Weigh benefits of IoT devices against potential security risks to determine on a device-by-device basis if the technology should be used, experts advice.
The FBI’s recently issued warning that newer cars are susceptible to hacking highlights the issue of IoT (Internet of Things) security not only in vehicles, but across the enterprise.
Earlier this year security researchers used a $30 webcam to establish a persistent point of access into a network. This type of IoT hack poses a clear danger to enterprises as hackers can access the network without having to infect a laptop, workstation or server, all of which are usually protected by firewalls, intrusion prevention systems and malware sandboxes in addition to running antivirus software.
Despite the dangers, enterprises are embracing IoT in sensors, locks and in other types of devices. Research firm IDC expects annual spending on the Internet of Things to grow 17 percent for each of the next three years, to reach $1.3 trillion in 2019.
“We’ve been looking at IoT a lot,” said Chris Poulin, security research strategist for IBM. “Most makers of IoT devices are not including security.”
IoT Security Shortfalls
Many IoT device manufacturers are early stage technology companies that have little or no profits, so they need to concentrate on manufacturing and selling devices just to keep the lights on, said Kate Lucente, co-chair of the IoT practice at DLA Piper, a multi-national law firm. In many cases, security suffers.
Such security neglect has ramifications for everything from smart building systems to wearables such as badges that employees wear to gain access to sensitive areas or sensitive systems, Poulin said.
A survey by Facilities.net found that 84 percent of building automation systems (such as elevators and HVAC) were connected to the internet, with 35 percent of those bridged to the enterprise network. Thirty-one percent of respondents said a cybersecurity attack could cause significant harm. Yet less than half (41 percent) had established security countermeasures for Internet of Things systems.
Companies of all types are at risk, Poulin said. In addition to autos, systems of hotels and airlines have been compromised via IoT hacks. “Hackers try to break in using every type of connected system,” he said.
Still, enterprises are often slow to close security loopholes created by connecting devices to the internet. For example, old PBX telephone systems weren’t a security risk until modems connected to the internet were added. But security and other executives tended to ignore updated systems until security was compromised at their firm or at another enterprise.
Similarly, security and company executives need to start paying attention to IoT risks now, Poulin advised. “What’s being made today is being made for availability, not for security.”
Enterprise security executives should examine any security vulnerabilities of IoT devices and take steps to address those threats before the devices are installed, he said.
IoT Risk Assessment
Poulin and other security experts recommend weighing the benefits of individual IoT devices against the additional risks they may pose to determine on a device-by-device basis if the technology should be added at all.
“Security always comes down to making a risk assessment,” said Garry McCracken, vice president of technology for WinMagic, a provider of encryption key management solutions. “If the IoT device provides only potentially marginal utility, why install it?”
Any communications between devices should be encrypted, McCracken said, and any security included in IoT devices or protocols used to connect IoT devices should meet the enterprise’s own security standards and best practices.
IoT provides a lot of entry points into the enterprise; each one is a security issue. You need to make sure that you have the appropriate firmware and hardware updates,” Lucente said.
IoT’s Legal Ramifications
Beyond the security of the enterprise, the liability issue also becomes more challenging for law firms and their clients, Lucente said. The law says enterprises need to take “reasonable” precautions to protect information. With IoT, the definition of what is reasonable becomes more confusing.
Though most companies have reasonable security programs now, the volume of IoT devices will make it much harder to stay in compliance, Lucente said. “It will be very difficult to manage.”
Enterprises need to make sure they take reasonable precautions or the government will step in and define the steps that need to be taken, said Elliot Katz, associate at DLA Piper. Indeed, the government already started discussing legislation to define security protocols for vehicles after security experts highlighted the ease of hacking cars.
According to Katz, the proposed legislation, which is still in its earliest stages, would outlaw all hacking, with no exceptions for “ethical” or white hat hacking that companies use to determine the vulnerabilities of their own systems.
IoT Security Advice
While IoT receives plenty of attention today, most enterprise hacks come via other, simpler, technologies, said Ryan Kalember, Proofpoint senior vice president of cybersecurity strategies.
“For years and years, people have tried to hack into systems from a connected printer or through conference room systems,” Kalember said. “Now with smart lights, smart locks and other devices that are connected, you are now just one or two hops away from the internet.”
While older devices typically don’t offer internet connectivity and are thus more secure, such devices typically don’t appeal to companies upgrading their systems, Kalember added. If the enterprise is intent on installing IoT devices, they should be segmented from one another and from critical network systems to help ensure security.
Kalember further recommends that enterprises connect devices via the cloud and use strong authentication.
Though IoT certainly presents security challenges for enterprises, it can provide some security enhancements as well, Katz said. “IoT can help identify bad network traffic and provide additional analytics for better enterprise security.”
IoT devices should be able to communicate warnings if hacks have been attempted, McCracken said.
Many security experts agree that, just as happened with major retailers before they took significant steps to tighten their security systems, there will likely be noticeable, costly IoT hacks before most enterprises adequately protect themselves against these new security threats.
“Look at the retailers; they didn’t invest a lot in security before the incidents at Home Depot and at Target,” Poulin said. “A lot of CSOs and CEOs lost their jobs as a result. Incidents cause change.”