IOT IS COMING and a lot of IT execs are scared silly. Or maybe it’s more accurate to say they are resigned to their fates.
In a May study of 553 IT decision makers, 78% said they thought it was at least somewhat likely that their businesses would suffer data loss or theft enabled by IoT devices. Some 72% said the speed at which IoT is advancing makes it harder to keep up with evolving security requirements.
Such fears are rooted in reality. Last October, hackers took down Dyn, the company that controls much of the Internet’s domain name system infrastructure using some 100,000 “malicious endpoints” from IoT devices. More recently, the WannaCry ransomware attack crippled some Bank of China ATM networks and washing machine networks. For naysayers, those attacks validated fears that hackers could cause mayhem by commandeering our IoT devices.
At the same time, the IoT industry continues its steady growth path. Gartner predicts that by 2020 there will be some 21 billion IoT devices in existence, up from 5 billion in 2015. About 8 billion of those devices will be industrial, not consumer devices. Both present a juicy target for hackers.
For some, it seems like IoT is a slow-motion wreck playing out in real time. “The reason that the industry hasn’t backed off is the value proposition is very powerful,” said Chris Moyer, CTO and VP-cybersecurity at DXC. “The risk proposition is also very powerful and that’s where the balancing is going on.”
Regardless of the industry’s appetite, IoT isn’t likely to get scale until the industry addresses its security issue. That will take a cooperation among vendors, government intervention and standardization. In 2017, none of those things appear to be on the horizon.
What’s wrong with IoT security
The consensus is that IoT is still under-secured and presents possibly catastrophic security risks as companies trust IoT devices for business, operational and safety decisions. Existing standards are not in place and vendors keep struggling to embed the right level of intelligence and management into products. Add the increasing collaboration among attackers and the it creates a need to address these challenges across a set of dimensions.
Consider what we face with faced with the security of IoT devices;
- Unlike PCs or smartphones, IoT devices are generally short on processing power and memory. That means that they lack robust security solutions and encryption protocols that would protect them from threats.
- Because such devices are connected to the Internet, they will encounter threats daily. Shodan, a search engine for IoT devices, offers hackers an entrée into webcams, routers and security systems.
- Security was never contemplated in the design or development stages for many of these Internet-connected devices.
- It’s not just the devices themselves that lack security capability; many of the networks and protocols that connect them don’t have a robust end-to-end encryption mechanism.
- Many IoT devices require manual intervention to be upgraded while others can’t be upgraded at all. “Some of these devices were built very rapidly with limited design thinking beyond Iteration 1 and they’re not update-able,” said Moyer.
- IoT devices are a “weak link” that allows hackers to infiltrate an IT system. This is especially true if the devices are linked to the overall network.
- Many IoT devices have default passwords that hackers can look up online. The Mirai distributed denial of services attack was possible because of this very fact.
- The devices may have “backdoors” that provide openings for hackers.
- The cost of security for a device may negate its financial value. “When you have a 2-cent component, when you put a dollar’s worth of security on top of it, you’ve just broken the business model,” said Beau Woods, an IoT security expert.
- The devices also produce a huge amount of data. “It’s not just 21 billion devices you have to work with,” said Kieran McCorry, director of technology programs at DXC. “It’s all the data generated from 21 billion devices. There’s huge amounts of data that are almost orders of magnitude more than the number of devices that are out there producing that data. It’s a massive data-crunching problem.”
Taking such shortcomings into account, businesses can protect themselves to a certain extent by following best practices for IoT security. But if compliance isn’t 100% (which it won’t be) then, inevitably, attacks will occur and the industry will lose faith in IoT. That’s why security standards are imperative.
Who will set the standards?
Various government agencies already regulate some IoT devices. For instance, the FAA regulates drones and the National Highway Traffic Safety Administration regulates autonomous vehicles. The Department of Homeland Security is getting involved with IoT-based smart cities initiatives. The FDA also has oversight of IoT medical devices.
At the moment though, no government agency oversees the IoT used in smart factories or consumer-focused IoT devices for smart homes. In 2015, the Federal Trade Commission issued a report on IoT that included advice on best practices. In early 2017, the FTC also issued a “challenge” to the public to create a “tool that would address security vulnerabilities caused by out-of-date software in IoT devices” and offered a $25,000 prize for the winner.
Moyer said that while the government will regulate some aspects of IoT, he believes that only the industry can create a standard. He envisions two pathways to such a standard: Either buyers will push for one and refuse to purchase items that don’t support a standard or a dominant player or two will set a de facto standard with its market dominance. “I don’t think it’s going to happen that way,” Moyer said, noting that no such player exists.
Instead of one or two standards, the industry has several right now and none appears to be edging toward dominance. Those include vendor-based standards and ones put forth by the IoT Security Foundation, the IEEE, the Trusted Computing Group, the IoT World Alliance and the Industrial Internet Consortium Security Working Group. All of those bodies are working on standards, protocols and best practices for security IoT environments.
Ultimately what will change the market is buyers, who will begin demanding standards, Moyer said. “Standards get set for lots of reasons,” Moyer said. “Some are regulatory but a lot are because buyers say it’s important to me.”
Lacking standards, Woods sees several paths to improve IoT security. One is transparency in business models. “If you’re buying 1,000 fleet vehicles, one might be able do to over-the-air updates and the other we’d have to replace manually and it would take seven months,” Woods said. “It’s a different risk calculus.”
Another solution is to require manufacturers to assume liability for their devices. Woods said that’s currently the case for hardware devices, but it is often unclear who assumes liability for software malfunctions.
AI to the rescue?
A wild card in this scenario is artificial intelligence. Proponents argue that machine learning can spot general usage patterns and alert the system when abnormalities occur. Bitdefender, for instance, looks at cloud server data from all endpoints and uses machine learning to identify abnormal or malicious behavior. Just as a credit card’s system might flag a $1,000 splurge in a foreign country as suspicious, a ML system might identify unusual behavior from a sensor or smart device. Because IoT devices are limited in function, it should be relatively easy to spot such abnormalities.
Since the use of machine learning for security is still new, defenders of this approach advocate using a security system that includes human intervention.
The real solution: A combination of everything
While AI may play a bigger role in IoT security than initially thought, a comprehensive IoT solution will include a bit of everything, including government regulation, standards and AI.
The industry is capable of creating such a solution, but the catch is that it needs to do it on a very accelerated timetable. At the moment, in the race between IoT security and IoT adoption, the latter is winning.
So what can companies do now to latch on to IoT without making security compromises? Moyer had a few suggestions:
- Take an integration approach. This is a case where more is better. Moyer said that companies using IoT should integrate management solutions and bring the IoT platform in for primary connectivity and data movement and pull that data into an analytics environment that’s more sophisticated and lets them do a behavioral analysis, which can be automated. “By integrating those components, you can be more confident that what you’ve got from a feed in an IoT environment is more statistically valid,” he said.
- Pick the right IoT devices. Those are devices that have a super-strong ecosystem and a set of partners that are being open about how they’re sharing information.
- Use IoT Gateways and Edge Devices. To mitigate against an overall lack of security, many companies are using IoT gateways and edge devices to segregate and provide layers of protection between insecure devices and the Internet.
- Get involved in creating standards. On a macro level, the best thing you can do to ensure IoT security over the long run is to get involved in setting standards both in your particular industry and in tech as a whole.