Maybe I am a bit of a skeptic, but having lived through a few security market transitions, the IoT Security challenge is the most daunting challenge I have ever seen. It will test us beyond anything we have ever faced.
IoT is entering the market at a pace that outstrips any shift in business since we became an industrial society. By 2020, there will be nearly three connected IoT devices for every man, woman and child across the globe. While PCs and the Internet brought computing power to the masses, IoT is enabling the intelligent automation of machines that run things.
Consumer IoT – the connected items we buy to entertain us, improve our health, monitor our children, bodies and anything else product companies can think of – has invaded our lives.
At the same time, Industrial IoT or OT (Operational Technology) has been utilized “behind the scenes” in products and services across a wide range of industries, including manufacturing, distribution, utilities, transportation, health clinics, government and more.
The power of IoT lies in its ability to create autonomous systems by interconnecting disparate networks and utilizing advanced technologies such as artificial intelligence and blockchain. From autonomous vehicles to smart cities to advanced medical solutions, IoT holds the promise of changing the way we live our daily lives.
IoT security is truly only as strong as the weakest link – which can be dozens of degrees of separation from your enterprise or devices.
This makes it all the more frightening when you realize that consumer and industrial IoT lack the security we've come to expect in our computers and mobile devices. Yet we willingly accept it into private and important areas such as our workplaces and homes. As the first anniversary of the Mirai botnet attacks approaches, we should be reminded that the potential for major problems has been realized, and that the impact is potentially devastating.
The largest DDoS attack in the history of the Internet, Mirai showed that IoT devices have opened a massive security gap, allowing cybercriminals to create backdoors into organizations around the world. In Understanding the Mirai Botnet, the authors describe it well, writing, “Mirai has brought into focus the technical and regulatory challenges of securing a menagerie of consumer-managed, interfaceless IoT devices.”
Pwnie Express' survey of security professionals from earlier this year shows the security challenge and gap persist in a very serious way. Months after the attacks, Pwnie Express researchers found 66 percent of InfoSec pros said they still hadn't checked or didn't know how to check their devices for Mirai.
The findings should set off all sorts of alarm bells, but it can't solely be on IT departments to solve this issue. The lack of IoT security is more of an organizational problem than a technology problem. Corporate leaders responsible for IT security too often are not involved in IoT acquisition and are too preoccupied with managing traditional network security solutions to focus on IoT. Meanwhile, business leaders focus only on the speed, quality and production benefits of IoT. They view any focus on security as a speed bump that will limit revenue growth.
The combined negligence of security and business leaders will eventually lead to catastrophe. It has become obvious that these systems have been installed with security as an afterthought or with no thought at all.
We have seen this movie before. The PC, Internet, and Mobile Computing revolutions were not driven by IT, but by the users and line-of-business managers. Fortunately, IT professionals had the time to catch up and enforce good practices and policies to support these movements and protect their organizations. In the case of IoT, the cow is so far out of the barn at this point that we need to wake up quickly.
What to do?
Come out from the IT cave. Find out what IoT projects are underway in your organization. Assume there are systems that you are not privy to and don't act shocked when you find them.
Be helpful and proactive. I know you have a lot to do and are already underappreciated! Start with a simple task: offer to take inventory of the “things” that are running these systems. Much of this may not be subject to the security policies and compliance audits you do today. For example, there are both old and new systems that may be under the label of IoT, OT, or otherwise not managed by IT. Think HVAC systems, conference room smart TVs, security cameras and door locks.
Understand the IoT system context. Especially pay attention if the effort has executive and board level support. Is it in the annual report if you are a public company? I am shocked at how often I hear how many IoT automation projects are underway without the involvement of IT Security.
Think differently in terms of mitigating risk. You will never have control! You will likely never be able to install AV, use agents, control users, etc. Think about how to create situational awareness, understand connections across networks and apply real-time monitoring techniques (vs. point-in-time assessments). In some instances, you might have to replace your devices, based on risk, or just get them offline altogether!
Insist that new IoT be visible, identifiable, trackable and updatable. Using more common IoT operating systems that are becoming more standard will only put you in a stronger position when problems inevitably occur.
The benefits of IoT are too valuable to risk. We have to stop viewing security as a barrier to deployment. Until enterprises realize that security actually enables IoT to reach its promise, I'll continue to be a skeptic. I want to be proven wrong.