CSO Roadshow 2018: IoT risk management will take new thinking

An interview with Ashley Wearne, General Manager ANZ, Sophos

The Internet of Things, or IoT, represents a new battlefront for security – bringing with it an increased threat surface available to attackers. At the same time, hundreds of equipment makers – with limited experience in securing connected devices – are connecting everything, from lightbulbs to sophisticated medical equipment, to a network. This presents a new wave of challenges for the security industry.

Ashley Wearne, General Manager for Australia and New Zealand at Sophos, presented at the 2018 CSO Roadshow, where we discussed the challenges this new frontier is bringing to the security industry.

"I don't think we're even on the hype cycle yet. People don't even know what the definition of IoT is yet – with many thinking of anything with a processor as an IoT device. I don't think they have an idea about how many devices they're talking about. I don't think they understand how pervasive the IoT already is, not to mention where we're going in terms of how we work and how we live."

The scale and velocity of the challenge facing business means the security models we employed in the past are no longer applicable. Wearne said the discussions he's having with people are changing. He believes there's a greater awareness, because devices such as Amazon Alexa and Google Home can listen in to conversations and then communicate with other devices. However, there is an important nuance here. Much of the discussion regarding IoT devices focuses on how connected devices communicate over the internet. These discussions ignore the fact that IoT devices will also be communicating with each other within your network.

That means the old 'hub and spoke' infrastructure of devices communicating with each other via a central point is no longer valid. We are now creating a mesh with everything connected to everything.

"It's almost impossible to use the same mindset to protect everything as we're doing it today," said Wearne.

The good news is that companies are getting smarter about deploying IoT devices and manufacturers are getting better at making devices that can be secured.

On the manufacturing side, developers are now thinking about ensuring there's enough kernel space to support updates and patching, as well as mechanisms for updating devices as new threats and vulnerabilities are discovered.

"There's a lot more awareness of what the possibility is now," said Wearne. "There's a lot more visibility. People are asking questions about updating devices and are wanting proof that they can be successfully protected."

Amongst the many challenges we face that stem from the number of devices and their rapid deployment, we also have to consider the variety, said Wearne. He believes we haven't yet scratched the surface of what types of devices will be created that can connect either to the Internet or to other devices, and what risks they will introduce.

While incidents such as the emergence of the Mirai botnet point to the sorts of things that compromised IoT devices can be used for, Wearne says the industry has yet to face a significant incident that will drive a step change in the approach to IoT security.

"In terms of the pace of change, people are getting more responsible. It'll be the day a car gets taken over and crashes over a bridge when things really change."

Some of the risks Wearne sees are things that will come from unintended consequences. For example, while security cameras at points of sale are used for preventing shoplifting, a hacked camera could be used to capture someone entering a PIN code at an EFTPOS terminal.

Part of the answer, he said, is to take a risk-based approach.

"The first thing is to assume all IoT devices are unsecured. The way to treat them is to put them on a part of your network that is for untrusted devices. There is no objective way to prove that these devices are secure and will remain secure in the future. Then you can treat them as a network security problem."

Wearne also suggests buying IoT devices that connect to their own cloud service, that you verify as trusted, so there's another level of protection where the manufacturers take responsibility for security. 

When it comes to managing the security budget for IoT, Wearne suggests spending resources on defining the principles for introducing devices into the network and outlining to what extent you want to, or can, control these devices. For example, while you may have strong control over your own systems, what about the connected devices in your staff's homes or at your customers' and suppliers' offices?

All those things need to be considered in order to have a comprehensive view of the risks and opportunities offered by the IoT. 
