By 2020, Gartner estimates there will be 20.4 billion connected devices in the global Internet of Things. When the Internet of Things (IoT) is augmented with sensors and actuators, this technology becomes an example of the more general class of cyber-physical systems, including smart grids, virtual power plants, smart homes, intelligent transportation and smart cities. While I’m excited by the potential of this technology, as a security researcher I cannot avoid asking myself: “What happens when these interconnected devices get hacked?”
The scale of security risks in the IoT era is much greater than in the pre-IoT environment, and the “attack surface” is much larger. Therefore, there is a need to protect ALL IoT devices from unknown vulnerabilities. Consider how many of these devices collect and store sensitive user data such as email addresses and credit card numbers. If that isn’t problematic enough, read this nightmarish scenario imagining how a coordinated cyberattack could bring New York City to its knees.
It’s critical for any business who wishes to take advantage of IoT technology to have a detailed plan for how to secure these devices and systems. Choosing the right security solutions and/or vendors is an important part of any IoT plan. In this post, I will outline some guidelines to help you make the right decisions about how to pick the best security systems and vendors for your IoT strategy.
How to Choose an IoT Security Vendor
First, the good news: consulting services in the IoT security market can help companies of all sizes secure a variety of functions at the endpoint and in the cloud. The bad news is most IoT security products from established IT security vendors or small/midsize new consultancies are only in their development or proof-of-concept stage. That in mind, here is my advice on how to get the best value and fit from potential IoT security vendors.
Lead with Security Assessments
While vendors work on improving their security product and service offerings, you can still rely on experienced consultants to assess your IoT vulnerabilities. It’s worth hiring outside companies to assess integration points in your networks for IoT implementations, and to determine gaps in capability and infrastructure. You could also have these consultants assess your risk exposure from IoT-related initiatives or your organization’s security posture.
Rely on a Cloud-Based Security Service
Because of the IoT’s dependence on cloud-enabled devices, you can’t go wrong by working with a proven cloud-based security service. These cloud consultants can help you monitor, detect, and respond to security concerns whether they’re related to your IoT deployments or more conventional computing devices. So while contractors figure out how to protect all these new interconnected devices, we can safely assume cloud-based services will play an indispensable role in IoT security.
Choose IOT Product Vendors with a Hardware Foundation
Finding the right IoT security product vendor is more challenging. You want a vendor that will provide a hardware root of trust, which is essentially a technical foundation to secure a wide variety of functions at the endpoint. Also important: if a vendor promises real-time visibility and oversight over every network-connected IoT device, make sure they can show you an easy-to-understand interface capable of fulfilling that promise. You want to be able to identify a potential breach or problem with minimal delay.
How to Select an IoT Security Solution
When it comes to IoT security systems and technology, cost is not an insignificant factor. When you evaluate possible IoT security solutions alongside your budget, pay attention to how improved visibility and device control with impact your organization’s risk exposure. This also suggests you want security solutions that come with technical support so you will achieve the best possible value from these systems. Here are other key considerations:
Cryptographic Key Provisioning and Management for IOT
The first place to start with IoT device management is encryption. You want secure cryptographic key provisioning when you deploy a large number of IoT devices simultaneously. This means having a process for provisioning new IoT devices by downloading software, patches, or other updates regularly to keep up with threats. That in mind, I recommend IoT leaders use a scenario-driven approach in selecting discovery and provisioning solutions, and not attempt to acquire a “one size fits all” product or service at this stage.
Detect IoT Devices in Enterprise Networks
You also need a system to detect IoT devices in your enterprise network when they are part of proprietary or non-IT-standard engineering networks or if they aren’t continuously connected. Use this system to build an effective IoT “asset database” complete with attributes and entitlements for access by those devices. By defining device access credentials in this way, you can better recognize when a device exhibits abnormal behavior suggesting a possible breach or security risk.
Secure Your Endpoints
This is a classic data security best practice, and even more important in the IoT era. You need to protect endpoints across your organization in cases which traditional authentication and cryptography cannot be implemented, whether due to resource constraints or long device life cycles that outlive encryption effectiveness. In high-risk environments or activities, you should also set up anti-tampering functions for your interconnected devices to ensure strong device identity and security. And do not forget to safeguard sensitive data from any humans who interact with interconnected devices!
Hackers Are Ready for the IoT. Are You?
Now that you have some guiding principles to understand IoT, I want to leave you with a sense of what you’re facing in terms of cyberattackers. In the first six months of 2017, IoT attacks increased by a staggering 280% over the previous six months. This means that malicious actors are already hard at work finding vulnerabilities in your interconnected devices and systems—and I want you to be ready for them.
For more information about security and the Internet of Things, please view this BrightTalk webinar I presented with two other security experts. We covered:
- 2017 trends in Cyber attacks for IoT
- Security Metrics for IoT
- Oversight of third parties in IoT
- How to measure cybersecurity preparedness for IoT
- Automated approaches to integrate Security into IoT