IoT and Enterprise Security Risks

In one sense, the Internet of Things has been around since the early days of the Internet. The geekiest of early Internet users found that it was child’s play, for instance, to discover and interact with thousands of unprotected Windows PCs and their peripherals, without authorization of course. The IP addresses of these devices were easy to find on public hack lists.

The State of Today’s IoT Security

Unfortunately, for much of what constitutes the IoT today, security is hardly better. In fact, there is a website, Shodan, that lets anyone search for networked devices across the globe, many of which are unsecured. The majority of these are webcams, but many scanners, printers, control devices, routers, FTP sites and more are also exposed.

Clearly, if IoT is to meet growth expectations and survive a series of inevitable high-profile hacker attacks along the way, it needs to start looking a lot less like a sitting duck.

Steps to Improve Enterprise IoT Security Now

The current paucity of IoT security means that enterprises must augment IoT vendor security with some common-sense precautions. The first step is for IT to use the network management system to scan for all exposed IP addresses and set alerts when new ones are detected.

Additionally, it is good practice to verify that each device is actually what its network profile says it is and determine if it should be network accessible at all. Its authorization protocol should be evaluated for sufficiency compared to the asset being protected. It is common, for instance, for network device username/password pairs to have never been changed from their defaults.
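The checks described in this section can be automated by comparing each scan against an approved inventory. The following is an added example, not code from the original article; the record fields, addresses and findings text are constructed for illustration, and the scan is assumed to be an export from the network management system.

```python
# Added example: constructed data, hypothetical field names.
# Approved inventory, keyed by IP (what each device is supposed to be).
INVENTORY = {
    "192.0.2.10": {"mac": "02:00:00:00:00:10", "type": "printer",
                   "ports": {631, 9100}, "default_creds_changed": True},
    "192.0.2.20": {"mac": "02:00:00:00:00:20", "type": "webcam",
                   "ports": {554}, "default_creds_changed": False},
    "192.0.2.30": {"mac": "02:00:00:00:00:30", "type": "router",
                   "ports": {443}, "default_creds_changed": True},
}

# Latest scan export from the network management system (constructed).
SCAN = [
    {"ip": "192.0.2.10", "mac": "02:00:00:00:00:10", "type": "printer",
     "ports": {631, 9100, 23}},
    {"ip": "192.0.2.20", "mac": "02:00:00:00:00:20", "type": "webcam",
     "ports": {554}},
    {"ip": "192.0.2.30", "mac": "02:00:00:00:00:99", "type": "linux-host",
     "ports": {443}},
    {"ip": "192.0.2.77", "mac": "02:00:00:00:00:77", "type": "webcam",
     "ports": {80, 554}},
]

def audit(inventory, scan):
    """Return sorted (ip, finding) tuples for everything that needs review."""
    findings, seen = [], set()
    for obs in scan:
        ip = obs["ip"]
        seen.add(ip)
        expected = inventory.get(ip)
        if expected is None:                      # alert on newly exposed IPs
            findings.append((ip, "new device, not in inventory"))
            continue
        # Is the device what its network profile says it is?
        if (obs["mac"], obs["type"]) != (expected["mac"], expected["type"]):
            findings.append((ip, "profile mismatch"))
        extra = obs["ports"] - expected["ports"]  # more reachable than approved
        if extra:
            findings.append((ip, "unexpected ports: " + ",".join(map(str, sorted(extra)))))
        if not expected["default_creds_changed"]:
            findings.append((ip, "default credentials not rotated"))
    for ip in inventory.keys() - seen:            # approved device went silent
        findings.append((ip, "in inventory but not seen"))
    return sorted(findings)

if __name__ == "__main__":
    for ip, finding in audit(INVENTORY, SCAN):
        print(f"ALERT {ip}: {finding}")
```
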

Imagine the Problem Scaled Out Exponentially

A quick survey of enterprise IoT devices may cover dozens, hundreds or even thousands of devices. Now, imagine this task at the scale of the tens of billions of connected IoT devices expected to be in place by 2020.

To extract additional value from IoT, apps will be layered on top to aggregate data and control streams from a wide variety of such devices and look for patterns that might legitimately be useful for predicting, say, the weather or the velocity of a particular market sector. However, illegitimate uses of such data that violate the privacy of individuals and groups of individuals are not difficult to imagine.

Such a scenario is bad enough, but it gets worse. Future IoT edge devices will collaborate among themselves through data sharing and behavior modification of fellow edge devices, which may come from different manufacturers. Robust communication and API standards will make this possible and it is generally a good thing. However, such inter-device activity makes an already humungous hacker attack surface exponentially bigger.

Approaches to a Secure IoT

Best practices, standards and technology with regard to security are already in place for the computational, storage and networking resources in the Internet, but these will need serious upgrades in the context of IoT. One hundred percent security will never be achieved, but applying risk management techniques will mitigate the potential for catastrophe.

As IoT matures, manufacturers of edge device packages, network providers, middleware vendors and analytics software producers all must contribute expertise and tools:

  • Privacy and security measures must be built into all layers from sensors to dashboards. Since IoT devices are essentially nano-computers, more security must be built into the hardware. A full-stack approach will provide defense-in-depth that could contain attacks within any single tier.
  • Analytics must take into account security risks in addition to business algorithms. This additional functionality should be aimed at detecting unexpected or suspicious network behavior. This ability could, for instance, detect malicious traffic indicative of a distributed denial-of-service attack.
  • In much the same way that lost or stolen devices in an enterprise BYOD environment are handled, IoT endpoints that have “gone rogue” should be disabled. Of course, a disablement interface must be managed as a security risk also.
  • End users at both the edge and the analytics tier must be thoroughly educated in how to protect their privacy, which behaviors to avoid and the signs to watch out for that may indicate a security or privacy breach.

Conclusion

As with any new technology, there are benefits and there are risks. In the case of IoT, it seems that both sides of the coin are equally gargantuan. Until IoT security standards and practices catch up to the impending explosion of networked edge devices now being deployed, individuals and organizations have to be the first line of defense in ensuring reasonable security and privacy through the use of IoT.

IT security teams need to review their own security best practices and update them to account for the new world of millions or even billions of independent, connected, smart devices that are able to communicate with one another and are delivering torrents of unstructured data back to the enterprise.