From Speakers to Centrifuges: Security in the Age of IoT


In this special guest feature, John Smith, Principal Solutions Architect for ExtraHop Networks, outlines the new security challenges in the age of IoT and provides tips on ways companies can bridge the gap between IoT adoption and security maturation. John Smith is a Principal Solutions Architect at ExtraHop and author of the blog. He is a Citrix Technology Professional with more than 20 years of experience in IT. John’s areas of expertise span application delivery, event correlation, security, web applications, and application virtualization. Prior to joining ExtraHop, John was a Cloud Architect at both Philips and McKesson and was previously a Principal Architect at the Centers for Disease Control.

Just five years ago, BYOD was the hottest topic in IT security. iPhone and Android had rapidly usurped the mobile market from Blackberry, ushering in a wave of connectivity and unsecured access to enterprise resources that was not issued, configured, or controlled by IT.

Fast-forward half a decade, and “device” means a lot more than a mobile phone. The rise of connected devices – known as IoT – has exploded the number of endpoints connecting to and communicating on the network, from personal fitness trackers to drug infusion pumps to industrial equipment. Although security for mobile devices matured after some hard lessons, IoT security is still in its infancy.

While IoT devices do not always have the burden of being “mobile” (thus reducing the risks associated with theft and loss), IoT security can have a significantly greater and more far-reaching impact on IT operations. In most cases, the breach of a mobile phone or tablet device impacts only the device owner. Contrast this with IoT, where an expensive piece of equipment rendered non-functional on a factory assembly line, or a payment dongle compromised to steal customer payment information, will have far-reaching effects on sales, productivity, customer satisfaction and, ultimately, the business’ bottom line.

Furthermore, market demand forces IoT solutions to market without established security disciplines or regulatory frameworks in place, making them a greenfield for hackers. IoT system owners who want to have systems accepted and promoted into production will need to innovate to provide the necessary auditing and compliance that is present in existing production systems. Functions such as logging, agents, and SNMP MIBs are not inherent in IoT.

Feeling the Pain

While businesses and consumers clamor toward IoT to streamline and accelerate everything from production to payment processing, the lack of baked-in security has resulted in painful, and in some cases, life-altering, results. Hacks of IoT systems have led to stolen identities, fraudulent credit card charges, and leaked insurance and medical records. Consumers are left scrambling to reclaim losses and businesses spend millions to restore customer trust.

But the damage runs deeper than initially meets the eye. Breaches made via IoT devices in the infrastructure, manufacturing, and healthcare sectors may not be as pervasive as they are in retail and insurance, but the possibilities are terrifying. The damage Stuxnet caused to the Iranian nuclear program demonstrates the potential loss of life resulting from critical infrastructure impacts. A large-scale breach in a hospital setting could shut down critical testing and diagnostic equipment, delaying patient care and impacting outcomes. Under increasing pressure to get to market first, many companies find themselves in an environment that more closely resembles the Internet of Threats, not Things.

Closing the Gap between IoT and Security

To bridge the gap between IoT adoption and security maturation, information security teams, their broader businesses, and consumers alike need to become more proactive. Here are three keys to move the needle forward on IoT security:

  1. You Can’t Manage What You Can’t See: IoT is a connected fabric of devices and systems that lack native auditing and accountability among one another. To truly understand the interactions taking place within IoT systems, particularly those at scale, it’s important to holistically monitor the pieces of your infrastructure that underpin IoT, particularly your network. When you’re able to get a full-stack picture of IoT activity, you can much more easily correlate IT and business data, and in turn make better decisions about how to move your business goals forward.
  2. Consumer Awareness through Business Policies: Consumers need to make themselves aware of the risks to their privacy when they opt into IoT-based devices. And businesses need to help them. Enterprises need to move beyond the regulatory framework and actively test the security of IoT devices, implement and enforce login and authentication policies, and customize security policies for specific IoT devices in different environments. Incumbent policies that may work for existing shared services are not necessarily appropriate at the device level.
  3. Standardized Encryption and Protocols: IoT systems need to be standardized on what protocols and encryption levels are acceptable. While a regulatory framework is not the only solution, some standardization based on the types of data being transferred, the likelihood of a breach, and its potential impact will be critical. While hacking a neighbor’s Bluetooth-enabled speaker system is annoying, it has nowhere near the impact of an Iranian centrifuge spinning out of control, or a hospital unable to perform diagnostic testing or administer life-saving treatments.

In the late 1990s and early 2000s, many in the security industry earned battle scars working to harden solutions to meet the changing threat landscape. IoT represents a new greenfield opportunity for cybercrime, delivering a brand new set of technologies written with small, low-impact kernels that may not have room for the lines of code it will take to secure them.

The time to begin planning for this is now, while the worst harm is still primarily financial. Proactive policy development and enforcement, comprehensive monitoring, protocol and encryption standardization, and awareness on the part of businesses and consumers will all go a long way towards securing our connected world.

