IoT security: whose job is it anyway?

It’s been nearly two decades since the coining of the term “Internet of Things,” yet we are still asking the same question: “Whose responsibility is it to secure the billions of IoT devices?” Given the market’s progress of late, you would think we’d have it figured out by now; but, it’s not that simple.

Although IoT security has long been a hot topic of discussion, it has become more important—and more challenging – than ever. First, gone are the days when operational technology (OT) was single-handedly responsible for securing IoT, often taking a “security by obscurity” approach by physically separating production operations and industrial networks from enterprise networks and the Internet. Although enterprises are realizing the need to converge IT with OT to drive new use cases, enable an open flow of data between networks and applications, support better business decisions, lower costs, and reduce complexity, new attack surfaces are arising between the gaps in IT and OT practices.

Second, cybercriminals are increasingly targeting IoT by exposing these vulnerable attack surfaces. Studies show that DDoS (Distributed Denial-of-Service) attacks by IoT devices turned into IoT botnets are on the rise. For example, the Mirai botnet has infected hundreds of thousands of IoT devices, making them capable of collaborating on large-scale network attacks.

Third, each vertical is different when it comes to IoT security, some with critical or mission-critical infrastructures, and varying regulations. In the Utilities industry, for instance, the U.S. government recently mandated the adoption of version 5 of the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) as the cybersecurity standard, whereas the Healthcare industry follows HIPPA requirements for securing data.

While enterprise IT, chief information security officers and governments around the world play central roles in IoT security, it is everybody’s job, especially industry’s, to establish consensus around a core set of requirements that address critical security, data protection and privacy needs.

From devices to industry standards

Both device and security vendors are critical to the IoT ecosystem. However, device vendors have been slow to invest in security because it can add cost, complexity and time-to-market. With many makers committing clear security missteps – such as hard-coding default names and passwords into their devices – consumer IoT gadgets have been incredibly easy to compromise.

Yet, after a series of high-profile consumer IoT attacks in 2016, not only are governments considering regulation, but more vendors and device makers have finally started to invest appropriately in IoT security. These vendors are taking a dual approach where they protect the “things” from the network, and vice-versa. For instance, manufacturers can now add an extra layer of security to their devices by using the IETF MUD standard enabling them to “tell” the network what access the device needs. This allows the network to deny any anomalous requests from that device.

At the same time, industrial IoT vendors are collaborating to establish standards, interoperability and certifications for IoT security. For example, manufacturing standards bodies such as ODVA, OPC and ISA are working to align with IEC 62443 on security. These standards combine vertical, industry-specific best practices at the higher layers, with horizontal approaches to common elements like industrial security. Also, groups like the IETF, the Industrial Internet Consortium (IIC)’s security working group and IEEE have all been active in developing IoT security frameworks, standards and methodologies to ensure cybersecurity across interconnected IoT systems by brand, model and type. This will help companies mitigate risks when developing and deploying their IoT solutions.

The work of all these players is complicated by the unique challenges of an IoT environment—more distributed, more heterogeneous, more complex and often at a much larger scale than traditional IT environments. This leads us to our next line of defense in IoT security: your business.

Best practices for businesses

As vendors rise to the IoT security challenge and embrace interoperability standards, businesses across industries must also do their part to safeguard IoT and prevent potentially disastrous cyberattacks. The key tactics involve achieving visibility into their networks, network endpoints, IoT devices and cloud infrastructure. To do so, consider the following tools and best practices:

1. Inventory devices and systems connected to the network

Security teams often have only snapshot views or outdated lists of managed devices for reference. If possible, automate device discovery to understand precisely what devices are running which operating systems and quickly send out patches to fix known vulnerabilities. Also, invest in a centralized platform that can integrate all your IoT initiatives and provide you with the visibility (and security) to obtain new value from the data shared between different systems.

2. Enable real-time monitoring and leak path detection

Investigate solutions that closely monitor network traffic, detect attackers and track how IoT devices interact with the network and other devices. It may very well be a sign of malicious activity if an IoT device is scanning another, or if an otherwise predictable traffic pattern changes. For example, if the HVAC system is communicating with the point of sale (POS) system, or if the POS is unexpectedly sending data to the cloud, you can quickly flag and shut down that activity.

3. Implement network segmentation and role-based access controls

Ensure that only authorized people, machines or processes can access certain classes of devices or data flows. There’s no reason the HVAC should even be allowed to talk to the POS, is there? To prevent this, isolate these systems on separate network segments—and remember to review segmentation policies and test their effectiveness regularly.

4. Train your employees and build a culture of security awareness

Your employees (no matter their roles) should be your first line of defense against countless threats. Like IoT itself, security

education is never “one and done.” Another issue for both IT and IoT is that 60 percent of security threats originate from inside sources. A quarter of these breaches are unintentional—from clicking on a link in a phishing email to carelessly holding the door open for an unbadged person. This is where we get back to the notion that IoT security is everybody’s job.

While these best practices will help secure IoT, the bottom line is that companies must take an integrated, policy-based approach to IoT security that integrates data, device and physical security. Doing this will open new classes of IoT use cases and provide customers with a single source of accountability. With billions of new devices coming online every year, it will take more than a perimeter or “security by obscurity” defense to secure your IoT systems. If we want to enjoy the full benefits of connected systems, it’s up to everyone to know and own their part.

So, what’s your role in securing IoT?