Sunil Sharma, VP, Sales and Operations at Sophos, said the world of Internet-of-Things (IoT) or M2M (machine-to-machine) communications is set to emerge an all-pervading reality.
In mature ICT markets, IoT deployments have already made their presence felt in several verticals, particularly in automotive and industrial control industries.
We all have heard about connected cars. IoT has arrived in India too. While I was reading news stories with my morning cuppa today, I spotted a print commercial of an automaker announcing the arrival of connected cars for Indian consumers! IoT, for long has been a buzzword, appearing on tech journals, making headlines in analysts’ articles and has been both celebrated and cautioned by several tech evangelists.
IoT essentially consists of an ecosystem of multiple connected devices that bring identities as well as physical and virtual attributes, which are seamlessly integrated into the Internet infrastructure using varied communication protocols. IoT progress and emergence is underpinned by advances seen in the fields of radio-frequency identification (RFID), machine-to-machine (M2M) communication, wireless sensors and web driven internet infrastructure.
While IoT poses a promising opportunity with Internet-enabled things, bringing tremendous benefits to both businesses and individuals alike, security concerns associated with IoT may offset all the benefits that come with this new technology. As IoT progress advances, billions of devices will connect to the Internet, and we are not talking merely smartphones and tablets here; among plethora of IoT devices will include connected cars, home appliances, surveillance devices, smart grids, smart meters and more.
I would like to offer my two cents on some useful security considerations which any business should understand before getting aboard IoT gravy train.
Understanding IoT traffic – IoT traffic is different from data traffic within a typical enterprise network. It consists of information traffic emanating from a multitude of devices. And this traffic generates from several new Operating Systems, Communication Protocols and Devices. These can be easily targeted as new potential attack vectors. A lot of security standardization is still pending for IoT.
This is primarily due to the fact that the multiplicity and volume of connected devices is overwhelming and the standard security protocols across the IoT ecosystem are lacking. And present day security protocols vary from manufacturer to manufacturer, and even device to device. This not only results in fragmentation but can also cause poor network security policies and may lead to weak links, hence causing undue risk. Understanding and controlling IoT traffic is of critical essence to ensure devices connect securely and are not subject to any possible exploit or malicious influence.
Let me offer an example here. Several manufacturers have inundated the market with connected and wireless lighting systems that can be managed remotely for house or work locations. Some of these products are reportedly carrying a vulnerability in code, which can be exploited by a hacker. Using a website interface, a hacker can cause drive-by blackouts!
Keeping authorization transparent yet secure
I already shared my thought on the need to expedite and augment efforts on standardizing security for IoT. Well, we can’t wait until someone volunteers to do this. IT security managers who are overseeing IoT deployments must deploy security by building a framework that keeps Authorization, Authentication and Encryption in sync. This would allow them to ensure fine-grained access control while ensuring end-to-end data protection while providing opportunity to adjust security policy to user or device behavior.
IoT devices run on customer firmware and in the event of a critical patch update, security teams will have tough time managing firmware update on the fly. Upgrading IoT devices with custom operating systems might turn out a daunting task. And this one may sound familiar. Many IoT devices may come with default credentials, so it will take security best practices to ensure proper management of passwords and other system credentials
Hardening security for inbound open ports
Several IoT devices come with a built-in remote management server, which keeps an inbound port open to allow administrators to perform necessary actions remotely. This has a huge security risk if proper security configuration is not in place. Such areas require rigorous testing and commissioning to prevent IoT devices from falling prey to hackers.
We already discussed how absence of standardization remains among key security challenges at this juncture of IoT ecosystem development. In addition, differences in underlying system architectures, protocols and operating systems also result in interoperability bottlenecks. There’s a need for a roadmap to ensure networks and connected devices are able to share information and data without any bottlenecks.
Assessing risk from pervasive sensing
Pervasive sensing as such quintessentially remains a term that pertains to Industrial Internet of Things or (IIoT). Industrial computing environments having mission-critical dependence on automation technologies such as large manufacturing factories, plants etc. are aggressively deploying large volume of sensors. This is because sensors with their low-cost, low-energy consumption characteristics provide effective measures to send and receive information and other useful monitoring data. However, as sensor deployment grows in scale and becomes more pervasive in more industrial environments, the development also expands attack surface to a great degree. Sensors either carry simple data which is used to signal indication or are used to send critical instructions to control systems. Now we can imagine the risk involved. From security point of view, it needs to be seen if adequate security measures are being introduces in these sensors to protect data, key processes and mission-critical systems.
We all would love to have connected appliances and intelligent IoT enabled devices at home. Technology can be fun and convenient and we need not argue there. But do we care enough about possible security risks that barge into our homes uninvited with such devices? We can discuss a recent incident of a hack which exposed man-in-the-middle vulnerability of a smart refrigerator: upon gaining keys to the castle, hackers managed to access the owner’s network and the ability to steal linked Gmail login credentials and it was the built-in calendar integration functionality that helped hackers win this trick.
Choosing Firewall / security solutions crafted for IoT requirements
We have already discussed that IoT networks and traffic remain significantly different from a typical enterprise network. As an example, securing a network of industrial control systems (ICS) such as SCADA can’t be achieved with an ordinary firewall. Understanding IoT protocols, applications and traffic requires capabilities. Cyber criminals always hunt for latent vulnerabilities in such connected systems.
With IoT, siloed structures between business technology and operational technology have disappeared. Several global regions have witnessed a series of attacks on energy plants, nuclear plants and other mission-critical ICS facilities since hackers could clout from several weak spots like improper input validation, poor firmware updates, poor management of credentials, improper authentication, poor code quality and more. There’s a need to deploy security solutions that are designed around unique security needs of IoT installations.
Embedding security in key processes
Having discussed few examples, we now know that there’s significant lax towards security when it comes to IoT. If we look at most IoT devices, primary focus remains on processes and communication and security takes backseat. This is why we hear about a Firewall that’s specifically designed to protect nuclear plants. We are at a stage where IoT deployments have begun to mature and expanding into new verticals from more traditional applications as seen in manufacturing or energy or oil & gas plants.
We have healthcare, medical systems, retail, automotive and more. Given that technology has immense potential to make things and experiences much smarter and immersive, it’s about time we assign due recognition to security aspect too. Instead of taking a reactive approach on IoT security, we should implements frameworks and design methodology that embeds security invariably in network processes or device communication, hence making security integral to IoT experience.
Greater collaboration for improved data privacy and risk assessment of IoT devices and network: More and more businesses and organizations are inclined to leverage IoT to transform efficiencies. In the absence of commonly adopted security guidelines, it only depends on how we choose to collaborate over what matters and evolve security practices for IoT. We can collectively make contributions in documenting security best practices, develop joint-solutions and help develop commonly agreeable standards and frameworks enable safer and secure deployment of IoT systems and devices.
Sunil Sharma, VP, Sales and Operations, Sophos