IoT Security Challenges: Why Enterprise Must Assess Them Now
IoT security challenges are presenting new problems for enterprise to solve. The extended lives of IoT devices as well as network access and privacy issues mean the solutions will have to be as unique as the problems.
Enterprise dependence on the Internet of Things (IoT) is growing, not just as a means to push services to users but to maintain links to employees, partners, contractors and even competitors. But concern is growing that organizations are rushing to reap the rewards of the IoT without fully comprehending its risks or taking steps to address even basic security challenges.
If the past few years have shown anything, it is how vulnerable our data and critical systems are to theft and manipulation. Organizations that do not take bold steps to protect user privacy and ensure that systems are operating in a protected environment run the risk not only of severe loss of business and damage to reputation but civil and even criminal penalties as well. (Read also: Data Breach Notification: The Legal and Regulatory Environment.)
IoT Security Considerations
Pushing the network edge to the IoT and beyond, however, increases security threats by dramatically increasing the number and variety of attack vectors that criminals can exploit to break into vital systems - it expands the attack surface. The top prizes are data "at rest" within storage systems and data "in motion" across network and processing resources, not to mention the management and metadata that can be used to take systems offline or crash them entirely.
IoT World Today’s Chuck Martin notes that the rapid and dramatic scale of the IoT is increasing the need for greater security on the edge, while at the same time adding to the complexity and cost of the challenge. With some 50 billion IoT units projected to be online by the end of the year, fairly routine tasks like discovery and monitoring are placing significant burdens on IT departments around the world. (Read also: Simple Ways to Improve IoT Security.)
At the same time, security policy enforcement becomes more daunting, not just due to the rapid scale of the expansion but the fact that even established devices are in a constant state of configurational change as data flows produce shifting demands in network dependencies, resource allocation and other factors.
Given this hectic environment, the best time to establish a dynamic and flexible IoT security regime is now, says Appknox CEO Harshit Agarwal. The longer this process takes, the more difficult it will be for organizations to even see what needs to be secured, let alone do it in an effective and efficient manner. To start, organizations should ensure that existing IoT platforms provide the proper encryption, data management, privacy and other features needed to deliver robust service without putting data or users at risk. And since many IoT devices will be located outside, they must be hardened against the elements as well as theft and tampering.
One of the more effective ways to accomplish these goals is to use a blockchain-based detection system rather than a traditional DNS. We only need to look at the Facebook outage in October, 2021 to understand the vulnerabilities of DNS-based networking. A blockchain-based detection system offers a number of benefits over traditional DNS-based systems. The mechanisms of the protocol are designed to detect even the slightest change in networked devices, making it ideal for safeguarding IoT networks.
A hybrid access management system provides a robust means to converge IT infrastructure with OT (Operational Technology) infrastructure to ensure there are no exploitable gaps between the two. Organizations should also keep a careful eye on firmware, particularly on network controllers, to reduce attack surfaces as much as possible.
Extended Lifecycle of IoT Devices
The IoT is different from traditional networks in one other key way, says Dr. Mihai Voicu, CISO and director of product management for Telit IoT Platforms: its devices are expected to have a much longer lifespan, perhaps extending over a decade or more. This means they will require secure two-way, end-to-end communications with the ability to be updated remotely and on the fly to prevent hackers from exploiting vulnerabilities that may emerge over time. This will require constant vigilance not just by the enterprise, but a coordinated effort between vendors, integrators and other stakeholders as well.
Unfortunately, says Aruba Chief Technologist Simon Pamplin, one of the most effective network security architectures on the market today is not available for the IoT. Zero Trust Network Access (ZTNA) has proven to be highly effective at thwarting organized attacks on devices like laptops and mobile phones, but it cannot be installed on the largely agentless devices populating the IoT because they do not have the capacity to support third-party agents. This is not an opinion shared throughout the tech world, however. In MicroTrend, Greg Young argues the opposite: that since these IoT devices are deemed untrustworthy, that is why they need a secure architecture, and that is why IoT devices are the ideal candidate to make use of Zero Trust.
To overcome this limitation, the enterprise must build IoT infrastructure on more advanced network architectures like SD-WAN that allow more centralized security solutions to be pushed out to the edge.
One thing about IoT security is certain: failure is not an option. We are already at a point in which the IoT is providing crucial connectivity for all manner of critical, life-supporting functions – everything from autonomous vehicles to pace-makers. If these devices become compromised, people will die; it’s that simple. We must ask, if IoT security is so important, (and it is) then why is it failing time after time? Looking at enterprise IoT deployments today, it seems the same basic mistakes are continually being rehashed.
It’s a sad commentary on the IT industry that security has traditionally been an afterthought. With the breaches that have hit legacy data infrastructure in recent years, it would be the height of negligence to unleash an entirely new data ecosystem on the world only to see it become easy prey for cybercriminals who seek to profit off of other people’s pain. It’s also important to remember that IoT security is not a hole-in-one sport. It requires ongoing vigilance by both the information security team and the business stakeholders, whose interests are ultimately served by protecting company data.