The Internet of Things holds tremendous promise. However, having so many connected devices presents significant security issues, and companies that fail to properly secure their devices place themselves at tremendous risk
In their latest report, entitled “The Internet of Things (IoT): A New Era of Third-Party Risk,” the Ponemon Institute found that companies are acutely aware of potential risks of IoT adoption. In total, 97 percent of respondents believed a data breach or cyberattack caused by an unsecured IoT device could be catastrophic. This comes in an era where IoT technology is growing rapidly and attacks are becoming more common. In fiscal year 2017, 15 percent of companies reported experiencing a data breach due to unsecured IoT devices; this number jumped to 21 percent in 2018. Similarly, cyberattacks caused by IoT devices rose five percent, from 16 to 21 percent.
Although awareness of the potential dangers posed by IoT devices in general, and third-party devices specifically, has risen significantly, security practices have been slow to increase. Only 29 percent of survey respondents claim to actively monitor IoT devices used by third parties. This stands in contrast to further fears respondents expressed, as 81 percent of respondents believe their company is likely to be a victim of a data breach caused by improperly secured IoT devices, and 82 percent believe IoT devices will lead to cyberattacks, including denial-of-service attacks.
In all, the report expressed a mixed state of affairs regarding third-party IoT risk and IoT security management in general. Although approximately two-third of those surveyed believe taking a strong tone regarding security from the top is important, 58 percent also stated that it is currently impossible to uncover whether IoT and third-party safeguards are appropriate. Furthermore, 53 percent of those surveyed rely on contracts, while 46 percent already have policies allowing them to disable devices that might pose a security threat. However, fewer than half can monitor compliance in these scenarios, which can increase the risk of data breaches and cyberattacks.
Perhaps most surprising was how frequently companies fail to inventory their IoT devices. Among the 56 percent of those surveyed who don’t keep an inventory of their IoT devices, 88 percent blamed the lack of centralized tools for managing IoT devices. In all, less than 20 percent of respondents are able to identify a majority of their IoT devices.
Finding in the report indicate that companies can improve their security by treating third-party IoT devices similarly to their internal devices. Although 50 percent of respondents report monitoring their internal IoT devices, only 29 percent monitor third-party devices. There were also signs of progress: The number of respondents who require third parties to identify IoT devices connected to their network increased from 41 percent to 46 percent.
So how do businesses offset the risk and ensure their adoption of IoT devices is secure? Properly defending the IoT requires using multiple technologies. Here are some of the most popular.
Traditional Networking Security
In some cases, tried and true solutions are still the best. IoT devices often connect through the public internet, and standard network security should be used wherever the IoT and public internet meet. Firewalls can prevent a broad class of attacks, and antivirus and antimalware products can determine if devices have been affected. One of the benefits of combining the IoT with the public internet is the maturity of security suites. Cisco, for example, has decades of experience crafting appropriate tools that are great options for securing IoT devices. Intrusion detection technology is especially useful, as it has the potential to detect attacks before they can cause harm.
Symantec EMEA CTO & VP Darren Thomson sees traditional security methods as “absolutely valid” in the age of IoT. Below he explains why security should be front of mind when making IoT buying decisions.
— TechNative (@TechNative) March 5, 2018
Again, tested technology is often the most effective, and encrypting data can prevent many popular attacks. All data should be encrypted as it’s sent over any network, even propriety and internal networks. However, it’s also worth encrypting data as its being used on the device itself, as preventing physical access to extensive IoT networks can be difficult. Not all data sent over IoT infrastructure is critical; sensor data relating to the temperature of hardware, for example, doesn’t present a risk. However, any data leaked to hackers can present further risks, so leave no data unprotected. Major vendors, including HPE, have extensive experience with using encryption. Symantec also offers a number of encryption tools.
Public Key Infrastructure Security
When it comes to control, PKI security is a step above other available options. Although it will take some time to set up, baking PKI security into an IoT installation will provide a degree of assurance unmatched by more ad hoc solutions to security. Furthermore, PKI technology is mature, and popular implementations, including X.509, have proven successful in critical environments. Fortunately, there are ample options for PKI security on IoT networks, and vendors are already familiar with the technology. DigiCert and Entrust Datacard are well known in the field, and large vendors including HPE and Symantec can provide proven solutions as well.
We sometimes fall into the trap of thinking IoT devices are simpler than they really are. Nearly all IoT devices are full-fledged computers capable of general purpose tasks, and their processors are often surprisingly powerful. The operating systems on IoT devices are substantial in size, and they’re likely to have bugs on occasion. Furthermore, the software they run can also potentially be hijacked. Because IoT networks are so large, releasing patches for all devices can be especially difficult, but it’s essential for preventing your infrastructure from becoming a zombie network. Make patching capabilities a key element of your network from day one to avoid potentially expensive problems down the line.
The scalability of IoT technology accounts for much of its appeal, but it’s easy to lose track of just how large the network is and how many devices it contains. Because of this, visualization software has become a critical part of managing IoT networks. When picking tools for monitoring performance and visualizing the network, it’s worth picking up tools that also provide security feedback as well. Solutions from Kaspersky Lab, SAP, and others can use machine learning and other technology to detect potential threats and send alerts, letting your respond in a timely manner. IoT protection requires vigilance, and 24/7 monitoring is essential.
Focus on the APIs
Although lower-level security is key to designing a safe network, higher-level security is important as well. The most popular area to focus on is the APIs used to protect data while it’s in transit. Again, encryption plays an important role, but API-level security provides another means of ensuring data isn’t rerouted or compromised while in use. Furthermore, APIs provide a means for developers to make their software secure from the beginning, so programming mistakes, which are inevitable, are far less likely to lead to intrusions. There are ample options to choose from with picking an API, including options from Google, CA Technologies, and Akana.
The Internet of Things is transforming companies of all sizes, and this transformation shows no signs of slowing. With the opportunities provided by the IoT, however, comes a set of new obligations, as the many potential attack vectors on IoT infrastructure will prove tempting for malicious actors. Fortunately, there are plenty of options available for ensuring your IoT infrastructure is secure, and investing in security early on can allow you to reap the benefits of the IoT while keeping you critical data safe.