The Internet of Things (IoT) is transforming the world in ways unimaginable 5-10 years ago. For many of us, IoT extends to the innovation of smartwatches, connected cars, and smart home devices, which have substantially changed the way we live. Printed maps have been rendered useless. Lights in an owner’s house can be turned on for safety or off for efficiency from 10,000 miles away. Cooks can “look into” their refrigerators from the grocery store to check the items they’re missing for that night’s dinner. How did we ever function before being able to tell our car to text our friends that we are going to be 22 minutes late for drinks because a minivan crashed into a semi 1.36 miles up the freeway, which has also created a traffic jam at the intersection of Main and Broad Streets?
Most people first think of consumer-focused business innovation when they consider IoT, but the reality is that manufacturing, construction/engineering, transportation/logistics, utilities, and healthcare, to name a few, have been completely transformed by IoT as well. Businesses are using IoT as a means of gathering more and better data about daily operations and equipment so they can enhance the decision-making process, monitor for problems and quickly remediate when problems arise, and create greater efficiencies overall. Businesses profit from IoT, and according to a Forrester survey, 67% of businesses intend to expand their use of IoT technology.
Security professionals are, obviously, concerned with the security of embedded devices, software, and sensors. Security isn’t automatically a concern, though, when Caterpillar, for instance, is manufacturing a new line of forklifts. While embedded device companies themselves are getting better at paying attention to the security of the devices they sell to manufacturers (and some larger companies have begun manufacturing devices or software in-house to gain a competitive advantage), there is another concern with IoT: asset inventorying.
You broke the bonds
As with cloud technologies, especially in the early days, the business often makes decisions about technology-enabled products without consulting the security team, who could help vet the security of the solution being proffered. And like cloud, even though embedded device security is improving, if the security team doesn’t know the asset exists, it’s difficult to monitor. IoT is introducing another avenue of shadow IT, but this time all of the assets are not necessarily technology related or apparent on the network.
In theory, all IoT technologies “phone home.” To work, the technologies must be wirelessly connected to the internet, and as such, some system is monitoring them. Not all systems, though, are connecting back to the customer’s network, which makes it very challenging for security and IT teams to know what’s going on. Like all as-a-service offerings before them, IoT platforms can be hosted, which means that none of the back-end infrastructure is maintained or monitored by the customer. It’s feasible, therefore, for an organization to implement an IoT technology without impacting the organization’s technology stack in any way. The security and IT teams could be completely clueless about it, while the customer’s customer data or business operations data could be whizzing back and forth between the device and the provider’s network, unmonitored by the company that handles the data and invisible to security and IT teams.
You loosened the chains
Even if devices are pinging back to the network, the number and types of connections are overwhelming for many organizations. When an employee can purchase an Apple Watch, download the Office 365 app, and start checking email from her wrist, the level of asset tracking ratchets up yet again. The security challenge is compounded further when the same user also links her Fitbit, iPhone, Mint, home monitoring, and Bumble. And these are only valid, vetted app store apps. This conundrum isn’t all that different from BYOD, but every time a new wearable or other affordable IoT consumer device is introduced to the network, it’s another asset for which security teams must account. Long gone are the days of issuing one laptop and (maybe) a company-owned phone. In a large, multinational organization, devices could pile up by the day, which makes inventorying onerous.
Then all the colors will bleed into one
Organizations need to develop a plan to manage IoT technologies, both those on their own network and those managed by third parties. Relying on a few tricks from BYOD and cloud, organizations should:
Develop a policy: While a policy itself won’t stop usage, it helps employees understand some of the risks of bringing an IoT device into the organization, be it a smartwatch or a newly ordered piece of manufacturing equipment. The socialization of the message itself is a step in the right direction. A formal policy which employees are required to review and accept establishes a risk management approach to IoT, and if employees understand they’re part of—and accountable for—risk, they’re more likely to start bringing such devices to the attention of IT and security.
Update network security controls: “Inventorying all IoT devices is difficult at best,” says Tim Krabec (@tkrabec), information security architect and analyst. As with other shadow IT, tech teams can update network rules and settings to detect new devices on the network. Krabec furthers, “Organizations need to have a solid network infrastructure with the ability to report all devices, MAC address, and IP addresses in use, then use a device to listen for rogue WiFi and Bluetooth networks in case they’re tethered to a mobile hotspot/phone.” Security teams can then collect data from various logs (firewall, DNS, etc.) and the SIEM, then correlate and cross-reference it with IT asset tracking.
Patch: If the devices are in the organization’s network, keep software and firmware up to date. Pay attention to IoT manufacturers’ updates and announcements, and use available threat intelligence capabilities to identify CVEs or targeted threats against certain device types, industries, or hardware. Keep in mind, though, warns Krabec, that “not all IoT devices are even capable of being updated.”
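One way to turn the “update network security controls” step into a concrete, repeatable check: compare DHCP leases against the IT asset inventory to surface devices nobody registered, then enrich each unknown device with the outbound destinations the firewall allowed it to reach. This is an added example, not code from the article or from anyone quoted in it; the log formats, the inventory, and every MAC and IP address are constructed assumptions.

```python
import re

# Hypothetical asset inventory: MAC address -> asset tag (constructed values).
INVENTORY = {"00:1a:2b:3c:4d:5e": "corp-laptop-017",
             "00:1a:2b:3c:4d:5f": "hvac-controller-2"}

# Constructed DHCP server lines (ISC-style DHCPACK; the format is an assumption).
DHCP_LOG = """\
Jun 02 08:14:01 dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:5e (corp-laptop-017) via eth0
Jun 02 08:15:44 dhcpd: DHCPACK on 10.0.5.88 to a4:77:33:00:11:22 (Galaxy-Watch) via eth0
Jun 02 08:16:02 dhcpd: DHCPACK on 10.0.5.90 to 00:1a:2b:3c:4d:5f (hvac-controller-2) via eth0
Jun 02 08:17:30 dhcpd: DHCPACK on 10.0.5.91 to 5c:cf:7f:aa:bb:cc via eth0
"""
# Constructed firewall lines for allowed outbound flows (format is an assumption).
FW_LOG = """\
Jun 02 08:18:11 fw: ALLOW TCP 10.0.5.88:51234 -> 203.0.113.10:443
Jun 02 08:18:12 fw: ALLOW TCP 10.0.5.21:51235 -> 198.51.100.7:443
Jun 02 08:18:20 fw: ALLOW TCP 10.0.5.91:40000 -> 203.0.113.44:8883
"""
DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))?", re.I)
FW_RE = re.compile(r"ALLOW \w+ (\S+):\d+ -> (\S+):(\d+)")

def parse_leases(log):
    """Map IP -> (mac, hostname) from DHCPACK lines; hostname may be absent."""
    leases = {}
    for line in log.splitlines():
        m = DHCP_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            leases[ip] = (mac.lower(), host or "")
    return leases

def outbound_by_ip(log):
    """Map source IP -> set of 'dst:port' strings it was allowed to reach."""
    dests = {}
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m:
            src, dst, port = m.groups()
            dests.setdefault(src, set()).add(f"{dst}:{port}")
    return dests

def find_unknown_devices(dhcp_log, fw_log, inventory):
    """Leased devices whose MAC is not in inventory, plus where they talk to."""
    leases = parse_leases(dhcp_log)
    dests = outbound_by_ip(fw_log)
    return [{"ip": ip, "mac": mac, "hostname": host,
             "destinations": sorted(dests.get(ip, ()))}
            for ip, (mac, host) in sorted(leases.items())
            if mac not in inventory]
```

Run against the constructed logs, the check flags the unregistered smartwatch and a device that never sent a hostname, each with the external endpoint it reached, which is the starting point for asking who owns it and whether that traffic is expected.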
Here’s where things get hard. When data collection and monitoring are occurring on another provider’s network, customers may, at best, have limited control over security. In the worst case, the customer isn’t aware of the existence of the IoT device, can’t query for it, and is therefore helpless when it comes to the security of the device and of the data used in normal operation. These facts make many security teams nervous. According to Chris Poulin, Research Strategist with the IBM X-Force Research & Development team, “Almost all IoT has an IoTaaS component.” This is to say, even when the security team is able to find and monitor the device, some aspect of control must be conceded, just as with other types of cloud providers.
All is not lost, however; Poulin points to some FTC guidance for IoT manufacturers:
Data Minimization: “Data minimization refers to the concept that companies should limit the data they collect and retain, and dispose of it once they no longer need it.” As a user of an IoT device—B2B or B2C—the user/customer should expect that certain data is collected; that is the point of IoT, after all. That said, when data is no longer required for operation of the device or outlives its usefulness, the data should be properly disposed of or destroyed.
Notice and Choice: “The Commission staff believes that consumer choice continues to play an important role in the IoT.” For normal operation of the device, explains Poulin, there is an expectation of certain data collection. However, for any data beyond what’s expected, he says, “before they can collect the data, the IoT manufacturer has to disclose to the consumer what is being collected, the purpose [of collection], and who will have access to it (e.g., partners or buyers of data).” The FTC also recommends that device manufacturers provide an opt-in—not an opt-out—so consumers can choose whether this type of extraordinary data is collected at all. Poulin furthers, “Manufacturers should provide transparency to the data: allow the user to see exactly what is being collected and change their opt-in status at any time.”
While notice and choice do not change the security controls around the data collected, they do help limit the data that could be lost, stolen, accessed by unauthorized parties, or used in unintended ways.
Security by Design: “The Commission staff encourages companies to consider adopting [industry leading] practices.” While the “appropriate security practices” explained in the document are high-level—implement strong passwords, limit access to sensitive data, encrypt data, test systems, patch, etc.—the very existence of a seventy-one page report with security and privacy advice for manufacturers of IoT is a step in the right direction.
Beyond the FTC’s guidance, in Poulin’s opinion, “Cloud providers should provide a ‘zero knowledge encryption option’ to consumers. That's to say, allow the users to encrypt their data so even the cloud provider doesn't have the key and can't sell it to third-parties or disclose it to the government.”
In addition to the above recommendations, several third-party organizations are launching or looking to launch testing programs that will certify the security features of IoT devices and sensors. Testing, of course, won’t be a legislated requirement, but manufacturers who complete the process can tout independent validation, which goes a long way in the minds of buyers.
But yes, I’m still running
IoT has many similarities to cloud, but security teams and providers/manufacturers have learned lessons along the way. With IoT we’re not starting from ground zero as we did with cloud. Security is being built in from the get-go, maybe not as robustly as enterprise security teams envision (that’s the Holy Grail), but an effort is under way and that’s encouraging. IoT security awareness groups are forming; guidance is being written and distributed broadly; security researchers are disclosing their findings very publicly.
As with shadow IT, there’s no guarantee that shadow IoT will ever cease completely. Provider/manufacturer responsibility will be the key to security. If these beginnings of IoT are an indication of progress, though, the future’s so bright I gotta wear my internet-connected shades.