The time to deal with IoT security is now
In most cases, I try to turn a skeptical eye on hyperbole. So when a cybersecurity expert tells me that IoT security is a “ticking time bomb,” my initial reaction is not to worry about an upcoming “security apocalypse.”
But I am already worried about security in the Internet of Things. So, I took the opportunity to ask Srini Vemula, global product management leader and security expert at SenecaGlobal, what’s really at risk as we hurtle toward 2020 and an estimated 20.4 billion connected devices.
Why is IoT so vulnerable?
Srini Vemula, global product management leader and security expert, SenecaGlobal
First off, I wanted to know why the IoT is so vulnerable. According to Vemula, the “minimal footprint” of IoT software and hardware cuts down on traditional malware protection strategies. Plus, Vemula said, buyers of consumer products — ranging from children’s toys to pacemakers and cars — are not primed to think of security issues. On a larger scale, he added, “critical infrastructures like electricity, irrigation and defense are now connected,” creating juicy targets for digital mayhem from criminal gangs to rogue nations.
The problems are hardly theoretical. Apparently, IoT malware has already infected more than 1 million organizations. Everything from ransomware to hacking into healthcare, manufacturing, and media is already costing big bucks leading to myriad lawsuits.
Biggest IoT security problems
Vemula laid out some of the biggest IoT-related security problems that have already occurred:
- Mirai: Last year, the Mirai botnet attack brought down a significant portion of the internet by exploiting factory default and hardcoded passwords.
- DDoS attacks in 2016: Embedded utilities running on CCTV devices were hacked on a jewelry store.
- DDoS attacks on a security journalist site: Using more than 500,000 internet-connected cameras, attackers generated 660 Gbps of traffic, causing Akamai, the company providing protection for the site, to let go when it became too costly to hold off that amount of traffic.
- Persirai botnet: More than 100,000 IP-connected cameras were attacked, giving the hackers access to the cameras’ internet feed.
Despite these examples, and many others, many companies still think IoT security is something they’ll need to worry about in a few years. Not surprisingly, Vemula believes that approach is dangerously complacent.
How can enterprises boost their IoT security?
Fortunately, it’s never too late for companies to take action to mitigate their IoT-related risks. Vemula shares a handful of actions he says can make a real difference:
- Build devices based on security-hardened platforms. By hardened, he means operating systems fine-tuned to be secure. Additionally, he says, “IoT architectures should support patching of software at scale.”
- Adopt standard IoT security controls. Vemula offers NIST (800-53) as an example.
- Make sure IoT devices have a workflow that enables and encourages changing default passwords. As Vemula notes, buyers of connected devices don’t automatically think, “Oh! Let me secure these first!” So, designers have to make security precautions an easy and expected part of using the product.
- Subscribe to security services, and act on all threat reports in the wild. When IoT exploits appear in the real world, it’s critical that IoT users and vendors apply patches immediately to minimize the danger of of zero-day vulnerabilities. Knowing about a problem and not doing anything about it does not make you any safer.
- Understand that building in rock-solid security can be at odds with building fast and keeping products affordable. It’s not always possible to build secure products and networks quickly and inexpensively. Given that, enterprises have to intelligently prioritize their security resources depending on the usage of given device—to get the most bang for their security buck.
Ultimately, I’m not sure those suggestions are enough to defuse the “ticking time bomb” and head off the IoT “security apocalypse,” but they’re a lot better than doing nothing.