IoT Security Is Not a Technological Challenge; It’s an Economic One
A genuine enthusiasm for enabling and advancing a connected world can only be a positive for anyone working in the IoT sector. That's certainly the case for Paul Jauregui, who oversees all aspects of marketing, branding and communications at Praetorian, a collective of highly technical engineers and developers that provides a suite of security assessment and advisory services.
His very obvious passion for the Internet of Things has led him to become acting business lead for Austin, Texas-based Praetorian's IoT security assessment and advisory services.
“Recently, I was featured in Fortune Magazine for my work on Praetorian's Internet of Things Map Project,” Jauregui tells IoT World News, “during which I guided a team of security engineers who were developing an autonomous, handheld, IoT-sniffing payload capable of discovering, fingerprinting and mapping local area IoT devices and networks.
“And of course, we had to strap it to a drone. On one of its first flights, our autonomous drone-carrying payload discovered 726 unique IoT devices over an 18-minute flight and fingerprinted the manufacturer names on 465 of those devices.”
Keeping the ever-growing IoT secure
By now, most of those aware of IoT are pretty familiar with the statistics regarding its expected reach — 25-billion smart devices by 2020 (Gartner), and a global market worth $14.4 trillion by 2022 (PwC). Those numbers alone are fairly intimidating, but what's truly scary is the prospect we may be unable to sufficiently secure this mass network of automated connectivity.
“Joining the Internet of Things adds many new layers of complexity to any product environment. New technologies, existing technologies working together in new ways, limited standards and competing protocols all add to the challenge of delivering a secure connected product to the market,” Jauregui says.
“The expected growth of global IoT deployments over the coming years and the promise of expansive interconnectivity compounds the issues around security even further. One thing that will be needed by 2020 is the notion of a shared responsibility model for IoT security — one that delineates boundaries across the entire IoT supply chain — from chip to code — and between IoT producers, providers and consumers.
“For example, in the context of a smart city environment, as everything gets connected, it will get harder to know what assets different groups would be responsible for protecting and reacting to. Where do you draw that line of responsibility? When a potential breach occurs at a parking meter at one end of a smart city and traverses its way across networks to impact other back-end systems, who's responsible?”
Penetration testing is one of many practices that helps companies ramp up their cybersecurity efforts, and one in which Praetorian specializes.
“Penetration testing activities help organizations identify security weaknesses in systems the same way a real-world attacker would — by hacking them,” says Jauregui. “This enables organizations to better understand and ultimately minimize the risk associated with IoT systems.
“Praetorian's IoT penetration testing services take a holistic approach to security testing by reviewing the entire product ecosystem, from chip to code, while prioritizing vulnerabilities so our clients can successfully balance risk with time-to-market pressures. It provides end-to-end security assurance that helps organizations better deliver and deploy secure connected products.
“That ultimately translates into business value in the form of one, reduced reputational risk and increased brand protection for consumer-facing IoT product companies, two, sales enablement for IoT solutions companies selling into enterprise, and three, mission-critical assurances for an industrial IoT deployment.”
IoT at its strongest and weakest
IoT already spans many industries and has the potential to impact pretty much ever industry in existence. I asked Jauregui where the IoT is currently strongest and where it's weakest in terms of cybersecurity.
“The greatest weaknesses and strengths affecting the business of IoT today does not have anything to do with a specific set of technologies, but rather perceptions,” he counters.
“In today's connected world, the perception of security risk alone, even if not realized, can still negatively impact the consumer confidence necessary for new technologies to meet their full market potential. Recent, high-profile data breaches covered in the media have heightened consumers' awareness of data security and privacy issues. As a result, consumer adoption may suffer until vendors can adequately address IoT security and privacy concerns.
“On the other hand, there is a healthy perception shared across industry that sees security as mission critical to the IoT's future growth and success. Whenever IoT is talked about at a conference or in the media, the word 'security' is never far behind. This industry perception helps prioritize security awareness and action, which is a major strength.
“With that said, there are always budgetary considerations that come into play and, at the end of the day, I very much recognize that security is not a technology challenge. It's an economic challenge. Over the next five to ten years, security resources will increase as viable IoT business models and value creation opportunities solidify across every industry. This will also drive changes in consumer confidence as IoT's perceived value begins to outweigh perceived risk.”
What's the solution?
Nevertheless, the monumental risks and lack of comprehensive security solutions in this area mean many companies are competing to provide the one technology that might solve IoT's cybersecurity issues for good. But have any of them managed to produce anything that comes close to achieving this goal?
“When I ask my security engineers this question, the response is usually something like, 'There isn’t a single solution that provides the most assistance.' They remind me that everything in IoT is about limiting attack vectors and risk,” Jauregui says.
“Things like XMPP and other pub/sub models encourage good security hygiene by forcing the device to make outbound connections instead of listening for network activity. In addition, lots of hardware problems can be solved by choosing chips with secure elements and well-defined SDKs. It's promising to see unified cloud solutions emerge, because there is a high likelihood that network requirements will be significantly vetted (in the case of IBM, Microsoft, and Amazon).”
And what are the potential ramifications if the industry can't find a way to make the ever-growing global IoT network secure.
“That entirely depends on the type of IoT solution we're talking about and its associated risk profile,” he concludes. “We work with clients who develop everything from connected medical devices to connected children's toys and beyond. I think we can all agree that the ramifications of security weaknesses found in an Internet-enabled pacemaker are much higher than the same weakness found in a connected toy.
“With that said, our team is starting to partner with major semiconductor manufacturers, IoT cloud providers, and the open source security community to draft guiding frameworks for new IoT security verification standards. These frameworks will take several factors into account, such as a device's risk profile, so that the appropriate level of end-to-end security assurances are delivered by IoT vendors and recognized by end consumers.”