If the buzz last year was all about software defined networking (SDN), this year’s buzz is about the Internet of Things – everyday devices that are IP-enabled, can communicate over the Internet and can transmit what may be very confidential and important data. In fact, according to data from Cisco, there are now more “things” connected to the Internet than there are people on Earth, and these “things” are not just smartphones and tablets. For example, a Dutch startup, Sparked, is using wireless sensors on cattle so that when one of them is sick or pregnant, it sends a message to the farmer.
While devices that are used in the Internet of Things (IoT) can address either consumer or enterprise needs, its use within enterprises and critical infrastructure such as manufacturing plants or transportation hubs may pose the biggest security risks, and the biggest targets for criminal organizations and nation states.
There are a number of reasons why there is so much concern about IoT security today:
Massive number of devices means massive ways to target an organization – Gartner estimates that the number of IP-enabled devices will reach 26 billion while IDC projects 212 billion installed devices by the end of 2020. The Federal Trade Commission (FTC)’s chairwoman, in a conference on the Internet of Things last year, predicted 50 billion devices will be connected to the Internet by 2020. Whichever analysis you believe, give or take a couple of billion devices, that’s still a lot of devices that will form new networks, communicate with other devices and share data. The massive number of devices now translates into massive number of ways for targeted attacks.
Low-cost devices using a variety of protocols – The majority of IoT devices will be low-cost, low margin devices developed by vendors without much security expertise. As a result, security features may not be embedded in the device or considered in the architecture. These devices may perform different functions, run different operating systems and interact with a variety of different systems or network. All these variables make it really challenging to secure the devices and the communications between devices.
Confidential data that is difficult to secure – In an IoT world, a myriad of smart, IP-enabled devices will be connected to cloud-based applications and services, and new data will be uploaded, processed and stored in this cloud. It is not always clear how the data will be collected, who has access to it, and how it will be processed. In addition, data leakage laws do not currently apply to IoT data today. This data may also be difficult to segment and secure because of the vast volume.
But are attacks to IoT truly plausible? The Federal Trade Commission recently announced charges against a company called TRENDnet because it misrepresented its security capabilities on its IP camera, and allowed the private feeds of 700 consumers to be hacked and shared on the Internet. So, yes, in fact, attacks have occurred.
The framework for securing the Internet of Things
However, the good news is, the world of IoT intersects devices/endpoints, cloud/datacenter and the network, and the best practices for securing these elements today can extend to IoT. For example—identifying and managing IoT devices, protecting them, and controlling access to the data, along with the proper security of the data in the cloud.
Understanding and identifying which types of devices are part of the network of Internet of things is the first step. Similar to mobile endpoints, the information about the IoT device, or its state could be used in making decisions to protect the device and control the data. For example, a device that has malware can be blocked from accessing the IoT network.
IoT devices will also have to be protected against a spectrum of threats, including exploits and new, unknown forms of malware. The protection of these IoT devices is likely better performed at a network level rather than an endpoint level due to the variety of devices that may exist and the limited endpoint security functions that can be supported. Many existing network security solutions like firewall and IPS can extend to IoT, assuming inspection of the communications protocol for IoT is supported. Finally, IoT data and application access should be secured using the Zero Trust principles of least privilege access with granular segmentation.
As we embark on the dawn of the Internet of Things, these building blocks and principles provide the right foundation for security. The biggest barrier that remains will be regulation around privacy of the data collected by IoT devices, how it is used and shared. This will likely require the cooperation of enterprises, governments and standards organizations before we can fully tap into the true potential of IoT.