Security issues for the Internet of Things (IoT) shouldn’t come as a big surprise, which is why most organizations are worried about their IoT rollouts. While most companies are either already deploying or planning to deploy IoT solutions in their enterprises, their concerns about the security of these connected devices continue to escalate. And most organizations are falling behind in addressing IoT security issues. A recent survey by the security firm Forescout showed that only 44 percent of respondents had a known security policy for IoT.
Ready or not, IoT is here. No longer just a buzz term, it’ll continue to grow at an unprecedented pace over the next few years and is expected to reach over 75 billion connected devices by 2025, according to Cisco. History shows us that most fast-growth technology solutions focus on solving business problems first, and security is an afterthought. Web applications, which have grown dramatically over the last decade to hundreds of millions in number, still have a major security problem, and hackers continue to attack this low-hanging fruit. Mobile apps, with over 9 million of them out there and growing, are still easily exploitable, leading to major losses from cyberattacks. Unfortunately, IoT is following the same trend. Most IoT devices, apps, and infrastructure were developed without security in mind. Vendors are anxious to get their products out to stay ahead of the competition. Thinking through security issues means diverting resources and delaying product releases, which has a direct impact on revenues and is not acceptable to most boards.
In a survey conducted by Tripwire and Dimensional Research earlier this year of individuals who were directly responsible for IoT security at their company, 99% of them had encountered challenges in the process of securing their organization’s IoT and Industrial Internet of Things (IIoT) devices. Around 95% of the respondents were somewhat to very concerned about the risks associated with those devices. With an accelerated adoption of IoT, there will be some very distinct benefits, including significant operational efficiencies. But unless security risks are proactively addressed, attacks on the IoT infrastructure are more likely than ever. Any major attack can deal a devastating blow to an organization through brand reputation damage, revenue loss, regulatory compliance issues, and expensive recovery processes.
Tips to address IoT Security
The good news is that these issues are not insurmountable. Here are a few simple tips to follow:
Chart out your IoT infrastructure and identify the weakest links: A typical IoT framework, at a very high level, consists of edge devices such as sensors, adapters, and beacons, a gateway to communicate with these devices, and a back-end server in the cloud or on-premises.
Once you have charted out the infrastructure, start asking yourself the hard questions: Do we know where all these devices and systems are located and what they are being used for? Are there any rogue devices in our environment? What standards and protocols are these “things” using? Do we know what types of vulnerabilities we have in this infrastructure?
Take each section separately and start addressing vulnerabilities for each. For example, commission a security pen test to find out whether endpoint devices can be hijacked and exploited by hackers, and what they could do with them. If you need certificates for devices to communicate, ask your device manufacturer or find a security certificate vendor to provide the solution. For the gateway and the back-end server, make sure that, besides the network security and data encryption issues, you are addressing application security issues by performing security testing and fixing vulnerabilities, as well as binary code hardening to protect your environment.
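One way to start answering the inventory questions above, as an added example that is not part of the original article: a small Python check that reconciles devices observed on the network against the charted inventory and flags rogue devices, undocumented entries, cleartext protocols, and inventoried devices that were not seen. The MAC addresses, inventory fields, and the list of cleartext protocols are constructed assumptions.

```python
# Added example: reconcile observed devices against the charted IoT inventory.
# Assumption: protocols treated as unencrypted here; adjust to your own policy.
CLEARTEXT = {"telnet", "http", "ftp", "mqtt", "coap"}

# Constructed inventory (the "chart"): edge devices, gateway, back-end server.
INVENTORY = {
    "02:00:00:00:00:01": {"tier": "edge", "location": "Plant A, line 3", "purpose": "temperature sensor"},
    "02:00:00:00:00:02": {"tier": "gateway", "location": "Plant A, rack 1", "purpose": "sensor gateway"},
    "02:00:00:00:00:03": {"tier": "backend", "location": "", "purpose": "telemetry server"},
    "02:00:00:00:00:04": {"tier": "edge", "location": "Warehouse", "purpose": "beacon"},
}

# Constructed observations, e.g. exported from a passive network monitor.
OBSERVED = [
    ("02:00:00:00:00:01", "mqtts"),
    ("02:00:00:00:00:02", "telnet"),
    ("02:00:00:00:00:03", "https"),
    ("02:00:00:00:00:99", "http"),
]

def audit(inventory, observed):
    """Return (mac, finding, detail) tuples for each gap between chart and network."""
    inv = {mac.lower(): entry for mac, entry in inventory.items()}
    findings, seen = [], set()
    for mac, proto in observed:
        mac, proto = mac.lower(), proto.lower()
        seen.add(mac)
        entry = inv.get(mac)
        if entry is None:
            # Rogue device: on the network but absent from the chart.
            findings.append((mac, "rogue", f"not in inventory, speaking {proto}"))
            continue
        for field in ("location", "purpose"):
            # Where is it, and what is it used for?
            if not entry.get(field):
                findings.append((mac, "undocumented", f"{entry['tier']} device has no {field}"))
        if proto in CLEARTEXT:
            # Which protocols are these "things" using?
            findings.append((mac, "cleartext", f"{entry['tier']} device uses {proto}"))
    for mac in sorted(set(inv) - seen):
        # Charted but silent: decommissioned, offline, or moved without record.
        findings.append((mac, "missing", f"{inv[mac]['tier']} device not observed"))
    return findings

if __name__ == "__main__":
    for mac, kind, detail in audit(INVENTORY, OBSERVED):
        print(f"{kind:13} {mac}  {detail}")
```
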
Of course, these processes require a lot of effort, but security is the most serious issue and needs to be dealt with up front. You can kick the can down the road to post-deployment, but the consequences are not worth it. And remember that it’s a risk management issue. There is no such thing as a hacker-proof system. You need to raise the barrier high enough to make it painful and not worthwhile for hackers to attack you.