The internet of things (IoT) has much potential to streamline business processes and provide new ways to interact with customers. But it also opens new frontiers for cyber criminals and hacktivists to exploit.
Quocirca published reports in 2015 (The many guises of the IoT) and 2016 (European perceptions, preparedness and strategies for IoT security) that look at the interplay between IoT opportunities and threats. Some of the findings from these reports are highlighted in this buyer’s guide, which looks at how to secure the IoT in your organisation.
The IoT means different things to different organisations and there is no silver bullet for security. It involves everything from known devices carefully deployed – for example, as part of state-of-the-art infrastructure monitoring systems – through legacy equipment brought online for ease of access, to rogue, unknown consumer devices brought into the workplace by employees.
Good application design, adapting existing IT security and some altogether new ideas contribute to protecting IoT deployments from a diversity of threats.
IoT security threats
There are four main security threats pertaining to the IoT:
- Data protection. Many devices gather sensitive data, the transmission, storage and processing of which needs to be secure for both business and regulatory reasons.
- Expanded attack surface. There will be more devices on networks for attackers to probe as possible entry points to broader IT infrastructure. Unlike user endpoints, many IoT devices are permanently on and connected, making them prime targets.
- Attacks on IoT-enabled processes. Those wanting to disrupt a given business’s activities will have more infrastructure, devices and applications to target, for example, via denial-of-service (DoS) attacks or by compromising and/or disabling individual devices.
- Botnet recruitment. Poorly protected IoT devices may be recruited to botnets, degrading their performance and leading to longer-term reputational damage.
All these threats rely to some extent on the potential weakness of IoT devices. While the devices should be deployed and managed with security in mind, with good design, much of the heavy lifting can be done at a higher level.
Device numbers, diversity and identity
Quocirca’s 2016 research showed the average European business expects to be dealing with 7,000 IoT devices over the coming 18 months. This figure may sound daunting to smaller organisations, but it is conservative compared with other industry estimates. Managing devices in such numbers must be automated and, in any case, there is only so much that can be done on the device itself.
Legacy devices with pre-IoT firmware are likely to be some of the most vulnerable because they may not have been designed with online security in mind. New devices can also be problematic as they often have limited memory, processing and electric power and run IoT-specific operating systems such as TinyOS, Contiki, Nano-RK and RIOT.
Many of these operating systems are open source and adaptable by manufacturers, leading to many variants (it is not all open source – Microsoft has built specific support for IoT devices into Windows 10). All this leads to hundreds of potential device/operating system combinations.
This makes it a challenge to develop portable on-device security software agents. Agentless device security is more practical and has been available for some time to deal with employee-owned and guest endpoints that have increasingly been allowed on to corporate networks. Agentless device management is most needed in sectors such as healthcare, where there is a wide range of unusual devices.
However, it is necessary to recognise devices continually and make sure their identity remains consistent over time. One way to sabotage an IoT deployment is to replace a trusted device with a rogue one. Existing technologies can help here. TLS not only protects data in transit; when the device presents its own certificate during the handshake, as in mutual TLS, it also confirms the device’s identity. Server-only TLS, the default on the web, lets the device verify the gateway but tells the gateway nothing about the device. To this end, there has also been renewed interest in PKI (public key infrastructure).
This means more certificates to issue, renew and revoke as devices proliferate, which may mean upgrading certificate management capabilities. The encryption suppliers all have new messages around IoT security, including Symantec, Gemalto, Thales, Entrust Datacard, Vormetric and Venafi.
Other approaches are being developed to help with IoT device identification. Third-party registries are gaining popularity. These can be referred to for identifying devices and their expected location and function. DNS service providers such as Neustar list known devices and there are specialist databases such as Xively.
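The two identity checks described above, certificate-based proof of identity followed by a registry lookup, are shown together in this added example; it is not code from Quocirca or from any of the suppliers named, and the CA name, the device identifiers and the registry contents are constructed for illustration. The CA stands in for the organisation’s PKI, the registry is an in-memory stand-in for a third-party device registry, and VerifyDevice is the check a gateway would run on the client certificate of a mutual-TLS handshake:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device is what the registry says a given identifier is expected to be.
type Device struct {
	Location string
	Function string
}

// Registry is a constructed stand-in for a third-party device registry (hypothetical data).
var Registry = map[string]Device{
	"sensor-0042": {Location: "plant-room-2", Function: "temperature"},
}

// newSerial returns a random serial number; certificates must never share one.
func newSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	return n
}

// NewCA creates a self-signed root that stands in for the organisation's device PKI.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: "Example IoT Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert binds a device identifier to a fresh key pair; with ca == nil it is
// self-signed, which is all an impostor without access to the CA can produce.
func IssueDeviceCert(id string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      pkix.Name{CommonName: id},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	parent, signer := ca, caKey
	if ca == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDevice is the gateway-side check on a mutual-TLS client certificate: the chain must
// end at the trusted CA, and the identity it carries must be a registered device.
func VerifyDevice(cert, ca *x509.Certificate) (Device, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return Device{}, fmt.Errorf("untrusted certificate for %q: %w", cert.Subject.CommonName, err)
	}
	dev, ok := Registry[cert.Subject.CommonName]
	if !ok {
		return Device{}, fmt.Errorf("valid certificate but %q is not a registered device", cert.Subject.CommonName)
	}
	return dev, nil
}

func main() {
	ca, caKey, _ := NewCA()
	genuine, _ := IssueDeviceCert("sensor-0042", ca, caKey)
	impostor, _ := IssueDeviceCert("sensor-0042", nil, nil) // same name, no CA signature
	_, errGenuine := VerifyDevice(genuine, ca)
	_, errImpostor := VerifyDevice(impostor, ca)
	fmt.Println("genuine:", errGenuine, "| impostor:", errImpostor)
}
```

The impostor fails at the chain check even though it claims the same name, which is the point of tying identity to a CA-issued certificate rather than to a name the device asserts about itself. The registry lookup catches the other failure mode: a certificate the CA really did issue, for a device that has since been retired or was never enrolled in the registry at all.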
Knowing a device is what it claims to be is all well and good, but practical IoT security requires a higher-level approach where a single security measure can encompass many devices.
IoT security by design
A hub-and-spoke design approach to IoT security, detailed in Quocirca’s Reference architecture for the internet of everything, relies on tried-and-tested network security technology.
It recommends that IoT deployments are managed as a series of hubs or gateways that interoperate with spokes (IoT devices) on closed networks using network address translation (NAT). This makes network configuration, management, scalability and security easier.
IoT gateways may be purpose-built or adaptations of existing devices: network routers, set-top boxes, smartphones and so on. These gateways, which control all communication with the world at large, need routable IP addresses of their own. The devices within their domain, with which only the gateways interact, do not, and so cannot be reached directly from outside.
Focus at the gateway
With individual devices no longer directly addressable, the focus for IoT security can be at the gateway, rather than on the device itself. There are two primary considerations for building security into IoT gateways:
- Continuous visibility of devices, provided by the gateway. This needs to include real-time, agentless assessment of previously unknown devices as they join the network through the gateway, as well as of permanently connected devices.
- The ability to apply automated, policy-based actions based on a device’s classification. This includes controlling how devices can attach to networks (for example, confining them to a given subnet), limiting the resources they can interact with, and logging device activity. A device that cannot be classified should receive the most restrictive policy, not the default one.
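As an added example of the two gateway requirements above (not code from Quocirca or from any gateway product named on this page), the following classifies a newly seen device from what an agentless gateway can observe, then applies a per-class policy that confines the device to a subnet, restricts its egress and logs the decision. The device classes, the OUI table, the DHCP vendor strings, the RFC 1918 prefixes and the three sample devices are all constructed for illustration; a real gateway would populate the observations from its own DHCP, ARP and probing data.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Observation is what an agentless gateway can learn about a device with no software on it.
type Observation struct {
	MAC        string // hardware address seen on the spoke network
	DHCPVendor string // DHCP option 60 vendor class, empty if the device sent none
	OpenPorts  []int  // listening ports found by a probe
}

// Policy is the automated action the gateway applies to a class of device.
type Policy struct {
	Class  string
	Subnet netip.Prefix   // the closed network the device is confined to
	Egress []netip.Prefix // destinations the gateway will forward its traffic to
	Log    bool
}

// ouiTable maps the first three octets of a MAC to a vendor. Constructed sample, not a real OUI list.
var ouiTable = map[string]string{
	"00:1a:2b": "ExampleCam",
	"3c:4d:5e": "ExamplePLC",
}

// policies is the gateway's policy table. Prefixes are RFC 1918 space chosen for the example.
var policies = map[string]Policy{
	"camera":  {Class: "camera", Subnet: netip.MustParsePrefix("10.20.0.0/24"), Egress: []netip.Prefix{netip.MustParsePrefix("10.0.1.0/24")}, Log: true},
	"plc":     {Class: "plc", Subnet: netip.MustParsePrefix("10.30.0.0/24"), Egress: []netip.Prefix{netip.MustParsePrefix("10.0.2.10/32")}, Log: true},
	"unknown": {Class: "unknown", Subnet: netip.MustParsePrefix("10.99.0.0/24"), Egress: nil, Log: true},
}

// Classify turns observations into a device class. Anything the gateway cannot place is
// "unknown" and is quarantined rather than trusted by default.
func Classify(o Observation) string {
	var vendor string
	if len(o.MAC) >= 8 {
		vendor = ouiTable[strings.ToLower(o.MAC[:8])]
	}
	ports := map[int]bool{}
	for _, p := range o.OpenPorts {
		ports[p] = true
	}
	switch {
	case ports[502] || vendor == "ExamplePLC":
		return "plc" // Modbus/TCP listener or a known PLC vendor
	case ports[554] || vendor == "ExampleCam" || strings.Contains(strings.ToLower(o.DHCPVendor), "camera"):
		return "camera" // RTSP listener, known camera vendor or self-declared camera
	default:
		return "unknown"
	}
}

// PolicyFor looks up the action for a class, falling back to quarantine.
func PolicyFor(class string) Policy {
	if p, ok := policies[class]; ok {
		return p
	}
	return policies["unknown"]
}

// MayForward is the per-flow decision: the source must sit in the class's own subnet and the
// destination must be in one of its permitted egress prefixes.
func MayForward(p Policy, src, dst netip.Addr) bool {
	if !p.Subnet.Contains(src) {
		return false
	}
	for _, e := range p.Egress {
		if e.Contains(dst) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed devices joining a spoke network behind the gateway.
	seen := []Observation{
		{MAC: "00:1A:2B:11:22:33", OpenPorts: []int{80, 554}},
		{MAC: "3C:4D:5E:00:00:07", DHCPVendor: "ExamplePLC v2", OpenPorts: []int{502}},
		{MAC: "AA:BB:CC:DD:EE:FF", DHCPVendor: "SmartToaster", OpenPorts: []int{8080}},
	}
	for _, o := range seen {
		p := PolicyFor(Classify(o))
		if p.Log {
			fmt.Printf("device %s classified %q -> confined to %s, egress %v\n", o.MAC, p.Class, p.Subnet, p.Egress)
		}
	}
}
```

The quarantine entry has no egress prefixes at all, so the unrecognised toaster is logged and isolated until someone classifies it; the camera can reach its recorder subnet but nothing else, which is what limits the damage if it is later compromised or recruited into a botnet.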
There are already quite a few gateway-like products on the market. First, there are smart hardware gateways from the likes of MultiTech, Eurotech, Advantech and Dell. Red Hat, an open source software distributor, points out that its middleware is often being adapted to work as IoT gateways and the necessary capabilities are being built into IoT cloud platforms such as Microsoft’s Azure IoT suite, AWS IoT and GE’s Predix.
Network security technology is being adapted for the IoT, often acting like gateways, for example network access control (NAC) products from suppliers such as ForeScout Technologies, Cisco, HP-Aruba, Pulse Secure and Trustwave.
A good way to attack IoT deployments is with DoS attacks, and gateways, as the single point of contact for everything behind them, are prime targets. As organisations become more reliant on the IoT, they will need to ensure DoS protection keeps up. On-premises deployments of DoS mitigation hardware from suppliers such as Arbor, Radware, Corero and F5 are one option, but for many, DoS mitigation services from the likes of Neustar and Akamai will be more practical because they only need invoking during actual attacks.
Other security requirements
As with all IT, security risks can be identified by scanning for vulnerabilities before and after deployment of devices and software. This includes the devices themselves and, even more importantly, the gateways they sit behind. It should be possible to use the same processes already in place for existing IT endpoints.
This should be backed up by the rigorous software/firmware updating procedures that well-secured organisations should already have in place. One problem here is consumer goods that end up on networks. Manufacturers will need to give more consideration to how their IoT-enabled devices are kept secure, in other words, “How do we patch the toaster?”. This underlines the need to continually understand what devices are joining networks.
There will always be a need for orchestration between different IT security tools in order to pre-empt sophisticated threats. Such orchestration enables the enforcement of unified network security policy addressing both traditional and IoT devices. Security information and event management (SIEM) and/or operational intelligence tools have a role to play here.
Any organisation that believes it will not be impacted by the risks associated with IoT security has its head in the sand. Security must be considered up front before deploying new IoT applications. Plans must also be made for the ad hoc arrival of unexpected, unusual and insecure devices on to networks. No innovation is risk-free, but the risks surrounding the IoT can be reduced to a level where the opportunity it represents can be explored with confidence.
Bob Tarzey is an analyst and director of Quocirca.