What changes will the Internet of Things (IoT) bring to enterprise security? As billions of devices chat away, administrators will be tasked with ensuring that communication flows are authentic and authorized. New security challenges are likely to follow the exponential increase in connected devices. Knowing the lay of the land now will help administrators develop an IoT security posture that fits their organization’s needs.
Standardized security for IoT? Not so much.
The variety of devices comprising the Internet of Things world is staggering, and standardization of security protocols across that universe lacking. In fact, it’s almost non-existent. Even within a particular segment—lighting sensors or conveyor belts, for example—there’s little agreement on the use of a single flavor of security. “There are so many protocols because everything has been fragmented up to this point in time,” said James Blaisdell, CTO at Mocana.
As a result, each manufacturer has historically taken its own approach to securing devices. And unlike the texting, word processing and video-call-making multifunctional smartphones that administrators are used to managing, many Internet of Things devices continue to be designed and deployed for rather specific duties. “The protocols used by these things reflect the purpose the device was built for,” Blaisdell said. Wider issues, such as broad network security policies, haven’t often been the primary focus.
While significant chunks of effort have gone into the development and standardization of security protocols in the IT space, Francis Cianfrocca, founder and CEO of Bayshore Networks, said that hasn’t been a primary issue in the operational technology (OT) sector. “What they’re much more concerned about is safety and availability when it comes down to industrial networking-type equipment.”
Networks used in OT are often considered to be isolated (though this turns out to not be the case time and time again), leaving classic IT-centered security efforts far down the list of priorities. So far down the list, in fact, that Cianfrocca said, “I don’t think there is any great amount of agreement or standardization on security protocols for OT.” It isn’t a complete free-for-all, but as IT and OT continue moving toward convergence in the form of IoT, the lack of commonality across the platforms will quickly become an issue.
But standardizing IoT security may bring with it an unexpected downside: lack of choice. Between point-to-point networks where every device has a voice, and the hub-and-spoke models that minimize the number of connections in favor of a central provisioning point, there are plenty of benefits and downsides to go around. And that may be a good thing, at least for now. “It’s very hard to try to pick the winner in the beginning,” said David Miller, chief security officer at Detroit-based Covisint.
To figure out which of the connection types and which of the security protocols work in the real world, he said, “You almost need it to be a little Wild Wild West.” That may be even more pragmatic considering how many companies are involved in the security hierarchy. “The manufacturers of the connections may not be the manufacturers of the things,” Miller explained. “In those connected devices, a lot of times you’re going to get some sort of embedded communication technology that may be provided by two or three different vendors.”
Though Glenn Seidman, PhD, chief architect at Arrayent, describes IoT as “a complete mutt collection of all these different security protocols,” he said we aren’t really starting at square one. A small sampling of security protocols in use today could provide a template for advancement and wider commonality across the industry. “There are a number of IoT protocols, like Z-Wave—they’ve decided on using a particular security protocol which uses AES-128—and Zigbee, who uses another security protocol that’s different, but they also use AES-128 encryption as well,” Seidman said. “In many cases, each of the ones that have been selected are considered standards, but they’re not all the same.”
As the network topology continues to mature, Seidman anticipates several segments of communication becoming better defined in their preferred use of security protocols, such as segments between devices and the cloud gateways that oversee device traffic. “Depending on which medium the communication is over, it will use a particular standard,” Seidman explained.
Today’s Internet of Things security concerns
Device manufacturers are worried because no one wants their equipment to be involved in a network intrusion. But Blaisdell said many administrators have even bigger problems. “Devices are coming to their networks that will be connecting up one way or another, and those are potential entry points,” he explained. Enterprises have long had concerns about rogue wireless access points, and they don’t want to see the incoming horde of connected IoT devices become similarly unsafe endpoints. “There will be lots and lots of devices coming on that we don’t even know about yet, and those potentially have an entry into the enterprise,” Blaisdell said.
The sheer scale of the Internet of Things justifiably causes angst in the hearts of network administrators, but it dovetails with another issue that complicates security efforts even further. That’s the number of device types. There are different uses, different vendors, different generations and different capabilities, and these all make security more difficult. “The way I like looking at it is, today we have spyware and malware. Tomorrow we could have spythings and malthings,” said Miller.
Knowing where vulnerabilities exist across a handful of smartphone OS varieties pales in comparison to keeping pace with the status of thousands of different sensors, cameras, meters, controllers and other machines. “Now there’s going to be not just tens of thousands of things, it’s lots of protocols and lots of connection methodologies,” Miller said. “That becomes a nightmare because you have to support all of them and you have to read all of the security bulletins and you have to keep updated on every vulnerability that occurs in every different type of item.” The kicker is that many of these devices will never receive a single update from the manufacturer as time goes on, so patches aren’t an option to help address emerging threats.
What administrators can do to improve IoT security
Conventional approaches to network security will likely need to be rethought before an enterprise deploys IoT to any significant degree. “Recognize first and foremost that you are not going to solve this problem with a firewall product from an IT-oriented vendor who says to you, ‘Hey, we’ve got a brand-new product line, ruggedized industrial, capable of solving this problem,’” Cianfrocca said. The IDS, IPS and firewall products that have served administrators so well in the past should be “left in the enterprise space where they belong, and where they are good at their job,” Cianfrocca added. Instead, become familiar with gateway solutions that incorporate protocol filters, policy capabilities and other functionalities directed at the security challenges specific to IoT.
Because many firewalls may not control Internet of Things traffic as effectively as other types of network flows, a different approach needs to be considered. “At the end of the day, a security administrator needs to be very seasoned and make sure that these are on completely separate networks,” Seidman said of IoT and IT devices. “It might even make sense to get a little crazy and have them on completely separate physical networks.” Then the compromise of one network will not facilitate access to the other. It may be a somewhat extreme data protection measure, but if highly sensitive information is hanging around, the organization should conduct a risk assessment to see what level of network separation is appropriate.
Staying up to date with evolving vulnerability assessments and advancements in security solutions will also be crucial. Miller encouraged network administrators to attend conferences to help them understand “exactly what the standards are going to be, so when the discussion occurs about how they’re going to introduce a large number of things into their network, they’re already prepared.” Industry events are a good way to stay informed about which vendors have defined security standards and what those standards are, as well as which standards are secure and which aren’t.
With an understanding of the IoT security landscape, administrators are better equipped to be part of the decision-making process when it comes to deploying connected devices. “Otherwise, there will be a business reason why the enterprise wants all these things connected, and that business reason will win and the security administrators will just have to adapt to whatever is required of them,” Miller said.
Administrators may also want to consider beefing up their team’s monitoring chops. It’s a strategy Blaisdell said will be useful in managing security in Internet of Things environments. “For those systems that are going to be protected, it’s really understanding and monitoring the traffic and being able to detect intrusions,” he explained. Data exfiltration and other anomalies will need to be spotted quickly, and preventing problems in real time may be key to stemming suspicious activity.
“You can’t win this war, so the best thing to do is try to put systems in place that are going to protect the data you use,” Blaisdell said. “It’s really about controlling your data, when it comes down to it.” Information gathered and transmitted through the IoT-osphere could be extremely valuable (not to mention potentially damaging to the organization if lost), and a robust monitoring strategy may be one tool that helps keep it all in check.
Photo courtesy of Shutterstock.