Why the Internet of Things is so Difficult to Secure
By Ian Yip, Chief Technology Officer, Asia Pacific, McAfee
There are many cases where IoT does improve the quality of life. For example, IoT sensors can help commuters determine which carriages of a train will yield the highest chance of a seat, and hence direct them to the appropriate section of the platform. This is a very practical, useful application that significantly improves a commuter’s journey and experience. It is examples such as this that advocates use as evidence to argue that the benefits of IoT far outweigh the risks.
The term “smart” is a word commonly used to suggest a product has digitally-enhanced capabilities and as such, is a next-generation technology that will improve lives, and help businesses function more effectively. Then there are smart meters, smart thermostats, and all things “smart home” that allow us to evolve our dwellings to something only previously witnessed in science fiction movies. The IoT value proposition is a compelling one. “Smart everything” is the future of how we live and how we will run our businesses.
Today, many security practitioners subscribe to the mantra that “smart means insecure”. Some may say this is an exaggeration, but it is applicable in a frighteningly high number of cases. One just needs to look at the Mirai incidents of late 2016 that used compromised IoT devices against victims which included Twitter, Netflix, and Reddit. While Mirai has been the highest profile example to date of a targeted IoT attack, there have been others since, and the number will continue to rise. Cyber-attackers typically break in via the weakest points on a network; increasingly, this will be through the IoT-enabled parts of an environment.
People and companies do not “buy IoT”. They focus on improving the way their businesses run or that make lives better
The IoT security problem is primarily a cultural one. Take a smart television as an example. For the average person, if it continues to function as required, should they care that it happens to be part of a botnet? Unfortunately, that answer is “no”. The average person only cares that the smart device continues to function in line with expectations; the fact that it may be insecure is secondary if the device was not primarily intended for use as a security control point. This is true in both the consumer and corporate worlds.
There is little regulation mandating that a minimal level of security be built into IoT devices. However, this is starting to change. In August 2017, The United States Senate introduced the IoT Cybersecurity Improvement Act of 2017, which requires that vendors providing internet-connected equipment to the U.S. government ensure their products meet a baseline set of security standards. While this is a good start, it is not the norm. More needs to be done by regulators globally, working in conjunction with those attempting to secure our digital lives, to help ensure IoT devices meet security standards.
For businesses, additional IoT security challenges include:
• Devices are usually low powered. Limited computing capabilities mean difficulty implementing security controls (e.g. encryption).
• Keeping devices up to date is not something that is currently well managed, leading to security vulnerabilities potentially remaining un-patched indefinitely.
• The sheer number of emerging connection protocols makes devices difficult to manage and secure.
• Devices are increasingly unlikely to be in physically secure sites, significantly increasing the opportunities for attackers to compromise their integrity.
• IoT deployments are largely uncontrolled environments where the number of devices grows exponentially, making it extremely challenging for security teams to govern and manage.
People and companies do not “buy IoT”. They focus on improving the way their businesses run or that make lives better. The fact that something is IoT-related technology is secondary to the buyer and user experience. Therefore, IoT will eventually become the norm. The term will lose its luster and we will simply be attempting to maintain cyber safety for organizations and the general population. Security practitioners would serve the world best by getting ahead of this reality and approaching the problem not as “protecting IoT”, but in building next-generation cyber defenses. Instead of security, cyber defenses must focus on cyber resilience using a risk-based approach. This is how we best set ourselves up to succeed in the ongoing war against cyber-attackers.