When I think of Internet of Things (IoT) security, I think of sending a kid off to college. You send them off with the best intentions, hoping they will make the right decisions, attempting to correct them with limited information when they mess up, but ultimately, they are essentially on their own. When they fail, someone says, "See, I told you so!" Unfortunately, this is how most IoT providers, especially platform providers, approach cybersecurity at the edge. Over the past several years, I have worked with dozens of IoT providers—vendors, smart city developers, and intelligence agencies—to implement and validate cybersecurity strategies at the edge. One of the most common threads among them is the desire to focus on outcomes (a reactive stance) rather than to be proactive about the threats they are facing.
Most security organizations naturally focus on the process of cybersecurity, meaning they check the box from a process and regulatory perspective while not preparing for the real-world practice of cybersecurity. From an IoT perspective, cyber-process is mostly an exercise in cyber-ignorance. Further, with more data processing, machine learning, and autonomy at the edge, organizations are forced to take on more responsibility to ensure the integrity of their data regardless of its state.
Security at the edge is a daunting task, but a successful program combines both technology and human intervention. Companies like Qualcomm, Intel, Cisco, Microsoft, HPE's Aruba, and SecuriThings are bringing solid security technology to the edge. Hybrid service providers like Trustwave, IBM QRadar, Microsoft Azure, and AT&T (with its recent acquisition of AlienVault) are delivering some very promising technology/people-based solutions.
When implementing an IoT security program, there are a few things organizations can do to avoid pitfalls:
- Distributed intelligence. Most organizations manage IT and security in a centralized silo. By nature, IoT is distributed, and security must be managed as such. Adopting a distributed approach requires intelligence to be shared between devices, networks, and their constituents.
- Simulate and virtualize potential threats. It is essential to understand what your devices, applications, and the network will do under duress within the IoT network. By using machine-learning-based virtualization platforms, organizations can get deeper insight into the demands that potential IoT deployments may put on their network, especially from a security perspective.
- Understand the threat landscape. IoT delivers a threat vector that most organizations are not equipped to respond to. Patch management, unencrypted firmware updates that are not signed, and updates not sent over secure channels create a significant security challenge. Furthermore, devices that do not leverage standard communications protocols like SPI (Serial Peripheral Interface) or I2C can give an attacker the ability to breach devices at the edge. Finally, weak local encryption, hardcoding, and/or the lack of a secure password policy are far too common and make a very attractive attack vector.
Even if organizations work to mitigate as much risk as possible, they typically do not do what is needed to deploy an incident response and remediation policy in time. IoT creates another challenge entirely. However, companies MUST begin practicing security hygiene, especially within an IoT environment. Many companies invest millions of dollars in security programs, especially security information and event management (SIEM) systems, only to never implement them in their infrastructure. Either that or they simply "connect" these tools within their network environment. From an IoT perspective, not understanding how your network and infrastructure will perform within an IoT environment is a recipe for disaster. It's a liability that can cost your company data, revenue, brand, trust, and, most importantly, your job.