October 8, 2020
By Rich Castagna
Key takeaways from this article are the following:
Securing IoT devices at the edge is critical to a comprehensive IoT security strategy; devices can create a back door of access to corporate networks.
Lack of IoT protocol standardization and a dearth of IoT device encryption has made devices additionally vulnerable.
Machine learning-enabled tools can help identify and categorize IoT device threats, but these tools aren’t turnkey.
The success of IoT technology may also be its Achilles’ heel.
As organizations begin to realize the benefits of extended networks’ real-time data gathering abilities, building out those capabilities has been the natural step: More data and analysis fuel more efficient and cost-effective operations.
But adding hundreds or thousands of connected devices to an IoT environment also expands its attack surface. These IoT devices often live unsecured on the edge of the network and thus, invite bad actors.
IoT continues to grow. In its Worldwide Internet of Things Spending Guide, IDC indicated that it “expects global IoT spending will return to double-digit growth rates in 2021 and achieve a compound annual growth rate of 11.3% over the 2020-2024 forecast period.”
Of course, extensive IoT infrastructures supporting thousands (or millions) of devices won’t be useful if operations are compromised, so securing the edge is paramount. In very general terms, this involves two complementary efforts:
Securing access to edge (and other) devices and related data
Ensuring the safe transport of data
The edge is poised to play a key role in IoT’s growth, as noted in a Schneider Electric e-book, Capturing the Business Value of the IoT Edge: “The edge of the IoT is a critical component of this information loop enabling local devices to capture data that can be analyzed quickly on the spot to support critical decision making.”
Many Edge Devices Are Inherently Vulnerable
A single unprotected edge device can provide an entry point for a malicious hacker but, in reality, thousands of edge devices have potentially porous defenses, compounding the problem.
IoT devices also frequently complicate device management. “As the proportion of unmanaged devices within enterprises grows and exceeds that of managed devices, so too does the organization’s attack surface,” noted a 2019 Forrester Consulting report commissioned by security vendor Armis.
“The number of devices connecting to the network today is massive,” said Chris Dobrec, VP of product marketing at Armis. More disturbing, however, is how few of them are effectively managed. Securing a laptop or smartphone could be a relatively simple proposition of running a security agent directly on the device. But most edge devices such as IoT-enabled sensors and actuators are simple, single-purpose devices with limited processing capabilities.
“The amount of spare processing power that they have to run security software is just nonexistent,” Dobrec said. “They inherently don’t have security built in and they don’t have enough processing power to run a traditional security agent.”
Lack of processing power is only one stumbling block for IoT security.
“For the most part, the IoT devices are unregulated,” said Anand Oswal, senior vice president and general manager of Palo Alto Networks’ firewall efforts. “They are shipped with unknown and or unpatched vulnerabilities, and often their useful life will exceed their supported life.”
Oswal addressed another startling issue: “98% or so of all IoT device traffic today is unencrypted.”
From a management perspective, these characteristics add up to a lack of insight into the devices and limited tools to bolster security. “I can’t see them, and I don’t understand what those devices are doing inside my network,” remarked Itzik Feiglevitch, Check Point Software Technologies’ product manager for IoT.
Despite these encumbrances, an organization’s security team must provide effective and transparent security. “Protect all that has to be connected to [the network to] avoid downtime without hampering data in real-time operations,” noted Dimitrios Pavlakis, an industrial analyst of digital security at ABI Research. Being overly aggressive with security controls can hamper operations, Pavlakis said.
IoT vulnerabilities are not taken lightly, given IoT’s penetration into virtually every industry vertical, including critical applications within healthcare facilities. “Anything that has to do with securing human lives should be one of the highest priorities,” Pavlakis added.
If these factors weren’t enough to deter a security professional, the lack of standardization makes a hard job even tougher. While there are some standard protocols for network communications such as Message Queuing Telemetry Transport (MQTT), their reach doesn’t extend far enough to provide much relief for security implementers.
“We’re starting to see more and more standards and also some local regulations,” said Check Point’s Feiglevitch, “but it’s still not there.” ABI’s Pavlakis concurred but noted that regulations vary “from market to market.”
“From a security angle perspective, we don’t really see that much adoption,” said Xu Zou, vice president of IoT security at Palo Alto Networks. “Even though you may use a standard protocol for communication, hackers can still find a way to break in.”
“It’s a bit chaotic,” said Armis’ Dobrec of the current state of IoT networking standards.
Organizational Issues May Exacerbate Edge Security Woes
There are ample technical reasons that make IoT security such a difficult undertaking, but there may be some less apparent factors contributing to the challenge.
Johna Till Johnson, CEO of Nemertes Research, sees issues related to a company’s organization and territorial responsibilities as key factors that have made IoT security an elusive endeavor.
“The biggest problem is focus and organizational structure,” said Johnson, a remark based on the findings of a survey Nemertes conducted that garnered responses about IoT implementations and management from more than 400 companies. “If security isn’t a line item on either the IoT budget or the cybersecurity budget, the teams don’t work together as consistently as they should.”
The Nemertes survey, which looked at a variety of industry sectors, revealed that when purchasing IoT security products, responsibilities may overlap or work at cross-purposes. While some 45% of respondents indicated that their IoT and IT groups procure security products jointly, a third try to “align procurement plans but maintain separate procurement processes.” Eighteen percent said that they “occasionally share procurement plans.”
This disconnect between the teams that manage the corporate network and those on the IoT side can create security gaps, particularly when responsibilities are poorly defined.
“Not only are the organizations themselves siloed,” Johnson said, “but operationally and from a procurement perspective, there’s additional operational silo-ization.”
That sentiment is echoed in the 2020 Unit 42 IoT Threat Report published by Palo Alto Networks: “Most organizations manage information technology (IT) and operational technology (OT) as separate teams with separate processes and tools.”
“Most organizations don’t have a cybersecurity person whose job it is to look at IoT or an IoT person whose job it is to think in terms of cybersecurity and the environment,” noted Johnson.
First Step: Identify and Profile Edge Devices
Before any type of security can be applied to the IoT edge, you have to figure out which devices are connected and what they are doing — or, more importantly, what they should be doing.
The more you know about a device, the better you can protect it, but you need to start out assuming all devices are vulnerable.
“At the end of day, it’s about hacking into devices themselves, manipulating them and damaging their operation,” said Check Point’s Feiglevitch. He added that the devices can end up being a “back door into the corporate network.”
As edge devices are identified, they need to be evaluated based on their risk level. These vulnerabilities should be determined for each device:
Impaired data movement that would slow down operations
Insertion of bogus data
Edge devices may do more than collect data. While data-collecting sensors are the most widely implemented devices, other types exist, such as actuators that trigger an action in response to data they receive. Compromising those types of devices may have more serious consequences than, say, a hacked smart speaker.
“We can listen to the network and understand and glean information about the devices and, more importantly, their behavior,” said Dobrec of Armis. That information may be compared to or added to a device knowledge base that Armis maintains that currently holds data related to more than 300 million devices. Other security vendors have compiled and maintained similar device databases.
Because most IoT devices are designed to handle specific tasks, their normal operating behavior is likely consistent and predictable. The device’s behavior can be captured to create a baseline that can be used to differentiate between normal and uncharacteristic behaviors. “If it deviates from the normal curve, you might see that something is happening,” noted ABI’s Pavlakis.
“Not only are we identifying the devices, but we also are classifying them,” said Feiglevitch of Check Point’s security system. “I can tell you what traffic goes into that device, and what traffic goes out of the device.”
Because of deep insight into end-device behavior, these tools can do what would likely be impossible to undertake manually. But it might not be all plug-and-play. “All the tools that do this,” noted Nemertes’ Johnson, “tend to require a certain amount of tuning, tweaking and sort of operational training so they can figure out what normal behavior is.”
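As an added illustration of the baselining and classification described in the three paragraphs above (example code written for this edit, not any vendor's product), the following Python learns a per-device profile from a window of constructed flow records, then flags flows that talk to an unseen peer or move far more data than the device ever has. The `tolerance` parameter stands in for the tuning Johnson mentions; the device names, addresses and byte counts are all made up.

```python
"""Behavioural baseline for single-purpose IoT edge devices (added example).

Flow records below are constructed for illustration; a real deployment would
feed NetFlow/IPFIX or SPAN-port data into build_profiles() instead.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# (device, destination IP, destination port, protocol, bytes) -- constructed sample flows.
TRAINING_FLOWS = [
    ("temp-sensor-01", "10.0.5.10", 8883, "tcp", 420),    # MQTT over TLS to broker
    ("temp-sensor-01", "10.0.5.10", 8883, "tcp", 410),
    ("temp-sensor-01", "10.0.5.10", 8883, "tcp", 435),
    ("temp-sensor-01", "10.0.5.53", 53, "udp", 90),       # DNS lookup
    ("valve-actuator-07", "10.0.5.20", 502, "tcp", 260),  # Modbus/TCP polling by a PLC
    ("valve-actuator-07", "10.0.5.20", 502, "tcp", 270),
]

@dataclass
class Profile:
    peers: set = field(default_factory=set)  # (dst, port, proto) tuples seen while learning
    max_bytes: int = 0                        # largest single flow seen while learning

def build_profiles(flows):
    """Learn a per-device baseline from a window of flows assumed to be benign."""
    profiles = defaultdict(Profile)
    for device, dst, port, proto, nbytes in flows:
        p = profiles[device]
        p.peers.add((dst, port, proto))
        p.max_bytes = max(p.max_bytes, nbytes)
    return dict(profiles)

def score_flow(profiles, flow, tolerance=1.5):
    """Return the reasons a flow deviates from its device's baseline (empty list = normal).

    `tolerance` is the tuning knob: how far above the learned maximum a flow may
    go before it is reported as a volume spike. Raise it to cut false positives.
    """
    device, dst, port, proto, nbytes = flow
    p = profiles.get(device)
    if p is None:
        return ["unprofiled_device"]   # never seen in the learning window: classify first
    reasons = []
    if (dst, port, proto) not in p.peers:
        reasons.append("unknown_peer")   # e.g. a sensor suddenly opening a new service
    if nbytes > p.max_bytes * tolerance:
        reasons.append("volume_spike")   # e.g. bulk exfiltration or a flooded actuator
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(TRAINING_FLOWS)
    for f in [("temp-sensor-01", "10.0.5.10", 8883, "tcp", 415),
              ("temp-sensor-01", "203.0.113.9", 23, "tcp", 300),
              ("valve-actuator-07", "10.0.5.20", 502, "tcp", 9000)]:
        print(f, score_flow(profiles, f) or "normal")
```

The same profile also answers Feiglevitch's "what traffic goes into and out of the device" question, since the learned peer set is exactly that inventory for each device.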
The security vendors often use machine learning techniques to perform their identification processes. But don’t expect any great leaps in edge device technologies that might make securing them a little easier. And some of the devices have been in place for decades, often beyond their expected or supported lifetimes and are typically not updated frequently or at all.
“Many of these sensors have a long lifetime, but very rarely do you hear people say, ‘OK, I’m going to update my temperature sensor software now’ — it’s not happening,” said Palo Alto Networks’ Oswal.
Edge Security Should Work With Existing Security Processes
In addition to supporting network visibility, an edge security solution also has to be agentless, given the limited resources of the edge devices to host any security software and the requirement that a security app shouldn’t inject latency into the IoT environment.
Ideally, an IoT edge security product will at least communicate with other security products that have been deployed in the network. The level of integration will vary by product, but any level of interoperability will be a godsend for beleaguered security administrators who are already juggling numerous security apps.
“Sometimes they have 80 and even more security solutions in the network,” said Check Point’s Feiglevitch, “and you can’t manage 80 different security solutions.”
Some degree of integration with other network security platforms has become table stakes for edge security vendors. For example, Armis’ Dobrec said: “We can work in conjunction with network access control platforms to quarantine a device on the network.”
IoT edge security nirvana is still the elusive single screen. “At the end of the day, you will need one security console that can control everything inside your network,” said Feiglevitch.