Tackling the security of 'things'
High-profile incidents of hackers compromising connected devices have given some CIOs pause when it comes to embracing the Internet of Things.
By now you’ve probably read dozens of predictions about the growth of connected devices that make up the IoT. If you’ve somehow managed to miss these prognostications, here’s one of the more recent ones: in its Predicts 2015: The Internet of Things research paper, analyst firm Gartner forecasted that by the year 2020, a total of 25 billion ‘connected things’ will have been shipped.
With the UN’s Department of Economic and Social Affairs predicting the world’s population will reach 7.76 billion people by that year, Gartner’s forecast means that the number of these internet-connected things that will have shipped will outnumber the world’s population by more than three to one. These devices will appear in a variety of industries ranging from automotive to food and beverage services.
But IoT isn’t a thing of the future; these devices are well and truly already here. As Gartner analyst James F Hines pointed out, the connected car (ie, one “connected to an external network”) is already a reality, and “in-vehicle wireless connectivity is rapidly expanding from luxury models and premium brands to high-volume midmarket models”.
“During the next five years, the proportion of new vehicles equipped with this capability will increase dramatically,” Hines wrote, predicting that about by 2020, about 20% of vehicles on the road around the globe will have some form of wireless network connection.
The risks
These predictions have been accompanied by news reports (sometimes amusing, almost always worrying) of hackers compromising IoT devices. The stories are varied and indicate that many types of IoT devices are open to attack. As one example, Wired reported earlier this year on hackers who were able to wirelessly send commands to a target Jeep Cherokee’s steering, brakes and transmission — potentially from across the globe.
In a sense, IoT seems quite contrary to that old security adage, that the only way to secure a networked server is to disconnect it from the network. So what sorts of security risks exist for a business that adopts IoT devices?
Ovum Senior Analyst, IT Infrastructure Solutions Rik Turner said that IoT shares several types of threats with cloud services generally, because “a lot of IoT networks will themselves [rely] on a cloud-based back end for collection, aggregation, processing and storage of the data”.
“If you think of the Cloud Security Alliance’s Notorious Nine threats, several of them apply to IoT as well,” Turner said.
These include, the analyst said:
Data breach. Perhaps not too critical if all you’re doing is collecting data on the health of trees in a forest, but definitely to be avoided if you are a hospital monitoring the health of heart patients or police tracking tagged sex offenders.
Data loss. If a freak lightning storm or an IT failure somewhere in the network takes a whole slew of sensors offline, your business is going to be affected, but do you have contingency plans in place to bring them back in a timely fashion? How about if data already collected is rendered inaccessible because of something that happens in the back end where it is stored?
Account/device hijack. Researchers are continually pointing out how easy it is to hack into domestic IoT devices such as the connected fridge or washing machine, particularly via Wi-Fi connections. The potential for a malicious person taking control of appliances that deal with water and electricity in a home is an obvious issue. If Wi-Fi-enabled devices can also be used as a bridge into a broader home network, there is also the potential for the theft of credit card data and other important personal information.
Frost & Sullivan Industry Analyst, ICT Practice, Asia Pacific Vu Anh Tien added that there’s also the danger of compromised IoT devices becoming points in botnets and being used to drive “massive” distributed denial of service (DDoS) attacks. With 25 billion IoT devices expected to have shipped by 2020, that’s a lot of potential bots.
Geoff Johnson, an Advisor at IBRS, explains how the scale of IoT impacts security.
“Securing IoT is a practical challenge, from the most remote and basic networked transducer/sensor, through all the aggregation devices that make sense of the whole fleet of devices, right through to the core systems that run the industry application in a data centre or cloud,” he said.
“A modern car has 400 to 500 sensors; an Airbus A380 has over 250,000, so there are multiple levels of security and management required. Complex industrial security is required rather than the ubiquitous approach found in modern administrative organisations,” Johnson said.
Mitigation
It would seem, then, that organisations wanting to get involved with IoT devices have quite a task on their hands when it comes to security.
Johnson noted that the IoT “is not really a generic network of devices but a series of industry-specific vertical solutions for, say, wearables/consumer; aviation/avionics; utilities (electricity, oil, gas, water); telecoms and media; automotive/transport” and so on.
As such, “Every security plan will be prepared and evaluated based on industry-vertical norms and their own exquisite foibles,” he said.
For example, railways are “intensely” aware of the necessity for track safety, and have their own physical signalling networks, Johnson said. “That becomes more complex as trains are automated into a driver-less convoy of trucks.”
As another example, Australia’s mining industry “is investing in robotics for remote driverless trucks and offshore drilling platforms that use a wealth of industrial network protocols for SCADA, telemetry, capital asset management and vehicles”.
Turner said mitigating IoT security risks requires what he calls “security by design”. This involves “thinking of security from the moment an IoT network is being conceived and building it in at the network and the individual device level. Default passwords such as 0000000 or 1234567 are clearly part of the problem, as are unpinned certificates and communications across a network in plain text.”
