Why IoT Security Is Scary and What to Do About It
The FBI has issued several alarming cybersecurity warnings recently. In late April, it noted that there had been a significant spike in ransomware attacks against hospitals, schools, and police departments, as well as individuals. In March, it announced that the U.S. government had charged seven Iranian hackers with exploiting nearly 50 financial institutions and compromising the controls of a New York dam. Before that, it released separate warnings indicating that cars, farm equipment, and medical devices were all vulnerable to cyber attacks.
Such warnings underscore the unique security problems posed by the Internet of Things, which encompasses billions of objects, everything from connected cars to energy grids.
Security has been one of the top concerns in the IoT space since the British entrepreneur Kevin Ashton coined the term “Internet of Things” in 1999. According to a multi-industrial survey organized by Penton, security and data privacy were the two biggest concerns in the IoT space.
There are wholly new business models involved in the IoT and they are quickly evolving. “As these business models change, they require more interoperability and sharing of data and exchanging of command of control across ecosystems and partners,” said John Sirianni, VP of IoT strategic partnerships at Webroot, in an interview at IoT World on May 11. “The number of interfaces—between devices, databases, and networks—is growing exponentially. Those interfaces are opportunities for loss of command and control.”
Webroot debuted an IoT Gateway application dubbed BrightCloud Threat Intelligence for IoT Gateways at IoT World.
The sheer variability of the IoT field is another enormous challenge. “Every company or enterprise has a different view of what they would like to accomplish,” Sirianni said.
Webroot officials have identified integrated transportation as being one of the IoT areas with the biggest potential risk. This includes entities ranging from airports to smart seaports. “Both of those tend to have very distributed networks of remote devices with many different protocols, vendors, and interfaces,” Sirianni says. “It is complex. And your security is only as good as your weakest link.”
Webroot officials see DDoS as one of the major security concerns for critical infrastructure projects. In 2015, the company also observed an uptick in ransomware attacks targeting medical and energy-production facilities.
Smart cities also pose unique risks. “As you get into smart cities and look at the operational technology such as traffic control, parking meters, and energy management, sewage, water, and all that kind of stuff, you have a lot of complex devices that are often deployed for decades,” Sirianni explains. “Where cyber-criminals decide to exploit those systems could be any number of areas: it could be from a PC, tablets that workers use to maintain or upgrade these devices. The threats can really come in anywhere.”
Tackling the Problem
1. Have Real-Time Threat Protection and Intelligence. Because of the unique concerns posed by the Internet of Things, Webroot says that it is crucial to have real-time threat protection and intelligence, and to adapt quickly once threats are identified. “If you can provide an up-to-date understanding of where those threats are coming from, you can stop an exploit whether it be the deed of data exfiltration, network intrusion, or loss of command and control. If you can detect it early enough, you can stop the ransomware in its tracks,” Sirianni says. “But there is no way to design in security 100% because the cybercriminals are innovating very quickly.”
IoT developers should be diligent to ensure that security is factored into every link in the IoT chain. For instance, while software breaches get a lot of press, companies developing IoT platforms sometimes dismiss the threat posed by hardware vulnerabilities.
2. Don’t Neglect the Endpoints. “Endpoint software agents can leverage cloud-based real-time data like threat intelligence to prevent, detect, and block new cyber threats targeting IoT devices and systems, and can be designed into the devices and turned on anytime once deployed in operation,” Sirianni says.
“It’s important to pay attention to gateways within the network, as they can be used just like next-generation security appliances to inspect and filter all incoming and outgoing traffic between devices and their control systems in the local IoT platform or over the internet. By doing this, organizations will be able to detect malware before it reaches the network or any endpoint devices.”
3. Engage with Machine Learning and Automation. Automation and machine learning will be a crucial component in IoT cybersecurity, Webroot officials predict. “Leveraging machine learning technology allows organizations to draw correlations among the massive volume of data they collect, all in a streamlined manner,” Sirianni says. “With the amount of emerging vulnerabilities, automation and machine learning are vital to combatting cybercrime effectively. Autonomous remediation of compromised systems is critical for continuity of service and to keep operational costs to a minimum.”
4. Pay Attention to the Cloud. With the influx of connected devices emerging, more information is moving from traditional on-premises systems into the cloud, Sirianni says. “This is a top challenge for OEMs and IT providers as they try to navigate IoT security, as many conventional security technologies only support on-premises systems.”
“At the same time, hackers have their eye on the cloud. The cloud’s rise in popularity has quickly become a key target for cybercriminals, and weaknesses are found and exploited on a regular basis,” Sirianni adds. “The vulnerabilities of cloud-based infrastructure can wreak havoc on IT providers and system integrators. OEMs and system manufacturers should implement a cloud-based security solution that offers a secure online backup solution. This way, it ensures organizations don’t lose data when an endpoint is compromised. The solution should also provide online access to files from any IoT device.”
5. Be Careful with Vendor Selection. Sirianni recommends that companies developing IoT platforms be extremely careful when working with vendors involved with their infrastructure. “You should have a good conversation about cybersecurity risks and do your diligence during vendor selection,” he says. Vendor choice is especially important because of the quickly growing number of IoT-related startups with little experience dealing with information security.
6. Ensure Only Authorized Users Have Access. The U.S. government has a long history of developing computer software that precisely restricts data access according to the rank of the user. Digital access control systems should be carefully planned to ensure that authorized users have access to sensitive information and to study how that data access is being used. That doesn't mean that such systems are foolproof, however. Edward Snowden's downloading of numerous NSA documents has prompted that agency to rethink how it stores sensitive information.
On a related point, passwords continue to be a standard method of authenticating users, yet weak passwords have long been one of the chief reasons behind data breaches. Authenticating users based on multiple factors is substantially more effective from a security standpoint.
7. Carefully Explore How Users Will Deploy Your IoT Application and Cybercriminals Might Exploit It. The Cloud Security Alliance recommends performing use case analysis for IoT platforms accompanied by an architectural diagram that covers how the system interfaces with other computers, the flow of data, and security resources. Following that, the association recommends a thorough exploration of how cybercriminals might target the IoT system.
8. Study the Latest Security Advice from Government and Other Relevant Associations. Companies developing IoT technologies would be well served by studying government recommendations on security. The FTC and FDA, for instance, have each released specific security recommendations covering a range of consumer devices and medical technology.
Outside of the U.S. government, the GSMA has recommendations that are specific to the Internet of Things. “The GSMA has very good recommendations on security and security architecture,” Sirianni says. The association released its latest guidance in February 2016. “If most device system designers would adhere to those basic principles, they will create a system that is more robust than the guy next door. And the cybercriminals will go to the system next door,” Sirianni quips.