What’s in Store for IoT Security in 2017
In 2016, we saw some of the first big IoT-fueled cyberattacks, including one in October that knocked a big chunk of the internet offline. As we head into a new year, security will become a sharper focus for the young Internet of Things industry but a small talent pool of security professionals will make it challenging to keep up with hackers.
1. Embedded Security Will Finally Get Serious
While the topic of embedded security pops up fairly often, it is easier to pay lip service to the concept than to actually build security into hardware. That is changing, says Robert Vamosi, security strategist with Synopsys. “Devices, once thought to be too small to include their own security, will undergo a more thorough analysis beginning with firmware testing,” he says. “The software inside the chip is just as important as the application controlling it. Both need to be tested for security and quality. Some of the early IoT botnets have leveraged vulnerabilities and features within the device itself.”
2. Inspecting the Cyber Supply Chain Becomes a Priority
Third-party software is rampant but is often not sufficiently tested. “Some of the early IoT botnets have leveraged vulnerabilities and features within third-party chipsets found inside the devices themselves,” says Robert Vamosi of Synopsys. “Understanding the bill of materials for the software components found in each chipset added will become important as IoT vendors rush to protect themselves from expensive recalls.”
3. IoT-Fueled DDoS Attacks Will Remain a Problem
There is little that can be done for now to avert DDoS attacks like the Mirai botnet that brought down much of the internet in October. One factor that could help is if industry and regulators require ISPs to start playing a more active role managing network traffic. There would, however, be “a different set of costs to Internet users in security and privacy concerns” if this were to happen, says Todd Inskeep, advisory board member for RSA Conference. “Longer term, we could think about security requirements for all Internet enabled-devices, but that comes with its own set of issues: which requirements, who verifies compliance. This could lead to conflicting security concerns in different regions and geographies,” Inskeep says. “The internet was designed to be open and resilient, assuming that all the actors were self-interested to be at least benign if not helpful. Instead, we continue to find individuals, organizations, and apparently nation-states with malicious intent.”
In the meantime, there are things that companies and individuals can do reduce the power of botnets. According to Trevor Hawthorn, CTO of Wombat Security, there are three most steps people can take to avert botnet problems. First, don’t allow IoT devices to be exposed to the open internet. “This is probably the most important consideration,” he says. Second, ensure IoT devices are kept up to date. Third, change all default passwords on all devices.
4. Companies with IoT Projects Will Try to Think Like Hackers
In 1993, Saturday Night Live aired a skit that poked fun of the auto industry’s strategies of protecting vehicles using solely alarms and steering wheel locks like the Club.
“In the nineties, you don’t need a car to tell the world you are wealthy. But you do need a car to tell the world you are smart.” The answer is a car, the Chameleon XLE, that looks like a piece of junk from the outside but offers luxury within and a strong engine under the hood. “A car thief takes one look at this, and keeps right on walking,” explained the mock ad.
Although a joke, the SNL skit highlights the need for thinking like a criminal. Both cybercriminals and car thieves are drawn to valuable targets that can be easily broken into. Organizations with IoT devices should focus not just making their products more secure, but also on understanding why attackers are drawn to their products in the first place and how they can make them less attractive targets.
In the technology field, many have struggled with security, even though the same basic threats have remained similar for decades. “IoT threats are fundamentally the same threats we’ve been trying to manage for the last 20 years: malicious actors (individuals, organizations, and nation-states) trying to gain advantage by disrupting the confidentiality, integrity, and availability of data and services,” says Todd Inskeep, Advisory Board Member for RSA Conference.
IoT devices, however, open up new territory when it comes to information and services. “These new devices process different kinds of information, and are more likely than previous devices to have real-world impacts,” Inskeep says. “An IoT device in a manufacturing line could be disrupted to mix chemicals in the wrong proportions. An IoT device at home might be hackable to unlock a door, or share videos from inside a company with people outside the company. While these threats are the same, the risks may be very different.”
5. Finding IoT Security Talent Will Stay Tough
The need for security professionals throughout the entire tech industry outstrips supply. The IoT industry is no different, says Todd Inskeep, advisory board member for RSA Conference. “It’s a challenge for all industries to find security talent,” agrees Trevor Hawthorn, CTO of Wombat Security. “Well-funded and well-known vendors will have an easier time. The problem is that the flood of small, cheap products are made by offshore manufacturers that have a poor security track record. As we have seen, offshore IoT device manufacturers are not that interested in security to begin with, so they would likely have a hard time finding talent if they were looking.”
In the meantime, the product security industry will be well-served to draw on existing security models. “We’ve seen the rise of a new category of security professional – chief product security officer, and their support staff, the product security officer and product security engineer, but the people in these roles often say they thought they were the only one,” Inskeep says. There’s a variety of requirements documentation relevant to these professionals including NIST’s FIPS-140 for hardware and the globally recognized Common Criteria model for software and systems. Another example is the more software-focused Building Security In Maturity Model.
6. Situational Awareness Becomes a Bigger Security Objective
With the forecasts of billions of IoT devices blanketing the planet, it becomes critical to keep track of which devices are deployed where. But it is easy to lose track. “With IoT devices deployed within IPv4 networks, organizations should be able to scan or ‘see’ what IoT devices are deployed on their networks,” says Trevor Hawthorn of Wombat Security. “With IPv6, it is possible to have so many IPv6 addresses that it is near impossible to scan your perimeter. Organizations will need to focus on other methods to keep a handle on what they have and what is exposed.”