IoT and security: Hype, hysteria or cause for concern?
Mary Beth Hall, Verizon
Any new technology is bound to have its share of challenges and barriers — for example the initial security concerns around cloud computing — and the Internet of Things (IoT) is no different, writes Mary Beth Hall, the director of product management and development at Verizon. IoT currently connects millions of devices, and our commissioned research predicts there’ll be more than five billion IoT devices by 2020.
With smart devices adding billions of new access points into enterprise systems and communicating with the network, IoT security will be key. A number of studies have looked at IoT device security, such as recent research by HP that shows that 70% of IoT devices it tested contained security flaws. But just how big are the security threats?
Potential targets
In the Verizon 2015 Data Breach Investigations Report (DBIR), we looked at IoT from a security perspective and found there were actually very few incidents and little data disclosure to report for 2014. However, with IoT still in its infancy, it’s difficult to say with certainty what we’re facing. But we can look at what we do know. Of the projected five billion enterprise devices that will be around in 2020, not all of them will necessarily be internet-visible, and not all devices will be sending sensitive data. In fact, many of them will be simple devices that have a single function — like a light sensor.
That said, any device that is connected, regardless of whether it’s IoT-enabled, is a potential target for a cyber-attack. The devices themselves may not be the end target (they could be used to carry out malicious activity as part of a botnet attack), but they could be used as a gateway into the broader enterprise network and critical systems.
Don’t panic — the same rules apply
IoT is all about making the things around us smarter, but many sensors, especially those embedded in assets, must be frugal. Limitations on space mean that processing power and battery life are often limited. This means that many sensors aren’t capable of running the endpoint protection capabilities we’re used to seeing in more sophisticated assets, like laptops. But while some familiar security rules — such as applying anti-virus to all endpoints — don’t relate to IoT systems, many do:
- Authenticate all IoT connections. Digital certificates provide a robust solution without compromising practical operation.
- Ensure that patches are applied to IoT devices promptly. The 2015 DBIR found that most attacks exploited known vulnerabilities where a patch has been available for months, often years. You don’t want to have to rely on manual methods to keep hundreds or thousands of devices up to date. Investigate secure methods to deploy updates automatically.
- Only collect the information that you need from IoT devices, and dispose of it securely when you no longer need it. If you don’t have it, it can’t be stolen.
- Encrypt sensitive IoT data. Encryption won’t stop criminals from stealing your data, but it will make it a lot harder for them to do anything damaging with it.
- Segment IoT networks and systems to limit the spread and damage of any attack. You don’t want a breach of a relatively innocuous sensor to lead to the compromise of your connected device or enterprise systems. Segmentation will also help reduce the amount of sensitive information criminals can exfiltrate.
Don’t cut corners
As IoT devices become more widespread and more closely integrated with core enterprise systems, the more important it is that security is made paramount from the start. Just as with any other IT system, organisations should regularly assess the risk, apply appropriate security measures, and test their effectiveness.