To secure the Internet of Things and to build trust with customers, the way that vendors approach manufacturing, distributing and supporting devices and solutions must change, a panel of security pros said Monday at the National Cyber Security Alliance's (NCSA's) Cybersecurity Summit held at Nasdaq.
“Business models will have to change. We used to build them [products], ship them and forget about them until we had to service them,” said John Ellis, founder and managing director of Ellis & Associates. “We've moved to a new world where we have to ship and remember.”
That's in part because as devices become smarter and hackers become more creative and persistent, the reams of data collected and passed around in cyberspace are more at risk and need greater protections. Companies must build in security and regularly update and patch their products.
Legacy and dumber devices prove to be a big challenge for the industry, the panelists noted, because although they don't have the “smarts” of their newer peers, they still can be used to control and communicate with other devices.
“If you've got an old heat pump with unencrypted legacy protocol, you've got a real problem,” said Ed Amoroso, senior vice president and chief security officer (CSO) at AT&T. “Do you really care what signal is sent from a heat pump? No. But you absolutely care if it's secure.”
Even if all the devices on the Internet of Things (IoT) were secure, “that wouldn't solve our problem because they'd still all communicate with each other,” said Sven Schrecker, chief architect, IoT Solutions, at Intel, who called data the currency of privacy and security on the IoT. “And even if we solved that, they degrade and need to be managed and monitored.”
Organizations, he said, need a reservoir of security knowledge to make better business decisions.
And users need to know that they can trust their devices, apps and vendors. “How do consumers know that the products and services are protected?” asked David Kleidermacher, CSO at BlackBerry.
Or even that a device on the IoT is what it claims to be.
Miller Newton, CEO of PKWare, noted that “there's not a lot of authentication on the IoT. It is easy to impersonate.”
He recommended ramping up security by creating a guest network to segregate certain devices.
The panelists agreed that the IoT presents an opportunity to lay the foundation for improved security and privacy going forward.