commonly deployed architectures is still a key concern. Companies have started to look at protecting not just their own IoT ecosystem but their customers’ as well. This model means that companies can ensure end-to-end security for customer data (especially important in light of the new EU regulation) and open a new revenue stream by offering IoT Security as a service.
Impacts and challenges of IoT Security
Attacks on the IoT Ecosystem have grown exponentially in recent years. Malware such as Mirai has shown that trying a device’s default username and password, or a simple dictionary attack, can grant access to millions of devices. With smart home devices such as TVs sending over 600,000 malicious spam emails, and hackers remotely hijacking a car, any connected device is vulnerable.
The challenges faced by the Internet of Things ecosystem are very different from those of traditional IT. Understanding the technical aspects of attack surfaces may not be sufficient on its own; one should also be aware of the domain, purpose, and motive behind using these purpose-built devices to disrupt an entire network. These devices have limited computational power, so they cannot always run robust protection mechanisms like antivirus, two-factor authentication, and key certificate exchanges. Consumers are also easier to target because most end users are not security aware: they do not apply strong passwords, and devices are not frequently patched. Enterprises may not regularly investigate devices deployed within their customers’ network to keep password policies and firmware updated, opening up the whole network to bad actors.
Because IoT devices are usually purpose-built, universal security standards are difficult to develop and have not been ratified internationally. Unlike typical IT endpoints such as laptops, desktops, tablets, and smartphones, IoT devices are designed to be deployed unsupervised in remote environments, meaning they are also susceptible to physical tampering.
While baked-in security might seem to be the best way to address security concerns, it can leave devices running the same protocols for years without an update, and it also adds to deployment costs, as ‘secure’ chips cost between $7 and $17. With the device itself costing an average of $10, baked-in security could considerably increase overall costs.
Opportunity to use IoT security
Traditionally, operators provide connectivity to mobile phones and tablets in one vertical channel. But with the introduction of IoT and M2M technologies, various device types, models, and variations are introduced to the network, most of which are constrained and prevent security agents being run from within. The best approach to secure these devices is to overlay agentless, agnostic protection to monitor ingress and egress traffic of these devices.
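The agentless approach described above can be illustrated with flow records alone. The following is an added example, not code from the original article: it learns a per-device profile from a baseline window and flags behavior outside it, such as a TV starting to send mail or a camera fanning out on Telnet. The record format, device names, addresses, and the fan-out threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records as a network-side sensor might export them:
# (device_id, direction, remote_ip, remote_port). All values are illustrative.
BASELINE = [
    ("tv-01", "egress", "203.0.113.10", 443),
    ("tv-01", "egress", "203.0.113.11", 443),
    ("cam-07", "egress", "198.51.100.5", 8883),
    ("cam-07", "egress", "198.51.100.5", 8883),
]
OBSERVED = [
    ("tv-01", "egress", "203.0.113.10", 443),
    ("tv-01", "egress", "192.0.2.25", 25),    # mail traffic from a TV
    ("tv-01", "egress", "192.0.2.26", 25),
    ("cam-07", "egress", "198.51.100.5", 8883),
    ("cam-07", "ingress", "192.0.2.77", 23),  # inbound Telnet to a camera
] + [("cam-07", "egress", f"192.0.2.{i}", 23) for i in range(100, 130)]

def build_profile(flows):
    """Learn, per device, the (direction, port) pairs and remote peers seen."""
    profile = defaultdict(lambda: {"services": set(), "peers": set()})
    for dev, direction, ip, port in flows:
        profile[dev]["services"].add((direction, port))
        profile[dev]["peers"].add(ip)
    return profile

def detect(profile, flows, fanout_limit=20):
    """Return sorted (device, reason) alerts for behavior outside the profile."""
    alerts = set()
    new_peers = defaultdict(set)
    for dev, direction, ip, port in flows:
        known = profile.get(dev)  # .get() does not create a default entry
        if known is None:
            alerts.add((dev, "unprofiled device"))
            continue
        if (direction, port) not in known["services"]:
            alerts.add((dev, f"new {direction} service on port {port}"))
        if direction == "egress" and ip not in known["peers"]:
            new_peers[dev].add(ip)
    for dev, peers in new_peers.items():
        if len(peers) > fanout_limit:  # assumed threshold, tune per device class
            alerts.add((dev, f"egress fan-out to {len(peers)} new peers"))
    return sorted(alerts)

if __name__ == "__main__":
    for dev, reason in detect(build_profile(BASELINE), OBSERVED):
        print(dev, "-", reason)
```

Because purpose-built devices talk to a small, stable set of services, even a profile this simple separates normal traffic from the deviations; a deployment would learn profiles per device class over a longer window.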
CSPs are able to monitor the behavior of the devices they provide connectivity to, as traffic to and from these devices flows through their network. This provides Telcos an opportunity to not only enable connectivity but to provide essential security services to their users, as a value-added service, or productize IoT security in one of the ways shown below.
Why Do Organizations need IoT Focused Security?
The amount of information being generated by endpoints and exchanged between IoT and IT networks continues to grow. There are not yet any substantial standards designed to be followed in an IoT deployment. Though there are many organizations working together to build new technologies and new standards, it may take at least a couple of years for the industry to adopt or accept these standards. With millions of data points being generated outside of an organization’s network, securing this information, the data channels, and the endpoints should be treated with the importance it deserves.