Anh Tien said that organisations need to adopt a holistic and risk-/role-based approach to manage and address IoT risks. A holistic strategy involves establishing “a multiple-layered defence at both network and endpoint levels to prevent the threats from spreading from an endpoint to the entire networks”.
“It should be an interconnected ecosystem between the network and endpoint so that the threat intelligence can be pushed and correlated within the whole ecosystem of an organisation to make sure that no threats are residing in the network or any endpoint,” he said.
Such a holistic strategy will help organisations eliminate the risks of IoT devices being exploited by zero-day threats and other hacks, according to Anh Tien.
“A risk- or role-based management policy will help organisations minimise the risk of data leak as only certain people with certain roles can access the sensitive data. By taking the zero-trust policy, enterprises can easily manage and control their IoT landscape with the minimum of data leaks,” he added.
There’s a variety of technologies that can help with IoT security. Briefly, Anh Tien lists access management (including identity access management, privileged identity management and network access control); mobile device management; data loss prevention; and malware protection (particularly that which uses both signature-based and signature-less detection technologies).
“All of these technologies/solutions should be placed in a connected architecture that can communicate with other infrastructure security solutions such as NGFW, ISA or IPS, and others,” he said.
Constant vigilance
Many of the IoT breaches that have been in the news reflect shortcomings in the engineering of the device in question. In many of these cases, the hackers were able to successfully compromise the device because of fundamental flaws that were overlooked during the device’s design and development.
Anh Tien said that “most IoT devices are not well designed for security, as most IoT manufacturers will put more priority on product quality and production efficiency. Not many IoT devices are well equipped with security technologies that are good enough to counter cyber attacks.”
He said that moving forward, IoT manufacturers need to put a greater focus on securing these devices.
But according to the experts, organisations that implement these IoT devices can’t rely solely on manufacturers getting better at designing secure devices; organisations must themselves take an active and constant role in IoT security.
“These IoT devices will require constant security maintenance and updates to avoid penetration or exploitation. Security providers need to find ways to help enterprises manage and control those IoT devices easier and more effectively,” Anh Tien said.
Johnson explained that for IoT devices, while security “is usually a part of the original and fundamental design rather than an afterthought that is ‘bolted on’ as in some corporate networks”, security “also needs to be applied to daily operations for multiple reasons including cyberwarfare against critical infrastructure”.
Turner emphasised that regular penetration testing can help to “make sure some new vulnerability hasn’t been introduced into the network by a new node, network route [or] additional process”.
Budgetary issues
Given the mature security posture that appears to be required in order to avoid IoT breaches, it seems to follow that properly securing the use of these sorts of connected devices requires a rather healthy security budget. Does this mean that organisations without such a juicy security budget should steer clear of the IoT?
“I’m afraid so,” Turner said.
Not mincing words, he added: “There is absolutely no point deploying some half-arsed IoT network that can and almost certainly will be attacked, causing who knows what damage, at the very least to your company’s reputation and, in some cases, potentially even more serious actual physical damage.”
While Anh Tien doesn’t rule anyone out from getting involved with the IoT, he does stress the importance of allocating resources to security.
“Having a proper IoT security strategy is necessary for every single business,” whether they’re an SMB or a large business, he said.
Large businesses with good security budgets will find it “easier to have a broad security infrastructure at both network and endpoint levels, which will enable them to avoid security risks”.
Anh Tien stressed that in small and medium-sized businesses, it’s of the utmost importance to determine which areas to focus on when it comes to IoT security.
By determining which areas and business needs are the highest priority, “they can have a proper plan for IoT security strategy in a cost-effective manner that suits them best. It is not always required for them to deploy all costly security solutions from security vendors, as engaging with a managed security service provider seems to be a best choice for them to manage and monitor all the potential threats throughout their infrastructure, be it at network and endpoint levels,” he said.
Don’t go it alone
Hugh Ujhazy, director at IDC Australia, said that enterprises looking to go into the IoT space can lessen their risk by “using good security protocols, applying lessons learned over the past decades of digital security practice and working with partners who bring expertise in this area”.
“Going it alone and refusing to learn the lessons of securing data, access and applying good authentication and testing processes is a recipe for disaster. Fortunately, there is a wide ecosystem of security suppliers in the mature IT markets… Australia being one.”
Enterprises that don’t learn from the other entrants to this arena are prone to repeat their mistakes, Ujhazy said.
Strategies for navigating Java vulnerabilities
Java remains a robust and widely adopted platform for enterprise applications, but staying ahead...
Not all cyber risk is created equal
The key to mitigating cyber exposure lies in preventing breaches before they happen.
How AI can help businesses manage their cyber risks
Artificial intelligence can be a powerful ally in the fight against cyberthreats.