Securing IoT involves developers, manufacturers and end users alike
Who's to blame for the IoT security problem: manufacturers creating devices, end users deploying them or governments not creating legislation enforcing security measures?
IoT technologies offer a plethora of benefits and opportunities that are just beginning to be realized. Organizations of all shapes and sizes -- from manufacturing to healthcare to automotive and more -- can collect real-time data to monitor and control their surroundings and power smart cities, factories, buildings, campuses and homes.
These benefits and opportunities, however, can only be truly enjoyed if the devices are properly secured, deployed and configured. Unfortunately, with anything as powerful, new and ubiquitous as IoT, significant risks to safety, security and privacy are all too real.
Historically, securing the few million industrial control devices deployed across utilities and industries was a struggle -- and this was long before they became internet-connected. Now, by some accounts, billions of potentially insecure IoT devices will need to be dealt with in more verticals than ever before. Industrial control engineers and manufacturers of yesteryear may get a pass for mistakes made decades before the advent of industrial control internet connectivity, but the engineers and manufacturers designing today's IoT devices without keeping security in mind can't be excused -- and neither can the end users and enterprises deploying them.
From connected cameras being enlisted in bot armies that deliver devastating distributed denial-of-service attacks to a smart fish tank being the gateway to hacking a casino, the challenges of securing IoT are compounding. Add in lower costs and increasingly simplistic deployment, and security issues abound. Cheaply made, poorly designed and configured, rushed-to-market devices sold with too much capability and little or no security threaten enterprises, industrial organizations and governments. The major question becomes: Just whose responsibility is IoT security, anyway?
Should manufacturers take the blame?
Paul Hager, CEO of Information Technology Professionals, an IT services company, sees manufacturers as the key culprits. "I blame the manufacturer that doesn't take that full-stack Linux IP camera and limit its capabilities," he said. "It is simply unacceptable that they push time to market over commonsense security."
Todd Thibodeaux, president and CEO of CompTIA Inc., a leading nonprofit IT trade association that certifies thousands of professionals in cybersecurity, agreed. "Far too many IoT devices are developed by lazy manufacturers that are including a full stack in the device, thereby allowing them to do things that are just not needed and without any legitimate way to manage vulnerabilities embedded in them," he said.
Overpowering devices with limited requirements and a lack of security is a formula for disaster, according to Stephen DiFranco, principal at IoT Advisory Group. "The more of a stack you put on an insecure device, the more dangerous it becomes," he said.
When asked why IoT security isn't top of mind for manufacturers, Eric Hembree, director of IoT at Ingram Micro Inc., equated it to the cloud computing boom. "Ten years ago, when cloud began its predominance, a lot of people put faith into cloud computing, believing incorrectly that cloud services were secure unto themselves," he said. "Now, with the massive opportunity in IoT, we are watching a similar response. People think it is just a harmless sensor, asking what criminals are going to do with it. In reality, it can often be a significant entry point or be used to attack others externally."
Securing IoT may start with the devices themselves, but developers and manufacturers aren't the only ones to blame. Blatant disregard for traditional IT controls over technology implemented in corporate systems is a growing issue. Executives are complicit when they side with those who have decided IT security is just in the way, and when they encourage people who add devices or services to a corporate system willy-nilly, without knowledge or concern. Likewise, end users need to know their place in keeping connected devices safe and sound -- especially when it comes to changing default passwords and using proper security hygiene.
IoT security responsibility -- the many ways forward
Every security problem has multiple solutions, and the IoT security responsibility dilemma is no exception.
CompTIA's Thibodeaux's answer is to segment IoT devices onto their own network. "We have advocated with our friends at NIST that we need a completely separate network or network architecture," he said. "These devices should simply not live on the traditional IP network freely."
An IoT-specific network would limit concerns for the impacts on the public internet and lower the likelihood of attacks on critical computing functions, IoT Advisory Group's DiFranco agreed.
In the absence of a separate IoT network, maybe it's time to develop an IoT security and device cleanup superfund. A small fee could be applied to every device that would finance the construction, management and security of an IoT-specific network and help clean up those insecure IoT devices already deployed. Those funds could also provide proper configuration and upgrades.
"Businesses and individual consumers should be willing to pay the additional amount needed for the power and convenience of IoT technology," said Steve Cotton, chairman and CEO at FireScope Inc., a SaaS-based security, discovery, dependency mapping and performance monitoring software company. "Whether those monies go into a superfund or IoT-specific security and recycling like other electronics, this could be a very positive intervention."
DiFranco also suggested putting the obligation on internet service provider (ISP) gateways.
"The providers of the home gateway to which we pay a significant amount should monitor these devices' behavior and manage them if they get out of line," DiFranco said. While having ISPs manage this issue may seem logical on some levels, in order for that to happen, ISPs would need to decide exactly what devices should be capable of doing. Yet, the whole point of the open internet is to not have ISPs decide device behavior and block devices when they feel like it.
A policy-based approach to securing IoT is what Ingram Micro's Hembree advocated. "We need policies backed up with teeth that say, 'You must at least follow the NIST framework and work to design security responses specific to IoT,'" he said. This would start with baseline manufacturing expectations, such as limiting capabilities to functional requirements and forcing vulnerability management and security fundamentals, such as default password changes upon device installation.
In the end, it may just be the responsibility of the users of the devices. But will end users pay for added security? DiFranco doesn't think so. "Trying to make a smarter endpoint in the name of security is not going to fit the economic model of affordability," he said. "Frankly, in context of consumers, these devices need to be as dumb and inexpensive as possible, doing only what they are specifically tasked to do."
The onus comes back to the business deploying them. "The one thing I beg and plead for is know thyself. You must know what's in your network and engineer isolation and segmentation into it," said Kyle Hanslovan, founder and CEO of Huntress Labs, an advanced threat detection and cybersecurity intelligence provider for managed service providers and SMBs. "Unfortunately, few administrators are engineers anymore, and we see a lack of deep thought around how to engineer and manage a secure network." This includes forgotten devices that remain connected by their owners, as well as those devices no longer supported by manufacturers -- or, worse, the manufacturers have gone out of business, making secure updating and management impossible.
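One way to act on "know thyself": reconcile what is actually seen on the wire against an asset register and flag the devices that break the controls this article keeps returning to (IoT gear outside its own segment, unchanged default credentials, vendors that no longer support the device, and devices nobody inventoried). This is an added illustration, not code from the article or any company quoted in it; the segment, register and DHCP/ARP observations are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: the isolated IoT segment the article argues for.
IOT_SEGMENT = ip_network("10.20.0.0/24")

@dataclass
class Asset:
    name: str
    iot: bool                       # belongs on the IoT segment?
    vendor_supported: bool          # manufacturer still ships security updates?
    default_password_changed: bool  # default credentials replaced at install?

# Constructed asset register: what the business believes is deployed.
REGISTER = {
    "aa:bb:cc:00:00:01": Asset("lobby-camera", True, True, True),
    "aa:bb:cc:00:00:02": Asset("fish-tank-sensor", True, False, True),
    "aa:bb:cc:00:00:03": Asset("hvac-controller", True, True, False),
    "aa:bb:cc:00:00:04": Asset("finance-laptop", False, True, True),
}

# Constructed DHCP/ARP observations: what is actually on the wire.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.20.0.11"),  # camera, correctly on the IoT segment
    ("aa:bb:cc:00:00:02", "10.10.0.40"),  # sensor has leaked onto the office LAN
    ("aa:bb:cc:00:00:03", "10.20.0.12"),
    ("aa:bb:cc:00:00:04", "10.10.0.7"),
    ("de:ad:be:ef:00:99", "10.10.0.66"),  # never inventoried: a forgotten device
]

def audit(register, observed):
    """Return (mac, finding) pairs for devices that break the article's controls."""
    findings = []
    for mac, ip in observed:
        asset = register.get(mac)
        if asset is None:
            findings.append((mac, "unknown device: not in asset register"))
            continue
        if asset.iot and ip_address(ip) not in IOT_SEGMENT:
            findings.append((mac, "IoT device outside the isolated IoT segment"))
        if not asset.vendor_supported:
            findings.append((mac, "vendor no longer supports this device"))
        if not asset.default_password_changed:
            findings.append((mac, "default credentials never changed"))
    return findings

if __name__ == "__main__":
    for mac, finding in audit(REGISTER, OBSERVED):
        print(f"{mac}: {finding}")
```

Feeding the same function a real DHCP lease table or switch MAC table in place of OBSERVED turns it into a recurring check for the forgotten and unsupported devices Hanslovan describes.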
Jessvin Thomas, president and CTO of Skout Cybersecurity, also sees businesses' lack of accountability as a critical issue. "The key thing for us is educating the customers on the need for monitoring and security," he said. "So many are connecting and using IoT devices without understanding the impact -- they have no plan for watching, securing and updating those devices. We must help them understand."
As the world goes full speed ahead into mass IoT adoption, it's critical to plan ahead. Incredible numbers of devices and applications are predicted to be deployed in a short window -- we're running short on time. It will become impossible to clean up if we don't move quickly to determine policy and take action immediately. If action is taken now, there's a good chance to manage this. If not, IoT will become an insurmountable security problem.