The day when virtually every electronic device -- from phones and cars to refrigerators and light switches -- will be connected to the Internet is not far away. The number of Internet-connected devices is growing rapidly and is expected to reach 50 billion by 2020.
However innovative and promising it seems, this so-called Internet of Things (IoT) phenomenon significantly increases the number of security risks businesses and consumers will inevitably face. Any device connecting to the Internet with an operating system comes with the possibility of being compromised, in turn becoming a backdoor for attackers into the enterprise.
In this article, we will discuss the proliferation of the Internet of Things and explore what enterprises can do to manage the security risks associated with IoT devices.
What is the IoT? Why is it growing in popularity?
The IoT sensation is rapidly embracing entire societies and holds the potential to empower and advance nearly each and every individual and business. This creates tremendous opportunities for enterprises to develop new services and products that will offer increased convenience and satisfaction to their consumers.
On the user side, Google Inc. recently announced that it is partnering with major automakers Audi, General Motors and Honda to put Android-connected cars on the roads. Google is currently developing a new Android platform that will connect cars to the Internet. Soon, car owners will be able to lock or unlock their vehicles, start the engine or even monitor vehicle performance from a computer or smartphone.
The promises of IoT go far beyond those for individual users. Enterprise mobility management is a rapidly evolving example of the impact of IoT devices. Imagine if suddenly every package delivered to your organization came with a built-in RFID chip that could connect to your network and identify itself to a connected logistics system. Or picture a medical environment in which every instrument in the exam room connected to the network to transmit patient data collected via sensors. Even in industries like farming, imagine if every animal were digitally tracked to monitor its location, health and behavior. The IoT possibilities are limitless, and so is the number of devices that could manifest.
However, despite the opportunities of IoT, there are many risks that must be contended with. Any device that can connect to the Internet has an embedded operating system deployed in its firmware. Because embedded operating systems are often not designed with security as a primary consideration, there are vulnerabilities present in virtually all of them -- just look at the amount of malware that is targeting Android-based devices today. Similar threats will likely proliferate among IoT devices as they catch on.
Enterprises and users alike must be prepared for the numerous issues of IoT. Listed below are seven of the many risks that will be inherent in an Internet of Things world, as well as suggestions to help organizations prepare for the challenge.
1. Disruption and denial-of-service attacks
Ensuring continuous availability of IoT-based devices will be important to avoid potential operational failures and interruptions to enterprise services. Even the seemingly simple process of adding new endpoints into the network -- particularly automated devices that work under the principle of machine-to-machine communications like those that help run power stations or build environmental controls -- will require the business to focus its attention on physical attacks on the devices in remote locations. This will require the business to strengthen physical security to prevent unauthorized access to devices outside of the security perimeter.
Disruptive cyberattacks, such as distributed denial-of-service attacks, could have new detrimental consequences for an enterprise. If thousands of IoT devices try to access a corporate website or data feed that isn't available, an enterprise's once-happy customers will become frustrated, resulting in revenue loss, customer dissatisfaction and potentially poor reception in the market.
Many of the challenges inherent to IoT are similar to those found in a bring your own device environment. Capabilities for managing lost or stolen devices -- either remote wiping or at least disabling their connectivity -- will be critical for dealing with compromised IoT devices. Having this enterprise strategy in place will help mitigate the risks of corporate data ending up in the wrong hands. Other policies that help manage BYOD could also be beneficial.
2. Understanding the complexity of vulnerabilities
Last year, an unknown attacker used a known vulnerability in a popular Web-connected baby monitor to spy on a two-year-old. This eye-opening incident goes to show what a high risk the IoT poses to enterprises and consumers alike. In a more dramatic example, imagine using an IoT device like a simple thermostat to manipulate temperature readings at a nuclear power plant. If attackers compromise the device, the consequences could be devastating. Understanding where vulnerabilities fall on the complexity meter -- and how serious of a threat they pose -- is going to become a huge dilemma. To mitigate the risk, any project involving IoT devices must be designed with security in mind, and incorporate security controls, leveraging a pre-built role-based security model. Because these devices will have hardware, platforms and software that enterprises may never have seen before, the types of vulnerabilities may be unlike anything organizations have dealt with previously. It's critical not to underestimate the elevated risk many IoT devices may pose.
3. IoT vulnerability management
Another big challenge for enterprises in an IoT environment will be figuring out how to quickly patch IoT device vulnerabilities -- and how to prioritize vulnerability patching.
Because most IoT devices require a firmware update in order to patch vulnerabilities, the task can be complex to accomplish on the fly. For example, if a printer requires firmware upgrading, IT departments are unlikely to be able to apply a patch as quickly as they would in a server or desktop system; upgrading custom firmware often requires extra time and effort.
Also challenging for enterprises will be dealing with the default credentials provided when IoT devices are first used. Oftentimes, devices such as wireless access points or printers come with known administrator IDs and passwords. On top of this, devices may provide a built-in Web server to which admins can remotely connect, log in and manage the device. This is a huge vulnerability that can put IoT devices into attackers' hands. Addressing it requires enterprises to develop a stringent commissioning process. It also requires them to create a development environment where the initial configuration settings of the devices can be tested, scanned for any vulnerabilities they present and validated, with issues closed before the device is moved into the production environment. This further requires a compliance team to certify that the device is ready for production, test the security controls on a periodic basis, and make sure that any changes to the device are closely monitored and controlled and that any operational vulnerabilities found are addressed promptly.
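The commissioning process described above can be expressed as an automated gate that a device must pass before it leaves staging. The following Python sketch is an added example, not part of the original article; the record schema, the 90-day recertification interval and the sample devices are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import hashlib

RECERT_INTERVAL = timedelta(days=90)  # assumed interval for periodic control tests

@dataclass
class DeviceRecord:
    """Staging-environment results for one device (hypothetical schema)."""
    name: str
    default_login_accepted: bool   # vendor default admin login still works
    web_admin_enabled: bool        # built-in management Web server is running
    web_admin_mgmt_only: bool      # ...and reachable only from the management segment
    open_findings: list = field(default_factory=list)  # unresolved scan findings
    certified_on: Optional[date] = None                # compliance sign-off date
    certified_config_sha256: str = ""                  # config hash at sign-off
    running_config: bytes = b""

def commissioning_blockers(dev, today):
    """Return the reasons a device may not enter production (empty list = ready)."""
    blockers = []
    if dev.default_login_accepted:
        blockers.append("default administrator credentials still accepted")
    if dev.web_admin_enabled and not dev.web_admin_mgmt_only:
        blockers.append("management Web server reachable outside management segment")
    blockers += [f"open scan finding: {f}" for f in dev.open_findings]
    if dev.certified_on is None:
        blockers.append("no compliance certification")
    else:
        if today - dev.certified_on > RECERT_INTERVAL:
            blockers.append("certification older than periodic test interval")
        if hashlib.sha256(dev.running_config).hexdigest() != dev.certified_config_sha256:
            blockers.append("configuration changed since certification")
    return blockers

# Constructed sample records (not real devices)
_cfg = b"http_admin=mgmt-only\nsnmp=off\n"
PRINTER = DeviceRecord("printer-01", True, True, False, ["outdated firmware"])
AP = DeviceRecord("ap-07", False, True, True, [], date(2024, 1, 10),
                  hashlib.sha256(_cfg).hexdigest(), _cfg)

if __name__ == "__main__":
    for dev in (PRINTER, AP):
        print(dev.name, commissioning_blockers(dev, date(2024, 2, 1)) or "ready")
```

Running the same check on a schedule after deployment covers the periodic testing and change monitoring steps: an expired certification or a drifted configuration hash turns a previously approved device back into a blocked one.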
4. Identifying, implementing security controls
In the IT world, redundancy is critical; should one product fail, another is there to take over. The concept of layered security works similarly, but it remains to be seen how well enterprises can layer security and redundancy to manage IoT risk. For example, in the health care industry, medical devices are available that not only monitor patients' health statuses, but also dispense medicine based on analysis performed by such devices. It's easy to imagine how tragic consequences could result were these devices to become compromised.
The challenges for enterprises lie in identifying where security controls are needed for this emerging breed of Internet-connected devices, and then implementing effective controls. Given the diversity that will exist among these devices, organizations will need to conduct customized risk assessments, often relying on third-party expertise, to identify what the risks are and how best to contain them. While an interesting recent example was the case of former Vice President Dick Cheney disabling the remote connectivity of a defibrillator implanted in his chest, unfortunately most enterprises won't have the luxury of taking these devices offline. In any event, organizations which embrace IoT must define their own information security controls to ensure the acceptable and adequate protection of the IoT evolution. As the trend matures, best practices will certainly emerge from industry professionals.
5. Fulfilling the need for security analytics capabilities
The variety of new Wi-Fi-enabled devices connecting to the Internet will create a flood of data for enterprises to collect, aggregate, process and analyze. While certainly organizations will identify new business opportunities based on this data, new risks emerge as well.
Organizations must also be able to identify legitimate and malicious traffic patterns on IoT devices. For example, if an employee tries to download a seemingly legitimate app onto his or her smartphone that contains malware, it is critical to have actionable threat intelligence measures in place to identify the threat. The best analytical tools and algorithms will not only detect malicious activity, but also improve customer support efforts and improve the services being offered to the customers.
To prepare for these challenges, enterprises must build the right set of tools and processes required to provide adequate security analytics capabilities.
6. Modular hardware and software components
Security should be considered and implemented in every aspect of IoT to better control the parts and modules of Internet-connected devices. Unfortunately it should be expected that attackers will seek to compromise the supply chain of IoT devices, implanting malicious code and other vulnerabilities to exploit only after the devices have been implemented in an enterprise environment. It may prove necessary to adopt a security paradigm like the Forrester Zero Trust model for IoT devices.
Where possible, enterprises should proactively set the stage by isolating these devices to their own network segment or VLAN. Additionally, technologies such as microkernels or hypervisors can be used with embedded systems to isolate the systems in the event of a security breach.
7. Rapid demand in bandwidth requirement
A study conducted by Palo Alto Networks Inc. revealed that between November 2011 and May 2012, network traffic jumped 700% on networks the vendor observed, largely due to streaming media, peer-to-peer applications and social networking. As more devices connect to the Internet, this number will continue to grow.
However, the increased demand for Internet bandwidth could multiply business continuity risks. If critical applications do not receive their required bandwidth, consumers will have bad experiences, employee productivity will suffer and enterprise profitability could fall.
To ensure high availability of their services, enterprises must consider adding bandwidth and boosting traffic management and monitoring. This will not only mitigate business continuity risks, but also prevent potential losses. In addition, from the project planning standpoint, organizations would need to do capacity planning and watch the growth rate of the network so that the increased demand for the required bandwidth can be met.
The Internet of Things has great potential for the consumer as well as for enterprises, but not without risk. Information security organizations must begin preparations to transition from securing PCs, servers, mobile devices and traditional IT infrastructure, to managing a much broader set of interconnected items incorporating wearable devices, sensors and technology we can't even foresee currently. Enterprise security teams should take the initiative now to research security best practices to secure these emerging devices, and be prepared to update risk matrices and security policies as these devices make their way onto enterprise networks to enable machine-to-machine communication, huge data collection and numerous other uses. This increased complexity within the enterprise shouldn't be overlooked, and threat modeling will be necessary to ensure the basic security principles of confidentiality, integrity and availability are maintained in what will be an increasingly interconnected digital world.
About the author:
Ajay Kumar is an information security manager who has been working for a decade in the information security and risk management domain, and has expertise in cybersecurity, identity and access management, security operations management, data protection, cloud security and mobile security. He specializes in the planning, design and implementation of the security services and systems required to protect the confidentiality, integrity, privacy and authenticity of the information stored in enterprise environments. Ajay can be reached at firstname.lastname@example.org.