20.8bn is a large number
Where the wild (internet of) things are
The Internet of Things (IoT) is ripping across the trough of disappointment and rapidly becoming real. GE believes the number of connected devices will grow by more than five times to 20.8 billion by 2020. But what are the implications for your corporate security?
There’s no doubt IoT can be an enabler for resource management, notifying us of failure in remote locations while monitoring energy, raw materials or outputs. Milton Keynes Council has trialled smart bins, which alert refuse collectors when they are full. Other councils are looking at experimenting with salt bins that send an alert when they’re running low, and even road surfaces that tell managers when they’re too warm to merit gritting.
But while IoT can be applied to address real, measurable resource challenges, there is a raft of security issues that comes with the benefits – as the recent spate of IoT-initiated DDoS attacks highlights.
Which is why Dr Emil Lupu, deputy director of PETRAS – a consortium involved in a £40m government programme to advance IoT in the UK – dwelt on security during Capita’s Channel Shift Conference. He says:
Know the devices on your network
Analyst firm Gartner predicts that over 25 per cent of identified attacks in enterprise will involve IoT, so large firms need to be wary of new technologies they’re deploying within the workplace – even the likes of ‘smart’ kettles, thermostats and fridges.
Research by security firm ForeScout found that only 44 per cent of respondents said they had a known security policy for IoT, showing that many firms were not taking IoT security seriously enough. In addition, 85 per cent of organisations aren’t confident they know all the devices on their network.
The three main ways that a lack of IoT security can affect an organisation are data theft, DDoS attacks, and malfunctioning devices. The latter could mean the organisation is not alerted when components are broken – and in worst-case scenarios could lead to the whole system being shut down. All three types of IoT vulnerabilities can cost organisations a great deal in both monetary terms and reputation.
Lupu, who is also part of the faculty of engineering, in the department of computing at Imperial College London, believes the biggest concern is an IoT device compromising a network, with a hacker stealing and modifying data - or the system itself.
990 Gbps of traffic
From a purely technical point of view, the problem with a ‘pure’ IoT approach, where every device is directly attached to the network, is that it massively increases the attack surface for any threat. And it puts all the security needs on the device.
Even before the recent attacks which left the likes of Netflix inaccessible, the shortcomings of on-board security were demonstrated with the world’s largest DDoS attack on security expert Brian Krebs’ website.
The perps first took over IP cameras, lightbulbs and thermostats, where username and password combinations were easily obtainable online, creating an IoT botnet.
They then directed 990 Gbps of traffic from these devices to Krebs’ website, taking it down for five days. Enterprises’ own IoT devices can similarly be used against their own systems in an attack like this.
But while insecure IoT devices were the accomplice in this crime, Clive Longbottom, analyst at Quocirca, says that it doesn’t make economic sense to create highly secure devices, as they often only cost a few pounds.
Build yourself an airlock
To get around this, and to combat the threat of an increasing attack surface, Longbottom suggests implementing a more intelligent IoT platform.
“The devices can still remain relatively unintelligent,” says Longbottom. “Because they are air-locked from the main network through an aggregation device. The aggregation device can be very intelligent, and rather than spending £50 per device on intelligence, an aggregation device that looks after 1,000 IoT devices could cost £5000, and contain £3000 worth of intelligence in how to manage each device, how to secure them, and how to analyse and filter the IoT data.”
Longbottom explains that thereafter, the aggregation devices can communicate with each other and to a “very expensive” central command centre.
“This provides a highly cost effective means of managing a complex and inherently insecure device network,” he says.
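The aggregation-device idea can be sketched in a few lines. This is an added example, not code from the article or from Quocirca: a gateway that forwards only normalised readings from inventoried devices, drops and logs everything else, and reports devices that have gone silent. The device IDs, policy values and the `Gateway` class are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed inventory: device id -> expected sensor type (hypothetical names).
INVENTORY = {"bin-0017": "fill_level", "grit-0203": "road_temp"}
# Per-type policy (assumed values): (min value, max value, max messages per window).
POLICY = {"fill_level": (0.0, 100.0, 4), "road_temp": (-40.0, 70.0, 12)}

@dataclass
class Gateway:
    window: float = 60.0                         # rate-limit window in seconds
    seen: dict = field(default_factory=dict)     # device id -> accepted timestamps
    alerts: list = field(default_factory=list)   # (timestamp, device id, reason)

    def handle(self, device_id, kind, value, now):
        """Return the record to forward upstream, or None if the message is dropped."""
        expected = INVENTORY.get(device_id)
        if expected is None:
            return self._drop(now, device_id, "unknown device")
        if kind != expected:
            return self._drop(now, device_id, "unexpected message type")
        low, high, limit = POLICY[expected]
        numeric = isinstance(value, (int, float)) and not isinstance(value, bool)
        if not numeric or not low <= value <= high:   # NaN also fails this test
            return self._drop(now, device_id, "value out of range")
        recent = [t for t in self.seen.get(device_id, []) if now - t < self.window]
        self.seen[device_id] = recent
        if len(recent) >= limit:
            return self._drop(now, device_id, "rate limit exceeded")
        self.seen[device_id] = recent + [now]
        # Only this normalised record crosses into the main network.
        return {"device": device_id, "kind": kind, "value": float(value), "ts": now}

    def _drop(self, now, device_id, reason):
        self.alerts.append((now, device_id, reason))
        return None

    def silent_devices(self, now, max_age):
        """Inventoried devices with no accepted reading in the last max_age seconds."""
        return sorted(d for d in INVENTORY
                      if not self.seen.get(d) or now - self.seen[d][-1] > max_age)

if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("bin-0017", "fill_level", 82, now=0.0))   # forwarded
    print(gw.handle("cam-9999", "video", 1, now=1.0))         # dropped: not in inventory
    print(gw.alerts, gw.silent_devices(now=100.0, max_age=50.0))
```

The rate limit caps what a hijacked device can push past the gateway, and `silent_devices` covers the malfunctioning-device case where a broken sensor simply stops reporting.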
There are other issues to contend with too – such as encrypting IoT devices. This isn’t as hard if a company has a few hundred connected devices, but if an organisation has millions, it can be a huge effort and expense. Identification of particular sensors and devices is another area which can prove tricky; two devices can be easily mistaken for the same product.
Security or consequences
And now the European Commission is drafting new cybersecurity requirements for IoT devices. The Commission wants to encourage companies to come up with a labelling system for devices that are approved and secure in a similar way to the current labelling system that rates appliances on how much energy they consume.
This means that IoT makers will have to start building at least some security into their products – and face consequences if they don’t – which will come as a relief to enterprises who are buying these devices from manufacturers.
For IoT makers and enterprises that are turning their existing products into IoT-enabled devices, the Cloud Security Alliance released a detailed guide on how to incorporate basic security measures into these devices which can be found here.
The IoT is now real. But it doesn’t have to be where the wild things are.
Sooraj Shah is a freelance tech journalist who regularly contributes to Infosecurity Magazine, TechWeekEurope, Computer Weekly and more.