Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

The Massive Challenge of Securing the Internet of Things

Internet of Things Security

Internet of Things Security

If the buzz last year was all about software defined networking (SDN), this year’s buzz is about the Internet of Things – everyday devices that are IP-enabled, can communicate over the Internet and can transmit what may be very confidential and important data. In fact, according to data from Cisco, there are now more “things” connected to the Internet than there are people on Earth, and these “things” are not just smartphones and tablets. For example, a Dutch startup, Sparked, is using wireless sensors on cattle so that when one of them is sick or pregnant, it sends a message to the farmer.

While devices that are used in the Internet of Things (IoT) can address either consumer or enterprise needs, its use within enterprises and critical infrastructure such as manufacturing plants or transportation hubs may pose the biggest security risks, and the biggest targets for criminal organizations and nation states.

There are a number of reasons why there is so much concern about IoT security today:

Massive number of devices means massive ways to target an organization – Gartner estimates that the number of IP-enabled devices will reach 26 billion while IDC projects 212 billion installed devices by the end of 2020. The Federal Trade Commission (FTC)’s chairwoman, in a conference on the Internet of Things last year, predicted 50 billion devices will be connected to the Internet by 2020. Whichever analysis you believe, give or take a couple of billion devices, that’s still a lot of devices that will form new networks, communicate with other devices and share data. The massive number of devices now translates into massive number of ways for targeted attacks.

Low-cost devices using a variety of protocols – The majority of IoT devices will be low-cost, low margin devices developed by vendors without much security expertise. As a result, security features may not be embedded in the device or considered in the architecture. These devices may perform different functions, run different operating systems and interact with a variety of different systems or network. All these variables make it really challenging to secure the devices and the communications between devices.

Confidential data that is difficult to secure – In an IoT world, a myriad of smart, IP-enabled devices will be connected to cloud-based applications and services, and new data will be uploaded, processed and stored in this cloud. It is not always clear how the data will be collected, who has access to it, and how it will be processed. In addition, data leakage laws do not currently apply to IoT data today. This data may also be difficult to segment and secure because of the vast volume.

But are attacks to IoT truly plausible? The Federal Trade Commission recently announced charges against a company called TRENDnet because it misrepresented its security capabilities on its IP camera, and allowed the private feeds of 700 consumers to be hacked and shared on the Internet. So, yes, in fact, attacks have occurred.

The framework for securing the Internet of Things

Advertisement. Scroll to continue reading.

However, the good news is, the world of IoT intersects devices/endpoints, cloud/datacenter and the network, and the best practices for securing these elements today can extend to IoT. For example—identifying and managing IoT devices, protecting them, and controlling access to the data, along with the proper security of the data in the cloud.

Understanding and identifying which types of devices are part of the network of Internet of things is the first step. Similar to mobile endpoints, the information about the IoT device, or its state could be used in making decisions to protect the device and control the data. For example, a device that has malware can be blocked from accessing the IoT network.

IoT devices will also have to be protected against a spectrum of threats, including exploits and new, unknown forms of malware. The protection of these IoT devices is likely better performed at a network level rather than an endpoint level due to the variety of devices that may exist and the limited endpoint security functions that can be supported. Many existing network security solutions like firewall and IPS can extend to IoT, assuming inspection of the communications protocol for IoT is supported. Finally, IoT data and application access should be secured using the Zero Trust principles of least privilege access with granular segmentation.  

As we embark on the dawn of the Internet of Things, these building blocks and principles provide the right foundation for security. The biggest barrier that remains will be regulation around privacy of the data collected by IoT devices, how it is used and shared. This will likely require the cooperation of enterprises, governments and standards organizations before we can fully tap into the true potential of IoT.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bring new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep-learning to detect malware, and CMO at SafeBreach where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.