IoT Security – Strategies to Protect “Your Things” and “Networks”
According to Wikipedia, the Internet of things (IoT) is the network of physical devices with unique identifiers. Experts estimate that the IoT will consist of a staggering figure of about 30 billion objects by 2020, suggesting that standard PC security and anti-virus solutions are not sufficient to counter future cyber security threats. IoT is a network of “unmanaged or rogue devices”, wired or wireless (RF), connected over the Internet, and therefore securing the devices from attacks becomes paramount. According to a survey sponsored by ForeScout Technologies, only 30% are confident that they know what IoT devices are on their network, while only 44% had a known security policy for IoT.
Often these devices run IoT protocols that fit into the OSI model. For avid technical enthusiasts, I recommend reading the Postscapes summary of various IoT protocols such as 6LoWPAN, RPL, EPC, uCode, LPWAN, mDNS, and DNS-SD, and data protocols (e.g., MQTT, CoAP, AMQP, Websocket, Node). Forrester's TechRadar research defined use cases, business value, and outlook for the 13 most relevant and important IoT security technologies.
The task of securing these devices is like trying to protect endangered wild species in a sub-Saharan desert or an Amazon forest. Unfortunately, no single protection strategy exists. Device manufacturers, consumers, operators or cloud providers, and enterprises each need different strategies. IoT security solutions also generate a large volume of security events, making it even more difficult to prioritize and remediate risks.
A defense-in-depth strategy that eliminates blind spots and makes wired and wireless (NB-IoT) IoT devices and the network resilient in the event of an attack is the need of the hour.
Device Manufacturer: IoT devices sit at the foundation of many business networks, providing real-time data. Device manufacturers must validate the security posture of new designs against real-world attacks and threats.
A security testing solution that can generate real-world attacks and pinpoint potential issues in your devices will help ensure that the devices are ready for use by consumers and networks.
Consumers: Hackers can take control of cars, gadgets, toys, and home automation systems, can lock you down completely, and may kill people. The device manufacturers or nefarious criminals could be collecting “sensitive” personal data without your consent. Some form of IoT security warning, with a security rating on the product, would benefit consumers.
The best strategy is to raise public awareness about the pitfalls of buying hardware that connects to the insecure Internet. To protect consumers, should IoT devices come with public safety warnings like the ones on alcohol bottles?
Operators and Cloud: Most IoT devices and applications deployed in a cellular or cloud provider environment require low latency. Because of that, operators tend to move functionality and content to the edge of networks (Edge Computing (EC)) so that they can respond to IoT devices automatically and instantaneously. It’s much easier to embed virtualized compute and storage elements closer to these devices.
Gain security and visibility, Take Control and Orchestrate and Automate: The architecture inherent in EC also improves security. Moving apps and content to the edge of these networks shortens the distance proprietary information must travel between client and server. Traffic will traverse fewer elements in a large network, reducing its exposure to spoofing, MITM (Man-In-The-Middle-Attack), rerouting and other threats. There’s a shorter chain, and therefore less of an attack surface. Operators and enterprises (that run on cloud) need their own visibility into these networks to ensure they are getting the security that is promised to them. Check out the Azure IoT Hub, AWS IoT, Verizon’s Thingspace and IBM Watson IoT security offerings.
Enterprises: It is difficult to enforce cyber security policies across the enterprise, as IoT devices (industrial robots, utility and agricultural controllers, and supply chain logistic sensors) come and go from the network at will and are largely undetected by periodic real-time vulnerability scans. This break in security policy enforcement puts the enterprise network in danger. Some enterprises may need to adhere to regulations like the NIST Risk Management Framework (RMF) and FISMA requirements to protect unclassified systems.
Gain Security and visibility, Take Control and Orchestrate and Automate: Enforcing a unified network security policy to detect and monitor these unmanaged devices is key for protecting critical enterprise assets. An agentless solution that can allow, deny or limit network access based on device posture and security policies, without requiring previous knowledge of the device, and that enforces security and compliance policy automatically, will help identify attacks for quick resolution. The solution must help orchestrate and automate system-wide threat response using real-time security intelligence. Enterprises also need network visibility to “see” what is going on across this network.
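The allow, deny or limit decision described above can be sketched as follows. This is an added example, not code from any product named in this article: it derives posture only from passively observed traffic, so no agent or prior device inventory is needed. The flow record format, the port sets and the policy rules are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of passively observed flows: "<mac> <LISTEN|CONNECT> <port>"
SAMPLE_FLOWS = """\
aa:bb:cc:00:00:01 CONNECT 8883
aa:bb:cc:00:00:02 LISTEN 23
aa:bb:cc:00:00:02 CONNECT 1883
aa:bb:cc:00:00:03 CONNECT 1883
aa:bb:cc:00:00:04 CONNECT 6667
"""

# Assumed policy inputs (illustrative, not a vendor rule set)
CLEARTEXT_MGMT = {21, 23}           # FTP, Telnet
ENCRYPTED_IOT = {443, 5684, 8883}   # HTTPS, CoAP over DTLS, MQTT over TLS
CLEARTEXT_IOT = {1883, 5683}        # MQTT and CoAP without transport security

def observe(flow_text):
    """Group observed ports per MAC; devices need not be known in advance."""
    seen = defaultdict(lambda: {"LISTEN": set(), "CONNECT": set()})
    for line in flow_text.splitlines():
        parts = line.split()
        if (len(parts) != 3 or parts[1] not in ("LISTEN", "CONNECT")
                or not parts[2].isdigit()):
            continue  # skip malformed records rather than guessing
        seen[parts[0].lower()][parts[1]].add(int(parts[2]))
    return seen

def decide(ports):
    """Return (action, reasons) for one device's observed behaviour."""
    if ports["LISTEN"] & CLEARTEXT_MGMT:
        return "deny", ["cleartext management service exposed"]
    reasons = []
    if ports["CONNECT"] & CLEARTEXT_IOT:
        reasons.append("unencrypted IoT data protocol")
    unknown = ports["CONNECT"] - ENCRYPTED_IOT - CLEARTEXT_IOT
    if unknown:
        reasons.append("unprofiled destination ports: %s" % sorted(unknown))
    if not ports["CONNECT"] and not ports["LISTEN"]:
        reasons.append("no behaviour observed yet")  # unknown posture
    return ("limit" if reasons else "allow"), reasons

def enforce(flow_text):
    """Map every MAC seen in the flows to its access decision."""
    return {mac: decide(p)[0] for mac, p in observe(flow_text).items()}

if __name__ == "__main__":
    for mac, ports in sorted(observe(SAMPLE_FLOWS).items()):
        print(mac, *decide(ports))
```

A device with unknown posture is limited rather than allowed, so a device that has just joined the network gets restricted access until its behaviour has been observed.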
Having the right IoT testing, security and visibility infrastructure in place can protect your “things” and the network that supports these “things”.