Re-engineering security for the IoT
Klaus Gheri, Barracuda Networks
From delivery vehicles to ATMs, air conditioning systems to CCTV cameras, the scope for commercial IoT appears to be as big, if not bigger than, the comparable consumer opportunity, writes Klaus Gheri, the vice president and general manager for network security at Barracuda Networks. However, for the business world, the IoT faces a major barrier to adoption: in their current state, the tools that help businesses deploy and secure IoT devices are simply not fit for purpose.
In order to secure and roll-out large networks of connected devices, the security industry has had to rethink and re-engineer existing technologies. Likewise, businesses must also go back to the drawing board to determine the best network architecture to meet their IoT security needs.
How secure are IoT devices?
The sheer number of IoT devices and use cases makes it difficult to say exactly how secure or rather, how insecure the IoT really is. However, with its rapid evolution, it has certainly become more and more difficult for businesses to stay up-to-date with the latest IoT security threats. Typically, when companies decide to create an IoT device, the focus is placed on functionality and remote control. This leaves a critical gap when it comes to security, as there are often weaknesses in the system’s design and architecture. This makes it possible for hackers to easily get access to the device itself and the data it stores and communicates back to control systems.
The IoT creates new challenges
One of the main issues in today’s connected devices is the use of weak encryption and authentication, which leaves the IoT vulnerable to data theft. The device systems might also be closed, meaning they are hard to remotely maintain and update. This is a key consideration when it comes to the IoT, because once organisations have a large number of devices, it becomes very difficult from an operational standpoint to get physical access to each device to fix any flaws. When the size of the IoT network goes into the hundreds or thousands, deploying both the device and a security solution for it becomes a logistical challenge – how do you deploy the equipment? how do you manage its lifecycle? how do you implement security policies?
The crux of the matter is that businesses require the sophisticated security of state of the art firewall technology, with all its advanced traffic inspection options, but the traditional firewall products were never designed with mass rollouts in mind. This has forced security vendors to rethink some of the traditional design paradigms in order to improve on scalability and ease of use from an operations standpoint, whilst not giving up on any of the required technical capabilities. Take ransomware as an example. Given that the newest variants can also spread to devices, companies are demanding more advanced technologies than the basic network-layer firewalling to secure their IoT devices.
There is no one size fits all solution
Many startups in the machine communication space have come up with products that meet the form factor requirements, the need for very simple handling and support for wireless WAN connectivity. However, most of these products fall short of meeting many of the advanced security requirements and sustainable scalability throughout the product lifecycle. On the other hand, the current security solutions available today are so expensive that it is simply not feasible to implement them at every connected device. Other technologies attempt to run an application that encrypts the data. In this case, there is no Denial of Service protection so the infrastructure is not properly secured.
One of the barriers to securing the IoT is simply that there’s not a one size fits all solution. At one end of the spectrum, we’re talking about tiny equipment such as CCTV cameras and intelligent lightbulbs, on the other we’re talking about large machine equipment. Depending on what the IoT device is, there will be a different approach to security that is economically viable. The challenge is finding the right security solution for each use case. This has meant that today, companies either have nothing securing their IoT network, or have something that is not really fit for purpose.
So how do you approach IoT security?
As there is no one size fits all solution, companies need to approach IoT security in a case-by-case manner. A good place to start is to build a clear picture of all the network components – how are the various machines connected? what sits between the machines? and is there any remote monitoring taking place? If you take a photocopier as an example, it could be hooked up the local network, or the 3G network and it may have a third party monitoring its supply levels. The larger the network, the more complex this task will become. For the more complex IoT networks, it makes sense to create a full inventory that can be kept up-to-date, as additional devices or machines are added.
Next up, companies should look at segmentation. This will ensure that only those who really need access to certain zones have access. If the company doesn’t have enough segmentation, this could present a serious security risk, particularly when third parties have access to connected devices. In this case, it will be essential to place firewalls at the transition points between the various zones that need securing.
After looking at these elements, the IT team should create a plan for the network and security architecture. Look at the existing security technologies, the connected devices or machines and their built-in security. If, for example, a company needs to guarantee the security of telemetry data from a device, the built-in security capabilities may need to be hardened with additional layers of security. For many commercial use cases, there will be a balance to be struck between the cost of the device versus the cost of the security measures that could feasibly be placed around it. This means that the IT team will need to decide exactly what levels of security they require and at what cost.
Only at this point is it then possible to assess suitable security tools. For use cases with high-volume, relatively low cost devices, such as an ATM, or a managed industrial refrigerator, any tool designed to provide secure, scalable connectivity will need to be relatively small, inexpensive, lightweight and mountable. It will also need to be easy to ship in large numbers and easy enough to implement and manage so that organisations don’t need to hire a whole new team of security or IT specialists. And, as IoT deployments scales, businesses will increasingly need security solutions that are purpose-built.