Valuing Data Protection Over Device Security Can Be A ‘Life-Threatening’ Mistake

OIES Consulting’s Francisco Maroto interviews Subex’s Kiran Zachariah on the state of affairs in IoT security. Francisco will moderate a panel at IoT World, showcasing how manufacturers increase productivity and output through IoT applications.

Actively and passively, I never tire of repeating the importance of one of the greatest concerns in Internet of Things (IoT): security.

There have already been many data breaches where smart devices have been the target. But unfortunately, in the IoT ecosystem, first-to-market is a huge competitive driver, so this mean that security is many times sacrificed for speed-to-release. Businesses and consumers need to make claims for security to IoT vendors and regulators.

I spoke to Kiran Zachariah, director projects – CEO’s office, Subex Ltd, about the past, present and future of IoT in security.

Francisco: As you know, the meaning IoT security is not well defined. What is IoT security for Subex and why did your company develop an IoT security solution?

Kiran: “An IoT deployment involves multiple systems that include devices, the connectivity, IoT platforms, gateways, field gateways, load balancers, web services, certificate servers, databases, etcetera.

“A true IoT security solution should be able to secure all of this infrastructure seamlessly and should be in a position to correlate events from all of these sources to detect and mitigate threats. The IoT security system should be capable of identifying specific IoT protocols such as MQTT, AMQP, CoAP, STOMP, Zigbee, Zwave and any other custom protocols, and understand the nature of the topology and communication patterns used in the specific deployment.”

“The attack surface that IoT presents is multiple times larger than the traditional IT scale that incumbent security providers aren’t capable of securing. Subex’s ability to process big data to secure a large number of devices and our pedigree in providing telco scale and telco grade solutions makes IoT a natural vertical that we can cater to.”

“An IoT breach is not just a data breach, but also a control breach… Such hacks are potentially life threatening” – Kiran Zachariah, Subex

Francisco: In the latest Vodafone Barometer Report 2016, we read that “Enterprises are more concerned about data protection than about device or network security”. Are you surprised about this conclusion? Do you believe the results will be different if the information of all IoT breaches and attacks were available?

Kiran: “This is surprising and not so surprising at the same time. It is not surprising because this result is an indicator of what most enterprises perceive as the threat of an IoT – they tend to equate IoT breaches with IT breaches because that’s the traditional view towards security. Unlike traditional breaches, an IoT breach is not just a data breach, but also a control breach.

“The spate of high-profile IoT breaches such as the Jeep Hack, Lizard Stresser, medical pumps etcetera, were less about data and more about taking control of the device. Such hacks are potentially life threatening. Devices inherently contain very little data and there could be some PI information that should be protected, but the larger threat from IoT breach is the loss of control of the device and the havoc such a breach could have on the device’s environment and the people using the device.”

Francisco: IoT industry solutions, by default, are complex. They are made up of many parts, from the devices installed in connected assets, through network connections to back-end systems that are hosted in data centers. What assets is Subex’s IoT security solution protecting? And what are the benefits to the customers that deploy Subex’s IoT security solution?

Kiran: “Subex focuses on securing the three areas of any organization: the customer, brand and device.

“We have seen numerous instances where there has been loss of personal data which is sensitive in nature, loss of control over a connected device and loss of privacy, which are some of the major concerns that a customer is often worried about.

“When a device is compromised (often these are rendered inoperable) there is loss of intellectual property, and also when a device is compromised, it needs to be patched. OTA may not be possible and fixing costs may run very high.

“Every time a security threat occurs in any organization, it makes it to the media, thus causing reputation damage and loss of business. Companies like Target and Asus are classic examples of such an event. The compliance costs associated with such events are very high as well.

“Since the inception of Subex Secure, securing these three areas have been the foundation of our product.

“IoT ecosystems tend to be extremely complex. A typical deployment includes multiple systems such as platforms, databases, mobile apps, load balancers, web interfaces, certificate servers, etc. All of these systems expose interfaces that can present vulnerabilities to the IoT deployment. A true IoT security solution should be able to secure all these components and should be able to understand traffic from ‘OSI layer 3’ to ‘OSI layer 7’.

“A possible solution is to incorporate multiple systems that detects vulnerabilities across OSI layers 3-7 such as intrusion detection system (IDS), a web application firewall (WAF) and a security incident and event management system (SIEM) with a built in log analyser. However, interfacing these systems and correlating events between them could be extremely challenging. Subex Secure monitors threats from layer 3 of the OSI stack, all the way up to the application layer (layer 7).”

Francisco: In the absence of standards in IoT, there are many battles, with protocols, platforms, networks, and so on. Do you see a potential winner in the IoT networks battle?

Kiran: “Our opinion is that the IoT market is big with enough variations and use cases for every one of the providers to survive and thrive. The market is also relatively new, and it is too early to pick a winner among all the providers. Considering the nascent nature of the technology – the best providers will move forward through partnerships and affiliations.”

Francisco: What do you think is the biggest threat to IoT around the world?

Kiran: “Over the last couple of years, the media crescendo around hacking and privacy has reached a very high pitch. Starting from the Target Hack to the 60-minute documentary featuring the hacking of a congressman’s cellphone. Hacking has entered mainstream media with the Mr Robot TV series.

“The backlash to the NSA decryption program Bullrun is well documented. The average customer is becoming aware and concerned about diluted nature of security being implemented in everyday products. The media focus on IoT security is increasing, and coupled with growing consumer concerns could potentially curtail IoT adoption.

“Surveys have shown that security remains the biggest barrier to IoT adoption. Unless the industry takes appropriate steps to counter these fears, there is a likelihood that the promise that IoT provides will not find takers simply because security is not addressed and consumers do not feel comfortable enough.”

Francisco: What trends do you predict for the future of IoT security?

Kiran: “The IoT security market size is estimated to be worth around $37bn dollars by 2021 growing at a CAGR of 36%.

“Security is a ground-up problem and we expect device manufacturers to factor security in from the device design stage of the product lifecycle. As standards get defined around IoT, security will become ubiquitous with features such as remote attestation being built into the device and their solutions. The next couple of years are going to be truly exciting and we look forward to the innovation that we, our partners and customers will jointly bring to the market.”

Francisco: What are the challengers in gaining customer trust in IoT?

Kiran: “Gaining a customer’s trust starts with a compelling use case that the IoT solution provides, which should provide greater benefits to the customer than the value of information that he/she provides. The customer should be assured that the information collected is stored securely and all possible mechanisms are in place to prevent malicious misuse of their information.

“Adherence to strict compliance standards and publishing of those adherences help. Also making user agreements less complex and clear about what information is collected, how is it transported and stored, what is done to protect this information and what is done with the information – basically a lot more transparency is needed.

“It is also important to have clear incident response plans when an event occurs, how a company responds to an incident and the extent they go to safeguard the customer, the service and brand could also be a testament to their intentions.”

Francisco: Do you have any additional comments or recommendations you’d like to make concerning IoT security?

Kiran: “IoT security is a very important piece in IoT ecosystem and any organization that is looking at investing in an IoT security solution must carefully evaluate all the capabilities of the solution.

“The threats related to IoT are ever-evolving and an IoT security solution must not only be effective against existing threats, but must also be capable of identifying and mitigating future threats. Also, the IoT Security solution must be one place where all the threats related to IoT can be viewed and actioned upon.”