The Internet of Things (IoT) is hard at work saving lives, improving health, cutting manufacturing costs, bringing unprecedented conveniences to “smart” homes and more. But with worldwide IoT spending expected to reach $745 billion this year and the number of connected IoT devices expected to total 30 billion by 2020, anyone using these devices faces new challenges of keeping their data systems safe and secure.
“The nature of IoT deployments makes them particularly difficult to secure against cyber threats,” said Brian Partridge, research vice president for Internet of Things at 451 Research.
He notes that IoT projects often straddle operational technology (OT) and essential IT systems.
“When these domains come together driven by IoT, the overall attack surface can increase exponentially,” he said.
IoT got its start without built-in standard security mechanisms, then took off like a shot. Many businesses that want to take advantage of IoT technology worry about its potential to dramatically expand attack vectors across the enterprise. The Ponemon Institute last month reported a dramatic increase in IoT-related data breaches, rising to 26% from 15% in 2017 – and those figures represent just the breaches that companies know about.
Billions of Network Entry Points
The problem is all the “things” in an IoT environment – from a sensor on a machine to a thermostat – connect to a network, making them potential entry points for a hacker.
Surveys by 451 Research reflect enterprise concern. Asked to rank which technologies or processes they considered for current or planned IoT initiatives, 55% of more than 600 respondents to a 2018 survey ranked IoT security as a top priority. In an earlier 451 Research survey, 64% of respondents said they were most concerned about poor authentication of IoT endpoints such as sensors and network modules, while 63% cited unsecured enterprise IoT applications and vulnerabilities in how end-users access their IoT devices and applications.
The good news is organizations ranging from the IEEE, Microsoft and Cisco to security consultants like Kudelski Security are offering detailed IoT security architectures, full of best practices and advice for practical IoT security protections.
This advice suggests that countering the threats requires a multi-pronged approach: one that covers the endpoints – the “things” in an IoT deployment – as well as a multi-tiered architecture similar to the “defense in depth” approach that has long been essential to enterprise security.
Securing ‘Things’ or Limiting Bandwidth
In its “Internet of Things (IoT) Security Best Practices” white paper, the IEEE shares lots of advice for protecting the myriad things in an IoT implementation, but not all of it is practical. Making devices accessible only to a few authorized staffers, asking device manufacturers to restrict modifications to device firmware to those with a digital signature, and deploying two-factor authentication on IoT devices are a few examples that many enterprises may be limited in their ability to follow.
But another IEEE recommendation is certainly practical for any enterprise: limiting the bandwidth available to devices.
One of the major threats from an IoT implementation is an intruder using IoT devices to launch a distributed denial of service (DDoS) attack, unleashing a torrent of data traffic against servers or web sites. This is the method employed in the 2016 attack that took out DNS provider Dyn, disrupting Internet service for millions. It was based on the Mirai botnet, which was “built out from a rag tag collection of Internet of Things (IoT) related devices … from home routers to digital video recorders,” as Forbes reported.
Most IoT devices “are made of commodity components that have vastly overpowered network capabilities for the function they are supposed to perform,” the IEEE white paper says.
“Vendors should use hardware and kernel-level bandwidth limitations to throttle network transmission rates to levels reasonable for the tasks of each device,” IEEE stated. But enterprise network architects can do the same thing, either by limiting bandwidth by design or using network management tools to throttle traffic if it exceeds a predefined threshold.
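As an added illustration of the throttling idea (this is example code, not from the IEEE paper or any vendor tool): the script below reads constructed flow-export records of the form "epoch_seconds,source_ip,bytes_sent", aggregates each device's outbound bytes into one-second buckets, and compares the peak against a per-device-class limit. The inventory, class limits and flow lines are all assumed sample data; a thermostat that suddenly pushes megabytes per second is exactly the kind of device a network management tool should throttle or quarantine.

```python
"""Flag IoT devices whose outbound traffic exceeds a per-class bandwidth limit.

Constructed example: flow records "epoch_seconds,src_ip,bytes_sent" are
aggregated into fixed one-second buckets per device, and the peak bucket is
compared with a limit chosen for the device's class. Devices over their limit
(and devices not in the inventory at all) are reported for throttling.
"""
from collections import defaultdict

# Hypothetical device inventory: IP -> device class (constructed sample data).
INVENTORY = {
    "10.20.0.11": "thermostat",
    "10.20.0.12": "thermostat",
    "10.20.0.20": "dvr",
}

# Bytes per second considered reasonable for each class (assumed values).
CLASS_LIMITS_BPS = {
    "thermostat": 2_000,     # periodic telemetry only
    "dvr": 2_000_000,        # video upload
}

# Constructed flow export lines: epoch seconds, source IP, bytes sent.
SAMPLE_FLOWS = """\
1700000000,10.20.0.11,180
1700000001,10.20.0.11,190
1700000001,10.20.0.12,175
1700000002,10.20.0.12,900000
1700000002,10.20.0.12,850000
1700000003,10.20.0.12,1200000
1700000003,10.20.0.20,1500000
1700000004,10.20.0.20,1800000
1700000004,10.20.0.99,500
"""


def parse_flows(text):
    """Yield (second, ip, bytes) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ts, ip, nbytes = line.split(",")
            yield int(ts), ip, int(nbytes)
        except ValueError:
            continue  # malformed record; in production, log and count it


def bytes_per_second(flows):
    """Aggregate bytes into per-device, per-second buckets."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, ip, nbytes in flows:
        buckets[ip][ts] += nbytes
    return buckets


def peak_rates(buckets):
    """Highest one-second byte count seen for each device."""
    return {ip: max(per_sec.values()) for ip, per_sec in buckets.items()}


def find_violators(peaks, inventory=INVENTORY, limits=CLASS_LIMITS_BPS):
    """Return {ip: (class, peak_bps, limit_bps)} for devices over their limit.

    Devices missing from the inventory get class "unknown" and a limit of 0,
    so any unknown device that sends traffic is flagged for review.
    """
    violators = {}
    for ip, peak in peaks.items():
        dev_class = inventory.get(ip, "unknown")
        limit = limits.get(dev_class, 0)
        if peak > limit:
            violators[ip] = (dev_class, peak, limit)
    return violators


def analyze(text=SAMPLE_FLOWS):
    """Run the whole pipeline over a block of flow records."""
    return find_violators(peak_rates(bytes_per_second(parse_flows(text))))


if __name__ == "__main__":
    for ip, (cls, peak, limit) in sorted(analyze().items()):
        print(f"{ip} ({cls}): peak {peak} B/s exceeds limit {limit} B/s")
```

In the sample data the second thermostat (10.20.0.12) is flagged because its 1.75 MB/s burst is far above the 2 KB/s its class is given, while the DVR stays within its much larger allowance; the design point is that the limit follows the device's function rather than a single network-wide number.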
Another practical idea the IEEE recommends is to divide IoT networks into segments using virtual LANs and/or IP address ranges. The idea is to use firewalls to create security zones representing different network segments, with the firewall controlling what traffic can pass between segments. Such a strategy could isolate sensitive data, such as customer financial data, from all but authorized users, and it could separate OT and IT networks in an industrial environment.
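The segmentation idea can be checked as a policy before it is pushed to a firewall. The example below is added here and is not IEEE or Kudelski code: it defines zones as IP ranges (one per VLAN), a default-deny allowlist of which (source zone, destination zone, protocol, port) combinations may cross between segments, and evaluates a set of constructed flows against it. Zone ranges, rules, hosts and flows are all assumed sample values.

```python
"""Evaluate flows against a zone-based segmentation policy.

Added illustration of splitting an IoT network into segments (VLANs / IP
ranges) with a firewall deciding what crosses between them. The zone ranges,
rules and flows are constructed sample data, not a real deployment. Policy is
default-deny between zones; only listed (src_zone, dst_zone, protocol,
dst_port) tuples are allowed, and traffic inside one zone is left alone.
"""
import ipaddress

# Assumed segmentation: each zone maps to its VLAN's IP range.
ZONES = {
    "IOT": ipaddress.ip_network("10.20.0.0/24"),      # sensors, thermostats
    "OT": ipaddress.ip_network("10.30.0.0/24"),       # PLCs, HMIs
    "IT": ipaddress.ip_network("10.40.0.0/24"),       # collectors, workstations
    "FINANCE": ipaddress.ip_network("10.50.0.0/24"),  # customer financial data
}

# Allowlist of inter-zone flows. Anything not listed here is dropped.
# A port of None means "any port" for that protocol.
ALLOW_RULES = [
    ("IOT", "IT", "tcp", 8883),       # MQTT over TLS to the IT collector
    ("IT", "OT", "tcp", 22),          # administrators' SSH into OT
    ("IT", "FINANCE", "tcp", 443),    # authorised IT apps reach finance API
]


def zone_of(ip):
    """Return the zone name containing ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, dst_port):
    """Return ("ALLOW" | "DROP", reason) for a single flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "DROP", "address outside any defined zone"
    if src_zone == dst_zone:
        return "ALLOW", f"intra-zone {src_zone}"
    for rs, rd, rp, rport in ALLOW_RULES:
        if (rs, rd, rp) == (src_zone, dst_zone, proto) and rport in (None, dst_port):
            return "ALLOW", f"rule {rs}->{rd} {rp}/{rport}"
    return "DROP", f"no rule permits {src_zone}->{dst_zone} {proto}/{dst_port}"


# Constructed flows: (src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.40.0.5", "tcp", 8883),   # thermostat -> collector
    ("10.20.0.11", "10.50.0.8", "tcp", 443),    # thermostat -> finance API
    ("10.20.0.11", "10.30.0.2", "tcp", 502),    # IoT device -> PLC
    ("10.40.0.7", "10.30.0.2", "tcp", 22),      # IT admin -> PLC via SSH
    ("10.40.0.7", "10.50.0.8", "tcp", 443),     # IT app -> finance API
    ("10.20.0.11", "10.20.0.12", "udp", 5353),  # same VLAN
    ("192.168.1.9", "10.40.0.5", "tcp", 8883),  # source in no defined zone
]


def audit(flows=SAMPLE_FLOWS):
    """Return a list of (flow, verdict, reason) for every flow."""
    return [(f, *evaluate(*f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, reason in audit():
        print(f"{verdict:5} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {reason}")
```

The two flows the article cares about are the ones that fail: the thermostat reaching the finance API and the IoT device reaching the PLC are dropped because no rule spans those zones, while the same thermostat's MQTT session to the IT collector passes. Keeping the rules as explicit tuples also makes the policy easy to review or diff before it becomes firewall configuration.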
A Reference Architecture for IoT Security
Kudelski offers a detailed reference architecture for IoT security that’s full of security best practices. It recognizes that enterprises can’t always guarantee the security of IoT end devices and essentially follows a defense-in-depth approach.
The architecture covers four layers:
Device Layer, consisting of IoT hardware, software, sensors and actuators.
Communication Layer, which defines the communication protocols, network technologies, and communications service providers necessary for the IoT system, as well as any necessary security protocols.
Cloud Platform Layer, which includes all web-based services and cloud infrastructure as well as the intelligence that provides competitive advantage. This layer also describes how data flows throughout the network and where it’s stored.
Process Layer focuses on how the organization integrates IoT projects with governance, operations, management processes, and line-of-business systems.
Various security products and disciplines are included in each layer, with some – such as “people, process and procedures” – spanning all layers.
A Challenge to Vendors
It’s still early in the IoT evolution, but up to now it appears security was not at the forefront as companies were building IoT solutions, certainly not in the end devices, or “things.” The IEEE is essentially challenging vendors to step up their game by building in capabilities like encryption and tamper-resistance.
In the meantime, a defense-in-depth strategy like the one Kudelski recommends is a sound approach.
Paul Desmond is a contributing writer. He is co-founder and principal of Saratoga B2B group and formerly an editor at IDG’s Network World, Redmond magazine and Redmond Channel Partner magazine.
© 2019 Nutanix, Inc. All rights reserved.