Juniper IoT security chief: Device threats could be devastating

Cybersecurity feels like a hydra that keeps spouting new heads – Mirai, WannaCry and Petya have made headlines internationally, posing a threat that no brand seems safe from.

As the scope, frequency and severity of these breaches increases year on year, it’s easy to forget that many of them stem from common issues that have existed for years.

“None of these attacks are new,” Juniper Networks security technology chief Kevin Walker said in an interview with The IoT Institute about the Juniper IoT security strategy. “However, the harm that can occur from 6 billion IoT devices today and 20 billion within three years could be devastating to any infrastructure.

“We should also be acutely aware that there is another aspect of IoT devices in that many are sensors unto themselves; microphones within televisions, heartrate monitors on the wrist, voice control that could be captured and may in fact be of far more interest to attackers than using IoT again as a massive botnet, as we’ve already witnessed,” Walker said.

Juniper is a security vendor that concentrates on what it calls “co-innovation” – partnering with clients as they build their security frameworks. As security CTO and strategy officer, Walker has a hand in all of Juniper’s products and services and ensures that they address the industry’s most pressing needs.

He’s as familiar as anyone with the cybersecurity woes of tech-based companies. According to a recent survey by Ponemon Institute, more than three-quarters security professionals across a variety of industries anticipate their organizations will undergo an IoT-enabled data breach within the next two years with devastating consequences, and not necessarily because they lack the technology to prevent one.

“Many long-established network security practices do indeed work in the era of IoT – if we employ them. For example, network segregation and rate limiting,” Walker said. “IoT is not much different, although some of the indicators that we rely on for detecting attacks may be unique to IoT. In particular, we are increasing our threat detection capabilities on the network itself and will continue to apply appropriate machine learning as close to the attack point as possible to better detect and suppress threats without human intervention.”

This balance of introducing the right new technologies without throwing out tried-and-tested best practices will be addressed at IoT Security Summit in New York next week, where Walker will give the first keynote.

[New York is a hotbed for IoT security and blockchain activity. See why.]

“Because of the explosion of IoT devices, the legacy security approach is no longer adequate,” Walker said, when asked what he’ll cover during his talk. “The security industry needs to adopt or develop a design framework with guidance for IoT manufacturers, as well as have industry testing for conformance to the framework. We also need to leverage better detection and suppression technologies such as SDSN (software-defined secure network) and edge containment.”

The complexity of industrial IoT security, due to the challenges and requirements unique to each particular industry, is expected to be another hot topic for discussion at the conference. Walker will likely be addressing representatives from a variety of industries, but doesn’t see advising them all on security simultaneously as problematic.

“The key is to focus on the commonality across industries,” he said, “which is quite often a high percentage of the problem. Areas such as risk management and cyber-defense are examples of issues that span multiple industries.

“Obviously, there will be organizations that have particular legislative or regulatory requirements that others may not need to address, but that’s also an opportunity to learn from one another. Solutions that the energy industry developed, for example, may have applications [across industries].”

If there are enough commonalities across industrial IoT security for all practitioners to benefit from what Walker has to say, then there are plenty of issues that IIoT users can address in parallel and share notes on. Asides from strengthening network security, this will also put them in a stronger position when tackling the nuances posed by their particular industries.

And Walker believes they’ll do so, though not necessarily by choice.

“The explosion of devices and wearables with compute capability forces practitioners to rethink cybersecurity,” he concluded. “There is an opportunity for our practice of cybersecurity to leap into the next generation; if not by desire then by necessity.”

[See Kevin Walker speak at IoT Security Summit, exploring how industrywide security, privacy and trust can be established to unlock the full potential of IoT.]