Mitigating enterprise IoT security risks
One of the biggest risks posed by businesses in the digital age is that posed by cyberattacks. Keeping your data secure and out of the hands of bad actors is obviously paramount, but the potential risk increases with every digital touchpoint added. While many agree that digital transformation brings huge benefit to almost all aspects of business, the increased vulnerability brought by digital should not be ignored.
For many businesses, IoT is at the center of the plan for digital transformation and like any technology, with the benefits come the risks. In the case of IoT, there will likely be data stored in several locations — on devices, within applications and on servers where data is stored and processed. As well as data being stored, there is also the communication of data and the control of IoT devices to be considered.
This year, worldwide IoT security spending is predicted to reach $1.5 billion, a 28% increase on 2017 ($1.2 billion). This is hardly surprising, given that nearly 20% of organizations surveyed by Gartner observed at least one IoT-based attack in the past three years. On top of this, horror stories like the Mirai botnet have shown us that not only do hackers want to get at your data, they may also want to use your devices to do their dirty work.
The “Global State of Information Security Survey 2018” by PwC found that 29% of respondents reported loss or damage of internal records as a result of a security incident. The report states, “cyberattacks that manipulate or destroy data can undermine trusted systems without the owner’s knowledge and have the potential to damage critical infrastructure.”
The IoT security knowledge gap
As is the case with any emerging technology, IoT brings new challenges to organizations. There is confusion over standards, policy and governance, and at this stage, “best practice” seems like it is a million miles away. On top of this, there is a global skills gap in cybersecurity further compounding the problem for businesses trying to integrate IoT within their organization. According to a report last year by the Center for Cyber Safety and Education, the global shortage of cybersecurity professional appears to be worsening, with the latest figures suggesting 1.8 million information security-related roles will remain unfilled worldwide by 2022.
Connecting legacy systems not designed for connectivity
Due to the interconnectedness of formerly isolated systems, the internet of things brings a whole host of new threats to the organization. And as the ecosystem grows, and technological advancement continues, this problem is only going to get worse. What is secure now might not be secure tomorrow, and the IT department, as expert as they may be at keeping your business network secure, will need to continually update and refresh their skill set to maintain true network resilience.
Of course, this isn’t much different to how IT and infosec work today; however, IoT could increase the number of devices under the control of the IT department by orders of magnitude. On top of this, the currently fragmented nature of IoT also means that IT teams will need to learn new architectures, programming languages and, in the near future, will likely face new engineering challenges that we couldn’t even dream of today. In simple terms, your IT team will need to learn more and learn faster.
Security at what cost?
With businesses already trying to minimize the cost of hardware and connectivity to make deployment viable, for some, the added cost of security might seem like a prohibitive factor. According to a survey by Cisco last year, budget overruns were stated as one of the main factors causing IoT projects to fail. Bearing in mind that the number of devices requiring support could run to thousands or even millions for some organizations, bulletproofing the IoT network might not be possible due to high cost per device.
It’s important for businesses to weigh up the cost of security against the risks before deployment. Special consideration should be given to security in the design phases of a project. This will not only give a better idea of the total cost of deployment, but may also highlight different ways of achieving security at a lower cost to the business.
Breaches will happen
Breaches are inevitable. For this reason, you must assume that at some point in the near future your business will come under attack. It’s also worth bearing in mind that with so much of our business data being in the hands of other organizations, attacks and exploits may happen on systems that are outside of the control of the IT department. It’s simply not enough to lock your systems down and hope nobody gets in. Creating a secure network is only half of the picture. Every node, device and touchpoint on the network could be a potential access point. Ask yourself the following question: Is the data at this access point useful to an attacker?
No matter how good their network security might be, businesses need to have a plan of action for when that security fails. Because it will fail.
Guiding principles of IoT security
With a lack of cohesive standards, it’s hard to see where to start when it comes to securing the IoT network. Rather than simply building a big wall and hoping for the best, businesses need to dial into the devices and data. A strategic approach to IoT security needs to start with asking the right questions. The Internet of Things Security Foundation poses the following questions to consider when assessing the security requirements of your network:
Does the data need to be private?
IoT devices and networks trade in data — storing it and communicating it to and from other devices and internet applications. In cases where personal or sensitive data is concerned, consider this when storing or transmitting it. Where possible, make sure personalized or sensitive data is kept securely, and that security is appropriate for the types of potential threat and consider depersonalization of data wherever possible. Also, bear in mind the other systems to which your devices are connected. Could an attack on one of these systems expose the sensitive data at the edges of your network?
Does the data need to be trusted?
Where the integrity of data is key to mission-critical operations, businesses need to ensure that data cannot be corrupted or interfered with in transit and must ensure that only the right data reaches the right destination. Poor quality data could be the result of a faulty device, misconfiguration or a malicious attacker. As such, this data may adversely affect other parts of the IoT network. Building in a way to identify and isolate these devices quickly and securely will help mitigate against these risks.
Is the safe and/or timely arrival of data important?
In scenarios where the safe or timely arrival of data is important, businesses need to build in quality assurance measures to make sure that important data cannot be missed. These measures may include accurate timestamping of data to ensure that devices and users know how fresh the data is when it arrives.
Building quality of service (QoS) into the messaging between your devices and your IoT platform is another way to ensure data integrity. Platforms which use MQTT are advantageous in this scenario due to its built-in QoS.
Is it necessary to restrict access to or control of the device?
If a hacker gains access to one of your devices, he could potentially steal sensitive information or take control of the device itself. Ensuring that devices can only be accessed through secure, authenticated channels can help to mitigate these risks. Vulnerabilities at this level can also be reduced by building secure access in at the design stage, using secure coding standards and employing penetration testing.
Is it necessary to update the software on the device?
Out-of-date software can introduce security vulnerabilities and could also affect the reliability of data coming from devices. Businesses must make sure that software is updated in line with best practices without negatively impacting the functionality of the device. Making sure that updates can only be applied from a secure and trusted source will further reduce the likelihood of an attack on this vector.
Will ownership of the device need to be managed or transferred in a secure manner?
In situations where the device is tied to an end user, ownership of that device and/or some of the data may need to change hands. Ensuring that this can be done in a safe and secure way is highly important.
Does the data need to be audited?
Depending on the application, IoT services may require auditing, either internally or to meet the requirements of a regulatory body. IoT networks should be designed with this in mind, allowing secure, managed access to IoT data where appropriate.
Future-proofing IoT security
Given the rate of technological advancement in the field of IoT and technology in general, it would be impossible to predict the kinds of cybersecurity threats faced by the enterprise in 10 or even just five years. This is not a new problem for the IT department. As with the rest of the business IT infrastructure, an IoT network needs regular maintenance. This includes ensuring that network devices are always kept up to date and in fully working order. This can be helped by programming devices to report their health when something isn’t right. For example, if a device can’t find an update or hasn’t updated after a period of time, the network admin could be notified, and steps could be taken to solve the problem.
Act now
The next few years will be interesting for the internet of things, as new opportunities and threats will continue to change the landscape. Staying on top of security, making sure yours or your customers’ data is safe and keeping your devices under control are going to be essential going forward. It’s important that businesses start taking a strategic approach to IoT security right now. Those that fail to do this will almost certainly pay for it in the long run.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.