The number of attendees at the IoT World conference grows with each passing year, and this year was no exception. The Santa Clara convention center was packed with over 12,500 participants and over 300 exhibitors, seasoned veterans and startups alike. The conference focused on a wide range of prominent topics, from continued advancement and adoption of artificial intelligence and machine learning, to discussions surrounding information technology and operational technology management challenges. As the industrial and critical infrastructure markets move at a much slower pace than the traditional IT ecosystem, effective security solutions will continue to be sought after for years to come.
Security remains a prominent concern
Unlike last year’s event, security made a late entry into the rounds of various conference discussions. However, once presented, attention and curiosity surrounding the topic of data protection quickly swelled. The sheer volume of devices being developed and introduced into the information ecosystem presents monumental challenges, as the number of connected nodes open to potential exploitation and compromise grows with each passing day. With nearly 40 billion installed IoT devices projected by 2020, the potential threat landscape will be enormous. As a result of the raw volume of IoT devices being added daily, effective security and management will have to remain top priorities in the technology market.
Nature’s lessons for security at scale
One of the first individuals to speak directly on the topic of IoT security was Ben Baker, Director of Strategic Marketing for Juniper Networks. Baker suggested that we look towards nature to find examples of large-scale group management behaviors, like those of starlings taking part in a murmuration, and use those behaviors to structure our IoT management solutions. His discussion outlined five specific steps to address IoT security at scale. First, the devices themselves need to be observed effectively, to determine whether the behavior the device is engaging in is desirable or not. Second, the devices need to be classified and clustered based on common characteristics for effective management to be possible. Third, any analysis of the clustered devices will help to further provide visibility into anomalous behavior. Fourth, the root causes of the undesirable behavior need to be recognized as either malicious, or simply outside the norms. Lastly, there need to be efforts to remediate the issues, be that in the form of blocking a port, or updating a policy to alter the accepted norms. Without proper management strategies to address the exponential growth of the IoT, effective security will be nearly impossible to achieve.
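Baker's clustering, analysis and remediation steps can be sketched in a few functions. This is an added example, not code from the talk or from Juniper Networks; the device names, classes, ports and the 50% peer-share threshold are constructed assumptions, and the malicious-versus-unusual judgement of step four is left to an analyst who supplies the accepted norms.

```python
from collections import defaultdict

# Constructed observations (step 1): (device_id, device_class, destination_port)
OBSERVED = [
    ("cam-01", "camera", 554), ("cam-01", "camera", 443),
    ("cam-02", "camera", 554), ("cam-02", "camera", 443),
    ("cam-03", "camera", 554), ("cam-03", "camera", 443),
    ("cam-04", "camera", 554), ("cam-04", "camera", 23),
    ("therm-01", "thermostat", 8883), ("therm-02", "thermostat", 8883),
    ("therm-03", "thermostat", 8883), ("therm-03", "thermostat", 123),
]

def cluster_by_class(flows):
    """Step 2: group devices by class, keeping each device's set of ports."""
    clusters = defaultdict(lambda: defaultdict(set))
    for device, dev_class, port in flows:
        clusters[dev_class][device].add(port)
    return clusters

def find_anomalies(flows, min_peer_share=0.5):
    """Step 3: flag ports used by fewer than min_peer_share of a cluster's devices."""
    findings = []
    for dev_class, devices in sorted(cluster_by_class(flows).items()):
        usage = defaultdict(set)  # port -> devices in this cluster using it
        for device, ports in devices.items():
            for port in ports:
                usage[port].add(device)
        for port, users in sorted(usage.items()):
            if len(users) / len(devices) < min_peer_share:
                findings.extend((d, dev_class, port) for d in sorted(users))
    return findings

def propose_remediation(findings, accepted=frozenset()):
    """Steps 4-5: (class, port) pairs an analyst accepted as merely unusual
    become policy updates; everything else gets a port-block proposal."""
    actions = []
    for device, dev_class, port in findings:
        verdict = "update-policy" if (dev_class, port) in accepted else "block-port"
        actions.append((device, port, verdict))
    return actions

if __name__ == "__main__":
    found = find_anomalies(OBSERVED)
    for action in propose_remediation(found, accepted={("thermostat", 123)}):
        print(action)
```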
Security demands protection for the entire device lifecycle
When it comes to securing the IoT, the process doesn’t start simply when the device is purchased or installed. Comprehensive and effective security begins at the moment of product design. Craig Miller, Director of Product Strategy at u-blox, and Christopher Schouten, Senior Director of Product Marketing at the Kudelski Group, provided insight into this topic. The pair outlined what they argued is a needed transition in the way IoT security should be approached. The modern approach is one of security by observation and reaction. However, the gentlemen described how security by design is the far better strategy, and provided examples of specific questions that developers should answer in the product roadmaps to ensure effective security. They outlined three primary steps. The first is to design a secure IoT solution tailored to meet your business needs. Secondly, IoT assets need to be managed and controlled with simple and secure APIs. Lastly, returns on investment should be maximized throughout the entire device security lifecycle. Ultimately the pair reinforced the argument that building security into a product by design is substantially less costly than addressing a security flaw later on.
Mission critical infrastructure remains a prime target
New vulnerabilities affecting the world’s critical infrastructure are discovered with unfortunate regularity. Dean Weber, Chief Technology Officer at Mocana, highlighted some of the complications unique to this market. For instance, securing critical infrastructure requires being prepared to address attacks from a wide range of vectors. From inbound and physical attacks, to phishing and social engineering efforts, the methods of compromising the industrial sector are growing. Furthermore, hackers are finding ways to circumvent traditional defenses by taking advantage of security flaws or weaknesses within the connected IoT devices themselves. From insecure boot practices, to weak authentication methods, to a lack of encryption, these options remain quite numerous on some devices. Weber outlined Mocana’s solution, which seeks to provide secure integration, provisioning, and management services for IoT devices. While modern equipment can benefit from this security solution, Weber highlighted that Mocana can also protect much of the legacy industrial infrastructure that is more than a decade old.
Governments are developing threat response plans
The reality is that IoT security has consequences for every single market imaginable. However, the responses to these threats are far from ubiquitous. Raj Patel, the Chief Information Security Officer for the City of Palo Alto, promoted a 10-step plan to help encourage secure practices for managing the IoT. 1) In-depth IoT security awareness training is essential. 2) An IoT-specific security policy has to be developed and implemented. 3) Each of the sources of IoT devices, equipment, hardware, and software needs its own security controls. 4) Effective access control policies within the IoT software, as well as the coding of the devices themselves, need to be in place. 5) Data segregation between different devices can help reduce risk in the event of one device being compromised. 6) Network segmentation through VLANs, and encrypted communications via VPNs, are necessary for secure IoT communications. 7) Default passwords on devices must be changed using strong password policies. 8) Secure Wi-Fi solutions have to be used when connecting IoT devices. 9) Automated SOC and incident response systems need to be in place to address issues as they arise. 10) Lastly, an IoT cyber-threat intelligence program should also be developed to respond to future incidents. While not all of these individual steps apply universally to all situations, adhering to them wherever possible will provide a solid security foundation from which any institution can build.
Effective defense requires adaptability
The last speaker of the day was Mike Ahmadi, the Global Director for IoT Security Solutions at DigiCert. Ahmadi elaborated on the concern that the growing number of IoT devices presents a security problem, as the threat landscape grows proportionately with each connected device. However, Ahmadi outlined how the incorporation of the Public Key Infrastructure (PKI) can help to secure these devices through the application of three separate solutions. Initially, the identity of IoT devices needs to be authenticated through PKI certificates. Secondly, the certificates can then be used to create an encrypted link in order to transmit information privately and securely. Lastly, the PKI certificates can ensure data and system integrity by verifying that the IoT device settings, and the data being transferred, have not been altered in any way. By applying this trinity of PKI functionality, IoT devices, and the information they manage, can be made far more secure.
While additional IoT functionality and capabilities were front and center at the conference, cybersecurity remained a less conspicuous topic of discussion. However, those discussions and presentations that did focus on cybersecurity provided greater insight into the growing risks present in the ever-growing and evolving IoT landscape. Each of the conference speakers recognized the essential requirement of addressing the growing number of threats to IoT devices earlier instead of later. This is a difficult reality to accept, but it’s no longer a matter of if an internet-connected device will be attacked or compromised. The harsh truth is that it’s only a question of when an attack will take place, and whether or not we are prepared to address it.