Why it's So Hard to Implement IoT Security

Harmonizing Security Across IoT Infrastructures that are Connected to Both Brownfield and Greenfield Systems is Easier Said Than Done

The Internet of Things (IoT) is integrating the physical world and computer-based systems more and more through a vast network of electronics, software, sensors, actuators and connectivity. According to Statista, the IoT juggernaut is growing nearly 20 percent annually and is on track to hit $8.9 trillion by 2020. All the while, a quarter of all IoT remains devoted to industrial settings — the Industrial Internet of Things (IIoT).

Unfortunately, as the new opportunities for innovation, efficiency and convenience multiply, so do the IoT-related vulnerabilities and attack surfaces for malicious actors to exploit. And because cyber attacks take advantage of the weakest link in a chain, organizations can’t just pick and choose which IoT vulnerabilities to address — they have to deal with them all, in real time.

The reality is that IoT security is a tough challenge, involving everything from hard-to-implement standards, to hard-to-reach industrial components, to hard choices about how to integrate security seamlessly around both older “brownfield” and newer “greenfield” IoT systems and equipment.

Lots of Guidance, but Not Enough of it is Practical

IoT and IIoT security challenges range from insecure web and mobile interfaces and network services to poor encryption, authentication and physical security. Especially in industrial settings, organizations are realizing they must address the entire IoT ecosystem, including operational technology (OT) running on factory floors, new devices connected to IIoT cloud platforms, IT systems that link to business systems, new devices and sensors, and everything in between.

Groups like the National Institute of Standards and Technology (NIST) and the International Society of Automation (ISA) have tried to help by issuing IoT and IIoT cybersecurity standards — but such guidelines are complex, difficult to understand and hard to implement because they often lack clear implementation recommendations. Equipment manufacturers and integrators are left to determine how to achieve the appropriate safety, reliability, resilience and privacy for the requisite security levels of their devices. Oftentimes, this means that standards are not put into real-world practice because the perception is that they are too complex.

The Trusted Computing Group’s TPM 2.0 standards, for instance, give guidance for embedding a unique secret key into microchips and firmware to help prove the identity of IoT devices, but the technical documentation runs more than 3,000 pages. 

These challenges have left the industry unprepared for IoT-focused attacks. In fact, a recent survey found that 97 percent of respondents believe unsecured IoT devices represent a significant risk for their organizations.

The Industrial IoT is Especially Mission Critical — and Even Harder to Secure

From Stuxnet in 2010, all the way to expanded Triton-style attacks of 2018, industrial systems have become prime targets — a fact that’s particularly troubling and consequential. While a data breach at Target or Equifax can be devastating and compromise the privacy and finances of millions of customers, a cyber attack on critical infrastructure can cause incalculable damage, operational breakdowns and even the loss of life. 

Consider accidents like 1979’s Three Mile Island nuclear meltdown and the 2010 BP Deepwater Horizon oil spill; they may both have been accidents, but the control system breakdowns involved are the same kind that could easily be caused by a well-executed cyber attack. In fact, a purported 2014 hack at a German steel mill sabotaged a blast furnace, causing it to malfunction and inflicting significant damage on the facility.

Keep in mind that, for refineries and some other complex industrial operations, emergency shutdowns can take a year or more to recover from. This means lost revenue, damaged reputations and even the possibility of bankruptcy. 

Unfortunately, IIoT security is especially hard to implement. Many industrial components were built long ago and designed to run continuously. This makes it tough to retrofit systems for security: some industrial control systems have been in place for decades, with maintenance windows as fleeting as four hours every year.

The Right Approach to IoT Security  

Enterprises are increasingly realizing that, to protect the organization and maintain operations, they must implement security across the entire IoT ecosystem — and especially in industrial settings.  

A top challenge is to overlay security onto “brownfield” problem spaces involving older equipment and legacy systems. At the same time, it’s critical for manufacturers to bake in security from the beginning for new “greenfield” devices that are being developed. 

Harmonizing security across IoT infrastructures that are connected to both brownfield and greenfield systems is easier said than done. On the brownfield side, some systems simply can’t be upgraded, meaning your only choice is to replace the system or find a way to place a secure gateway in front of it. Other brownfield elements may be incrementally upgraded with stronger authentication, more encryption, or better web, mobile or physical security. On the greenfield side, security should be incorporated into the design of all the devices and components as early as possible in their development and production cycles.

Finally, developers should understand that even if a brand new system is stamped secure from the factory, its operational capacity could still be compromised if it’s going into an environment that doesn’t have security across the board.

Implementing Better IoT Security in Your Own Organization

By now, it should be clear that there’s no one-size-fits-all solution that someone can simply buy and turn on with the flip of a switch. Instead, IoT security is something that must be implemented with the right strategies and industry partnerships tailored to your organization and its vulnerabilities. 

Whatever your specific implementation approach may be, it should involve a security stack that can address requirements across a diverse landscape of endpoints. Also, make sure your security solution is powerful enough to enhance the security of storage, communications and containerized applications. And ensure any industrial devices meet the requirements of US NIST 800-63B AAL3 — the highest level of authentication assurance.

Most of all, your ability to implement these high levels of security should not be bogged down by reams of complex standards and guidance manuals. The right industry partners can package up that complexity to ensure you’ve got the proper security and compliance in place — without drowning in documentation. Demand comprehensive security from your vendors that is still simple enough to understand and implement.

Developing stronger IoT security has become a primary focus across all organizations — especially those dealing with critical infrastructure. Whether you’re an equipment manufacturer or a service provider, everyone benefits from a better understanding of the existing IoT security landscape and how to strengthen it.

Dean Weber is Chief Technology Officer (CTO) at Mocana. He previously served as director and CTO at CSC Global CyberSecurity, and CTO at Applied Identity, which was sold to Citrix. Earlier, he was Chief Security Architect at Teros, a manufacturer of application security gateways. He was responsible for developing and implementing solution deployments, including assessment and intelligence gathering, at TruSecure/ICSA Labs (now Verizon Business Security Solutions). Mr. Weber helped found a large Midwestern reseller-integrator specializing in secure architectural design and deployment for both public- and private-sector clients, and he served for many years as its technical vice president. Additionally, he spent several years in the U.S. Navy working in physical and electronic security.