Understanding the IoT Digital Attack Surface and Threat Mitigation
The IoT (Internet of Things) continues to grow, which in turn expands your organization’s attack surface. That’s because the more “things” you connect to your business network, the more data is collected and the more endpoints there are to safeguard. According to the Gartner Group, “By 2018, digital business will require 50% fewer business process workers and 500% more key digital business jobs, compared with traditional models. By 2018, the total cost of ownership for business operations will be reduced by 30% through smart machines and industrialized services.”
The scale of security risks in the IoT era is therefore much greater than in the pre-IoT environment, and the "attack surface" is much larger. According to HP Security Research, “Almost 90 percent of the (IoT) devices collect personal information such as name, address, date of birth, email, credit card number, etc., in an un-encrypted format, stored in the cloud and processed by big data, thus endangering the privacy of users.” By 2020 there will be over 26 billion devices connected to the IoT. How will this impact your organization? How many IoT endpoints will have access to information you “control” and thus have the responsibility to secure? With a limited availability of adequate security skills, how should risk management leaders work with cybersecurity consultants? What are the IoT security solutions on the market today, and how do you pick the best one for your organization?
A Prime Example - Smart City Projects Based on IoT
Smart city projects are spreading across regions at a fast pace. These projects are integrating IoT, API technology, and security-related elements from utility, automotive, and manufacturing industries, as part of advanced metering infrastructure, connected cars, and smart home initiatives. This will lead to the proliferation of devices and applications processing sensitive data. A recent Gartner report predicts that: “The compound spend on IoT security relating to government, utility, building and facilities automation, and manufacturing will continue to grow. From a design and economics perspective, the balance of spending between IoT endpoints and IoT gateways will shift toward a gateway-centric deployment model over time. We project that 2019 will be the tipping point at which gateway security spending surpasses endpoint security spending.” This trend highlights a problem because IoT Gateways aggregate sensor data, translate data among protocols, and perform processes on sensor data before sending it to other devices or applications. Therefore, the gateways become a potential weak link in data security, where decrypted data might be intercepted. This means that you have to plan on integrating not just endpoint protection into your IoT security fabric, but also the gateways.
Current Security Solutions Aren’t Good Enough
IT teams are inundated with a heterogeneous mix of security tools, applications, and processes to protect against infiltration. Adding thousands of IoT devices to the network will only add to the headache of managing security. Juanita Koilpillai, President at Digital Risk Management Institute, outlines the current challenges that need to be addressed:
- VPNs don’t scale and once inside the network there is no control over what users can access without additional tools.
- Authentication with multi-factor vs. multi-level is hard to implement as described in the guidelines.
- ID Management is typically not tied to access control.
- Key Management – there are too many user keys, device keys, encryption keys to effectively manage.
- Firewalls are static and the more rules that are added, the more maintenance they need; logs are hard to analyze in real-time; onboarding applications is a long process; and services are not just exposed to one user.
- Vulnerability/Patch Management is increasingly unwieldy due to the increasing number of vulnerabilities that are hard to prioritize, while IT is held hostage by old/legacy applications that are hard to upgrade to keep current with maintenance contracts.
IoT Attacks Continue to Rise – What Can Be Done?
By its very “newness” and distributed nature, the IoT is subject to attacks for a variety of reasons, including improper installation and operation of code and devices, and the limited availability of experts in IoT security protocols.
IoT Attacks Continue to Rise Due to Improper or Unsafe Operation
IoT applications and devices are susceptible to malicious code modifications, bypassing of controls, and tampering with data integrity, resulting in:
- Information Exposure or Loss – IoT applications/devices can reveal protected private information, encryption keys, and credentials.
- Intellectual Property (IP) Theft – Unprotected IoT applications and devices expose embedded, proprietary algorithms that can easily be analyzed, stolen, or pirated.
- Exposure of Unknown Vulnerabilities – Patching thousands of diverse IoT devices is challenging, especially when battling zero-day malware.
Mandeep Khera, a thought leader in Web Application Security, suggests 3 ways to prevent exposure to unknown vulnerabilities and make it more difficult for hackers to reverse-engineer, analyze, or exploit code:
- Build security in at the design phase.
- Bake security controls into IoT apps before release – so they can defend themselves in the highly distributed, untrusted IoT environment.
- Cover not just the app but also the APIs, the devices, and servers – protect all layers to eliminate weak links.
Limited Availability of Security Skills Creates Consultant Demand
The threat caused by the limited availability of internal IoT security skills is also changing the manner in which IoT systems are managed and operated. Some immediate relief can come from workload automation and more cognitive security controls, but these will only go so far. To fill the gap, risk management leaders will need to partner with IoT security consultants and product vendors. Note that most IoT security products from established IT security vendors or small/midsize new entrants are only in their development or proof-of-concept stage. While vendors are working on improving their product and service offerings, IoT security and risk management leaders should work with IoT security consultants to:
- Assess integration points in their networks for IoT implementations
- Determine gaps in capability and infrastructure
- Assess risk exposure from IoT-related initiatives and assess their organization's security posture
When traditional security measures cannot be implemented to protect IoT implementations, the next best step is to utilize endpoint security. The goal is to protect IoT devices (endpoints) in cases in which traditional authentication and cryptography cannot be implemented, because of IT resource constraints and because long device life cycles outlive the effectiveness of older encryption and key lengths.
Selecting an IoT Security Solution
IoT security and risk management leaders selecting an IoT security solution will have to justify the investment by evaluating the benefit of improved visibility and increased control of the organization's risk exposure. For IoT security, cloud-based security services are cost-effective and scalable. Indeed, the potential vast scale of many IoT deployments will drive market changes in how security monitoring, detection, and response take place. Cloud-based security services will play an indispensable role in providing IoT security due to the scale of services required. IoT will not be viable in the long term without cloud-delivered security. Gartner foresees that: “Through 2020, 95% of cloud security failures will be the customer's fault. By year-end 2018, 50% of organizations with more than 2,500 users will use a Cloud Access Security Broker (CASB) product to control SaaS usage, up from less than 5% today. By 2020, 85% of large enterprises will use a CASB product.”
IoT Security Product Vendors
IoT Security product vendors, with varied levels of consulting and professional services capabilities, include embedded trust vendors that provide a hardware root of trust — that is, a foundation to secure many functions at the endpoints. IoT implementation leaders should use a scenario-driven approach in selecting discovery and provisioning solutions. They should not attempt to acquire a "one size fits all" product or service at this stage.
Use an Asset Discovery solution to detect IoT devices in enterprise networks when these devices are part of proprietary or non-IT-standard engineering networks, or if they aren't continuously connected. Build an effective IoT "asset database" complete with attributes and entitlements for access by those devices (a major requirement of identity and access management as well as IT asset management [ITAM] systems). Here again Gartner posits that: “Evaluators and buyers of IoT security products are security and risk management leaders who are trying to establish end-to-end trust — from chip to cloud — in their IoT use cases across all industry verticals and domains. Multiple and wide-ranging IoT security technology providers are evolving to address these technical requirements and the business opportunities.”
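As an added illustration (not from the original article or any vendor's product), the sketch below reconciles observed network flows against an asset database that records attributes and entitlements per device, flagging devices missing from the inventory and traffic outside a device's entitlements. The record layout, device identifiers, addresses and flow tuples are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    device_id: str   # hypothetical inventory key (here: a MAC address)
    kind: str        # attribute: device type
    owner: str       # attribute: responsible team
    entitlements: set = field(default_factory=set)  # allowed (destination, port) pairs

# Constructed sample inventory
ASSETS = {
    a.device_id: a for a in [
        Asset("00:11:22:aa:00:01", "hvac-sensor", "facilities", {("10.0.5.10", 8883)}),
        Asset("00:11:22:aa:00:02", "badge-reader", "physical-security", {("10.0.6.20", 443)}),
        Asset("00:11:22:aa:00:03", "smart-meter", "utilities", {("10.0.5.10", 8883)}),
    ]
}

# Constructed flow observations: (source device id, destination, port)
FLOWS = [
    ("00:11:22:aa:00:01", "10.0.5.10", 8883),  # entitled
    ("00:11:22:aa:00:02", "10.0.6.20", 443),   # entitled
    ("00:11:22:aa:00:02", "10.0.9.99", 22),    # outside the device's entitlements
    ("00:11:22:bb:00:09", "10.0.5.10", 8883),  # device not in the inventory
]

def reconcile(assets, flows):
    """Compare observed flows with the asset database and return findings."""
    findings = {
        "unknown_devices": set(),      # seen on the network, absent from inventory
        "violations": [],              # known device, destination not entitled
        "not_observed": set(assets),   # inventoried, no traffic in this sample
    }
    for src, dst, port in flows:
        asset = assets.get(src.lower())
        if asset is None:
            findings["unknown_devices"].add(src.lower())
            continue
        findings["not_observed"].discard(asset.device_id)
        if (dst, port) not in asset.entitlements:
            findings["violations"].append((asset.device_id, asset.kind, dst, port))
    return findings

if __name__ == "__main__":
    for name, items in reconcile(ASSETS, FLOWS).items():
        print(name, sorted(items))
```

Devices listed under `not_observed` are a review list rather than an alert, since some IoT devices are not continuously connected.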
Cryptographic Key Provisioning and Management for IoT
On the device management side, secure cryptographic key provisioning and management is challenging when large numbers of IoT devices are deployed simultaneously and with mixed environmental characteristics. Gartner suggests that IoT security vendors be able to: “Provide quick, secure, scalable and device-independent identity, access and relationship management experience that customers, partners and suppliers are looking for. Have a means to provision IoT devices by downloading software, patches, updates and other information periodically (a common requirement for security management systems).”
While every organization has a very complex and unique environment, the need to protect your organization from the risks of IoT cyber-attacks is only going to continue to grow. IoT applications and devices can reveal troves of personal information along with a bevy of other sensitive data sets. With unprotected IoT applications and devices potentially exposing embedded proprietary algorithms that can easily be analyzed, stolen or pirated, it is time to secure your entire environment.
As you grapple with integrating the myriad of devices and applications to take advantage of the IoT, you’ll need an open data security platform that is flexible enough to manage the sensitive data of all types being collected, transmitted, and processed by your business systems. Using a platform that keeps the PII, PCI, and PHI data flowing from IoT systems securely stored in the cloud, manages encryption keys, and enables the exchange of sensitive data with third-party service providers will alleviate many of the cyber-threats that will plague the IoT.