The Internet of Things may be a proliferation of computers, but the approaches to computer security we are all familiar with are insufficient for, indeed incompatible with, the requirements of IoT system operators. Absent an approach to security that takes these differences into account, IoT devices are a double-edged sword against which enterprises have no serious defense.
Dumb Things Made Smart (Not Secure)
At its essence, an IoT device is an embedded device that can connect to a network. Your mobile phone is a type of IoT device. Late model cars are rolling IoT devices. The “smart” devices in your house are IoT devices. All of these things were at one time “dumb,” which is to say they required a human to function at all. Thanks to our ability to make things “smart,” your thermostat learns how hot or cold you like it in your house, and cars increasingly drive themselves.
The benefits associated with the growth of the IoT are obvious; less well understood are the risks. The IoT generates epic amounts of data that can be analyzed to extract insight and value. At the same time, it is also data that can be stolen, manipulated, and exploited.
Once a few stories about IoT device vulnerabilities hit the news cycle, the pundits declare the need to ‘bake in’ security to IoT devices, perhaps not realizing just how prolific IoT devices are already, or that millions more IoT chips are being made and shipped to device manufacturers every month. There is no 'baking in' security for IoT; that ship has sailed. IoT is going to have security bolted on after the fact like PCs. The goal now is to make sure you are bolting on capabilities designed for IoT, not PCs.
What’s Old is New Again, and Just as Broke
Commodity IT security vendors trying to make headway in the IoT space usually fail. You would think the opposite would be true given that a great many IoT devices are really PCs underneath. Outdated, unpatched, vulnerable PCs, albeit with some specialized logic on top.
However, the presence of a PC operating system in an IoT shell does not mean that security approaches that work for PCs will work for IoT devices. Consider the basic approach to dealing with the presence of malicious code on a PC: quarantine, disconnect, clean, and reconnect. That’s all well and good unless the device in question happens to be a heart-lung machine keeping someone alive during surgery.
IoT-rich environments are very high-risk environments, and the negative impacts of failure can be grave - literally. These are environments where critical decisions are not left up to machines, but to subject matter experts who train to deal with system failures. They (individually and their respective industries) are not about to surrender their decision-making responsibility to tools or methodologies that are designed for generic office environments.
A Sound Approach to IoT Security
When considering how to reduce the risk that the IoT devices in your enterprise will lead to disruption or tragedy, it is important to screen proposed solutions to ensure they do not do more harm than good:
Up-Time Not Off-Line. As mentioned previously, IoT devices can be connected to people; they can be inside people. Even when compromised, an IoT device can still function, but at a much higher level of risk. The only thing that should decide if something keeping you alive should be switched off is another human, and that decision should include factors no computer can process.
Endless End-Points Not Resources. Your average IoT device measures memory in kilo- not gigabytes. Bandwidth in a plant could be a fraction of what you find in an office building. Approaches that assume PC-environment resources are a non-starter.
Scale. Economically. A hospital may have tens of thousands of IoT devices. A manufacturing facility may have just as many, some as large as a car or small enough to fit in your hand. Solutions must handle that kind of volume and diversity of data, from multiple locations, in real-time, and in a cost-effective manner.
Why DPI? Deep packet inspection places a heavy burden on the network. It also impacts privacy. DPI on devices connected to patients in a hospital is accessing the most sensitive and personal data available. Do your security goals for IoT devices really require DPI, or is that legacy thinking that doesn’t really add value?
Green to Red. Without machine learning, we cannot hope to defend against the unknown, but machine learning is not a panacea. The knowledge of when to make a decision is something a computer can do far better than a human can; the decision to take action and what that action should be should rest solely in the hands of a human.
Understand the Abnormal. Alert fatigue is a serious problem, to the point where some security teams ignore all but the most severe alerts. Given that all alerts are important, and alerts associated with IoT devices could impact lives, it is critical that the solution you choose knows what merits attention.
Your Screen, My Screen. No solution should require you to look at yet another screen. Your security team already has to log into a dozen or more systems, so if you’re considering a tool that doesn’t integrate with your SIEM, you’re throwing a drowning man a brick.
Extensibility. You have already invested a lot of money in firewalls, IDS, and other security tools. An ideal IoT security solution should extend the utility of those tools to your IoT devices. You should not have to reinvent the wheel and pay for it.
Consider the Source. Experts in PC-centric security approaches have a wealth of experience and knowledge. But that is of limited use when you’re dealing with IoT devices. In-depth knowledge of how IoT devices work, and experience researching device vulnerabilities, are all more useful when it comes to developing a security strategy, and the tactics necessary for that strategy to succeed.
The IoT has been around longer than most realize, and its impact on our lives has already been significant. That significance is only going to grow, and the ubiquitous nature of the IoT means the impact of security shortcomings will be far worse than any PC-based compromise to date. Find out how Senrio can help you address these problems in an effective and efficient manner.