Why Security Heads Aren't Excited About IoT

Internet of Things (IoT) is taking connected firms to a whole new level. In the name of efficiency, agility and better customer experience, many are embracing IoT technology in droves.

Don’t count on security heads to do the same though. According to the Forrester The State of IoT Security 2018 report, many “struggle with disparate and sometimes immature security offerings that fail to properly secure deployments, leading to increased risk of data loss, physical damage, and revenue loss.”

“Although there is considerable awareness and concern about IoT security, S&R [Security and Risk] pros face a diverse set of obstacles when deploying a comprehensive IoT security strategy,” Merritt Maxim, Principal Analyst at Forrester said.  

Insufficient Controls

Device vulnerabilities form a large part of the IoT security fears. Past cases show that ill-managed devices or unsecured devices are enormous vulnerabilities. The problem for security teams is that hackers are also learning how to find and exploit vulnerable devices faster.

“From a hacking perspective, IoT threats are increasing in sophistication and effectiveness. In the past 12 months, several botnets have emerged, all of which have leveraged insecure connected devices to either launch DDoS attacks or load malware, and all of which have leveraged previous botnets to increase in sophistication,” Maxim said.

Agility is needed to overcome insufficient security controls. “This means that today's security controls may not be sufficient in the future, requiring S&R pros to create a flexible architecture that can adapt to the evolving threat landscape quickly and effectively,” Maxim said.

But controls are only part of the equation; enforcing them can be equally hard. According to the Forrester report, 92% of global technology security decision makers at enterprises said that they IoT security policies. But only 47% agreed that they have the right tools to enforce them.

Identifying the Risks

The Forrester report noted four main IoT risks. First is having strong privacy controls as firms need to share the vast volumes of IoT-generated data with both employees and partners. The upcoming EU General Data Protection Regulation (GDPR) compliance makes such controls more urgent and complex. In fact, Forrester believes that privacy concerns may be a key hurdle for future IoT deployments.

"The EU GDPR regulation is increasing the importance of data privacy with the potential of hefty fines. This requires firms to have very explicit policies around user consent, and the right to be forgotten and that data collection and usage with third parties is clearly articulated to end-users," Maxim said.

Second, IoT devices expand your attack surface. Hackers only need a single vulnerable device to get their hands on valuable data. Patching IoT devices is also not for the faint-hearted, especially when many devices lack a proper user interface.

Third, IoT devices employ various integration and connectivity approaches, from peer-to-peer to Z-Wave and low-power wide-area networking (LPWAN). They also communicate differently, from HTTPS to MQTT and AMQP. Different geographic regions use different radio frequencies. All these complexities increase the chances of misconfiguration--opening up new gaping holes for hackers to penetrate.

Lastly, IoT device management itself can be a target. According to the Forrester report, hackers are using scenarios "such as resetting a device to original settings or turning off updates" to compromise. Also, end users need more training to learn when they are dealing with compromised devices and not agree to any configuration change requests.

Other concerns include device heterogeneity (along with new OSes), the preference for digitizing asset-intensive user cases that open up firms for more disruptive attacks, problems of maintaining devices at scale and increasing IoT supply chain risks.

BYO IoT device and the growing use of intelligent assistant devices are becoming a huge concern as well. "This will be a growing problem especially for remote workers who may have digital voice assistants in their home to connect with an enterprise laptop. Risk-averse firms could try to ban or prevent usage but this will can be challenging and will remain a potential threat vector for an enterprise to manage," Maxim said.

Where to Invest

So what must firms focus on to combat IoT security fears? Below are critical IoT capabilities that Forrester urged security teams to invest in:

  • IoT API Security: These authenticate and authorize data movement between IoT devices, back-end systems, and applications "using documented REST-based APIs." 
  • IoT Authentication: These authenticate multiple users looking to connect to a single IoT device (such as a connected car).
  • IoT Device Hardening: These use “secure firmware, trusted execution environments obfuscation or binary modification” to minimize unauthorized tampering.
  • IoT Encryption: These encrypt data at rest and in transit between IoT edge devices and back-end devices. According to Maxim, it is an increasingly vital area as the cloud backend, where all devices connect to, become preferred targets for hackers.
  • IoT IAM: The Forrester report noted that IoT IAM, which offer full lifecycle management features “is emerging as an important capability to help enterprises and service providers manage and secure relationships between identities and IoT devices.”
  • IoT Managed Security Services: Shortage of staff and skills will push up the value of partnering with managed services firms.
  • IoT Network Security: These protect the IoT device networks as they connect with back-end systems on the internet.
  • IoT Network Segmentation: These help to create zones to isolate IoT devices when they are infected.
  • IoT PKI: These offer X.509 digital certificate and cryptographic keys for creating trusted PKI environments.