The Internet of Things (IoT) has become the new frontier of business, and concurrently, is the new frontier of threats. In this four-part series, I’m covering various angles of IoT Security. Whether you’re on the purchasing, sourcing, and finance side, handle IT security and risk management, or you are project- or product-managing an IoT deployment, security is a major piece of the puzzle. Start from the beginning of the series here and subscribe to our blog to be notified when part four drops.
IoT is still in its early years. As with all technological gold rushes, the security mechanisms that protect those systems lag the trend itself. In other words, if the internet of things has just entered its awkward, gangly teen stage, the IoT security ecosystem is its younger sibling, looking on with a raised eyebrow and shaking her head with concern.
The rush to IoT poses risk for everyone: risk that, in a good-case scenario, is mitigated by forethought and preparation, protecting a business and its consumers from exposure to harm. In a not-so-good-case scenario, vulnerabilities are exposed, and personal data and information fall into the hands of those for whom they were never intended.
A prime example of this in the IoT space is the 2013 Target security breach, in which attackers gained access to Target’s broader network via network-connected HVAC systems used to report on store air and temperature quality. About 40 million debit and credit card account numbers were acquired by the attackers within the two weeks between Black Friday and Christmas.
Still, IoT devices are being rushed to market without adequate concern for security, opening a company up to additional risks with major downstream implications. Throwing an IT security or risk management team without IoT security expertise into the deep end of an IoT deployment is unlikely to end well. Here is what you can do to prepare.
How IT and Risk Management Teams Can Approach IoT Security
An Open Network Approach
In an open network approach, traffic flows through public internet gateways without being backhauled through a private, secured network. This is typically used when non-sensitive information is being passed to a cloud or other network endpoint. While this is a simpler approach and easier to deploy, that does not mean basic security measures can be skipped.
If you use the right modern IoT cellular network provider, it should let you turn on features such as deep-packet inspection of your traffic, content filtering of that traffic, and usage-pattern-based analytics. If your device is only expected to send data to a cloud API and you start seeing FTP or other traffic, this is a red flag that the device could be compromised.
A Closed-Loop Connection Approach
When requirements specify that certain content cannot go over the public internet (in banking or highly sensitive environments, for example), closed-loop connections happen on an internal intranet. All traffic is secured over an encrypted tunnel (IPSEC or something similar) and never actually touches the public internet.
The world of IoT security, in its adolescence, is fragmented. You have vendors doing security specifically on analytics, or on connections, or on data in motion, or data at rest. Closed-loop security connections err on the side of caution. The appropriate security approach for your IoT project will depend upon its use case. If you’re sending diagnostic data off a controller that contains nothing that would be considered private or gives up personal or sensitive information, you may be okay passing that over the public internet. But if it’s credit card or customer information, you might opt for a closed loop.
Basic Security Hygiene of an IoT Project
One of the most common security misses we encounter with businesses launching an IoT product is neglecting what we consider to be basic security hygiene practices. In an initial set-up phase, your IT security team should assess (at a minimum): Who has access to the IoT platform? Who has the API credentials? Are you using hardened credentials? Even in the most sophisticated security set-ups, we see default passwords that are never changed.
These are issues nobody should have to think about, but this is the reality of adding layers of complexity upon layers of complexity to a security environment. It pays to do back-maintenance before moving forward with IoT.
Post-deployment, someone should be looking after the health of your IoT devices. We commonly do this month-to-month to monitor for uncommon statistics and behavior. Through this, you'll be able to identify things like compromised devices, devices using an abnormally large amount of traffic, or other behaviors that hint at a possible breach. At the end of the day, you want to prevent a breach or a data overage. If you don't have the IT and risk management staff to manage the monitoring of your IoT systems and devices (most companies don't), you will benefit from having a reliable managed services provider do it for you.
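As an added example (not code from the original post or from any provider it mentions), here is the kind of check the open-network paragraph and the post-deployment monitoring paragraph describe: an allow-list of expected cloud destinations plus a usage budget, run over constructed flow records. The device ids, the hostname, the FTP destination and the byte budget are all assumptions chosen for the illustration.

```python
"""Flow-level anomaly check for IoT devices that should only talk to one cloud API."""
from collections import defaultdict

# Constructed sample flow records (not real telemetry): one tuple per connection
# seen at the cellular gateway: (device_id, dst_host, dst_port, proto, bytes).
SAMPLE_FLOWS = [
    ("sensor-001", "api.example-cloud.test", 443, "tcp", 12_000),
    ("sensor-001", "api.example-cloud.test", 443, "tcp", 9_500),
    ("sensor-002", "api.example-cloud.test", 443, "tcp", 11_000),
    ("sensor-002", "203.0.113.45", 21, "tcp", 4_000),               # FTP to an unknown host
    ("sensor-003", "api.example-cloud.test", 443, "tcp", 2_400_000),  # traffic volume spike
]

# Per-deployment policy (assumed values): where each device is expected to send
# data, and a monthly byte budget derived from the expected reporting cadence.
POLICY = {
    "allowed_destinations": {("api.example-cloud.test", 443, "tcp")},
    "monthly_budget_bytes": 500_000,
}


def detect_anomalies(flows, policy):
    """Return a list of (device_id, reason, detail) findings.

    Two checks mirror what a provider's DPI and usage analytics would surface:
    1. any flow to a (host, port, proto) outside the allow-list;
    2. per-device traffic exceeding the expected usage budget.
    """
    findings = []
    volume = defaultdict(int)
    for device, host, port, proto, nbytes in flows:
        volume[device] += nbytes
        if (host, port, proto) not in policy["allowed_destinations"]:
            findings.append((device, "unexpected_destination", f"{proto}/{port} to {host}"))
    for device, total in sorted(volume.items()):
        if total > policy["monthly_budget_bytes"]:
            findings.append((device, "usage_over_budget", f"{total} bytes"))
    return findings


if __name__ == "__main__":
    for device, reason, detail in detect_anomalies(SAMPLE_FLOWS, POLICY):
        print(f"{device}: {reason} ({detail})")
```

In a real deployment the flow records would come from the provider's usage reports or a NetFlow/IPFIX export, and the findings would feed a ticket or alert rather than stdout.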
Legacy IT security teams are not built to support the new frontier of IoT environments. As a business considers or begins an IoT deployment, it must consider how it will handle the security side. A managed services provider specializing in IoT can help with this before you're so far into the planning stage that missed considerations will cost additional time and money, or worse, before unconsidered vulnerabilities are exposed by an attacker.
In the final post in this series, we’ll tackle the project and product management team’s perspective when it comes to IoT security. Subscribe to our blog to be notified when it goes live.
If you already have an IoT line of business or IoT is on your radar, schedule an appointment with me for a free one hour strategy session.