You may not be aware that the Internet of Things (IoT) has already invaded your organisation. Consider that the massive Target breach of 2013-2014 stemmed from network infiltration through Target’s HVAC (heating, ventilation, air conditioning) vendor. An IoT device is basically a sensor with intelligence and connectivity. Pedestrian devices have become smart and network-connected; think of telephones, security devices, and HVAC, among others. Each new connected device introduced to a network can become a hacker’s entry point into the network.
And the number of IoT devices is growing dramatically. This is why Microsoft wants to get in on the act. It has acquired Solair, adding a working and proven set of IoT products and software on the Microsoft Azure platform, to enhance its growing cloud services business.
Security was not an important consideration in the first generation of PCs. After all, they were “personal computers”, networked only for printer service. As network capabilities grew, especially when PCs became capable of accessing corporate assets on minicomputers and mainframes, security was added as an afterthought. This pattern continues in the development of IoT devices.
Most IoT devices are not generic; they are manufactured for a specific purpose. Thus, a single company may contain a plethora of device types, one for lighting management, another for security cameras, etc. The code that manages most IoT devices is often ad hoc, created by engineers and/or users with no devops training. You can see that there is next to no standardization of what you might call the “operating system”. Establishing an orderly and systematic method of patching faulty or insecure code is well-nigh impossible. There are now thousands of vendors implementing thousands of unique combinations of software and dozens of technologies (WiFi, Bluetooth, NFC, Zigbee, RFID) on literally billions of new devices.
IoT devices typically lack the computing power to support proper security tools such as encryption. No wonder there have been outbreaks of hacks involving medical devices, automobiles, baby monitors, and physical security systems.
There is no one department that seems to be given responsibility for implementation and support of IoT. Depending upon the company, it could be the user department, engineering or IT. This speaks to the cross-cutting nature of IoT. Although IT tends to be chosen to manage IoT projects because of its background in project management, most IT personnel have limited exposure to embedded software development. Moreover, the useful life of IoT devices is typically longer than that of PCs or mobile devices, making continuity of support a major concern.
IoT vendors have traditionally incorporated Application-Specific Integrated Circuits (ASICs) with unalterable programs, all memory being read-only. This approach minimizes security vulnerabilities. But vendors are increasingly using another type of integrated circuit, the Field Programmable Gate Array (FPGA). The chip is reconfigurable, even during run time.
A Georgia Tech case study purports that with FPGAs, "There are entirely new attack vectors to consider, ones that lie outside the traditional computer security mindset." The study introduces an entirely new architecture to deal with these vectors that they call Trustworthy Autonomic Interface Guardian Architecture (TAIGA).
Speaking of standards, the vulnerability of IoT devices has not been lost on industry and the public, and there are a number of promising approaches.
For network-connected smart medical devices, the DTSec standard was unveiled by the Diabetes Technology Society in May 2016. DTSec contains a set of performance requirements to improve cybersecurity through independent expert security evaluation by DTSec-approved labs such as Brightsight. The Diabetes Technology Society will publish the names of products that successfully pass the evaluation process. At this point, the standard applies only to diabetes-related smart devices like insulin pump controllers and continuous glucose monitors.
The IoT Trust Framework from Online Trust Alliance (OTA) takes another tack, issuing guidelines for IoT manufacturers, developers and retailers. The OTA has such influential members as Microsoft, Symantec, ADT, AVG, Target, TRUSTe and Verisign. The proposed guidelines include the following:
The OTA is also developing testing tools and methodologies. Eventually, OTA plans to have a certification program.
Policy and procedure for the use of IoT should be in place before it is implemented in an organisation. Recent research from ForeScout Technologies analysed responses from over 350 IT pros from a wide range of companies around the world. Fewer than half (44 percent) of respondents have a security policy that includes IoT devices. Almost a third (30 percent) said their company failed to have a specific solution in place to secure IoT devices and 26 percent don't know if they have security policies on their devices.
Hopefully this is food for thought. I’d love to hear your thoughts on this subject. What challenges does IoT pose for your organisation? Feel free to contact me at firstname.lastname@example.org