Remember the early days of Internet of Things (IoT) devices? The rush to bring them to market, so that consumers could enjoy the conveniences they offered, alarmed the security community, which worried that the devices were being built with no security in mind. As more of them appeared, those apprehensions proved correct: vulnerabilities have been discovered in many IoT devices. Has their security gotten better since, or has it stayed the same?
On the latest Security Sessions podcast, I am joined by a distinguished expert in the IoT space, Ellen Boehm, Vice President of IoT Strategy and Operations at Keyfactor. Ellen has extensive experience in cybersecurity, and specifically in understanding IoT risk.
The number of IoT devices has grown exponentially in recent years and is expected to exceed 64 billion worldwide within the next four years. That is massive growth, and an equally substantial risk footprint. More interesting still, these devices are no longer home-based novelties; they are present in every organization, in varying capacities and functions.
The good news is that security is no longer ignored when the devices are manufactured. At the scale IoT is growing, however, manual processes cannot keep pace with securing each device, so automation is one of the few workable routes to security. That is not a simple task: it spans every stage of the device lifecycle, from manufacturing through provisioning, operation, updates and decommissioning, and a layered security model is essential throughout.
In the podcast, Ellen agreed that the scale of IoT adoption creates numerous challenges, and built on the layered security model by adding on-device key generation as the basis for uniquely identifying every IoT device: the private key is created on the device itself and never leaves it, so the identity cannot be copied out of a manufacturing database or cloned onto another unit. A strong device identity of that kind is a critical element of a zero trust architecture, and especially important for industrial edge devices. Secure firmware flashing, in which the device accepts only images it can verify as signed, likewise raises assurance and provides audit capabilities and controls around these devices.
IoT also has data privacy implications. Without good security, two obvious routes to a privacy violation are spoofing the identity of a registered user or spoofing the device identity itself. And just as layered security protects a device, layered leakage of small pieces of data lets an attacker assemble a mosaic attack, in which individually harmless fragments of information are combined into a larger picture of an individual or an organization.
Ellen's experience with medical clients gives her a particularly critical view of the need for data privacy in IoT. She emphasized that medical IoT data must be kept confidential, however insignificant it may seem. Manipulating the data of a medical IoT device can have a dramatic impact, not only on life and death but also on continuity of care.
A related factor is 5G: its development and wider deployment will also affect IoT security, because 5G will act as an accelerant for IoT growth. The added bandwidth and connectivity bring benefits, but they also broaden the attack surface. More devices, exchanging more information, more quickly, can create unanticipated opportunities for malicious actors.
Is there IoT security awareness training for the employees who use the technology? Yes, and Ellen used the example of a retail grocery store to make the point. Think of all the devices that keep a supermarket running efficiently: each of those endpoints is also an entry point to the network. Remote work has extended corporate networks further, creating still more access points. All of this is part of the specialized awareness that needs to be conveyed to staff.
The rise of IoT has not gone unnoticed in government circles. The US recently signed the IoT Cybersecurity Improvement Act of 2020 into law, directing the National Institute of Standards and Technology (NIST) to publish standards and guidelines for the secure use and management of IoT devices by federal agencies, which in turn set a bar for the vendors that supply them. Guidelines and recommendations of this kind often lead to the development of regulations.
Of course, regulations take time to develop and longer still to become mainstream. In the meantime, there are steps organizations can take to secure the IoT devices they deploy. Best practices include strong identity and access management (IAM) for devices, integrated into the corporate IAM system; strong encryption; and certificate-based authentication, with the organization's own certificate layered onto each device, on top of any manufacturer-issued identity, so that the device is authenticated against the organization's own PKI. Automating these actions is what makes them sustainable at IoT scale.
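To make the device-identity pieces from the discussion concrete (on-device key generation as the basis for unique device identity, the organization layering its own certificate onto a device, and certificate-based authentication), here is an added example in Go. It is not code from the podcast, from Keyfactor, or from the original post. It assumes a hypothetical organization CA ("Example Org"), a constructed allow-list of device serial numbers, and a constructed server nonce; the CA key is held in memory only so that the example runs offline. The device generates its ECDSA key locally and exports only a certificate signing request; the CA checks the CSR signature as proof of possession and the serial against the allow-list before issuing a client-auth certificate; the server then verifies that the presented certificate chains to the organization's CA and that the device can sign a fresh nonce with the key that never left it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a certificate skeleton: random 128-bit serial, validity starting an hour ago for clock skew.
func template(cn string, years int) *x509.Certificate {
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	return &x509.Certificate{
		SerialNumber: sn,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Org"}}, // hypothetical org
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
}

// OrgCA is a hypothetical issuing CA run by the organization (key kept in memory here; an HSM in production).
type OrgCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// NewOrgCA creates a self-signed CA certificate and the trust pool that servers verify devices against.
func NewOrgCA() *OrgCA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := template("Example Org IoT Issuing CA", 10)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &OrgCA{cert: cert, key: key, pool: pool}
}

// Device is one IoT endpoint; its private key is generated on the device and never exported.
type Device struct{ key *ecdsa.PrivateKey }

// NewDevice does on-device key generation and returns a DER CSR whose subject CN is the device serial.
func NewDevice(serial string) (*Device, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: serial}}, key)
	must(err)
	return &Device{key: key}, csr
}

// Enroll issues a device certificate: the CSR signature proves possession of the private key,
// and the serial must be on the allow-list of devices the organization actually owns.
func (ca *OrgCA) Enroll(csrDER []byte, allowed map[string]bool) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	if !allowed[csr.Subject.CommonName] {
		return nil, fmt.Errorf("serial %q not in device allow-list", csr.Subject.CommonName)
	}
	tmpl := template(csr.Subject.CommonName, 2)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// SignChallenge answers a server nonce with an ECDSA-with-SHA256 signature from the device key.
func (d *Device) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

// VerifyDevice is the server side: the certificate must chain to the org CA with client-auth usage
// and the nonce signature must verify under its key. Returns the authenticated device serial.
func (ca *OrgCA) VerifyDevice(certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: ca.pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by org CA: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("challenge signature invalid: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca := NewOrgCA()
	dev, csr := NewDevice("SN-0001")
	certDER, err := ca.Enroll(csr, map[string]bool{"SN-0001": true}) // constructed allow-list
	must(err)
	nonce := []byte("constructed-server-nonce") // constructed sample challenge
	sig, err := dev.SignChallenge(nonce)
	must(err)
	fmt.Println(ca.VerifyDevice(certDER, nonce, sig)) // SN-0001 <nil>
}
```

The two server-side checks carry the security argument: a certificate issued by any other CA fails chain validation against the organization's trust pool, and a copied certificate is useless on its own because the fresh nonce must be signed with the private key that never left the device. The allow-list in Enroll is what stops anyone who can reach the enrollment endpoint from minting identities for devices the organization never owned; in a real deployment it would be fed from manufacturing or procurement records rather than a literal map.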
Finally, remember that none of this can be accomplished overnight. The IoT environment must be treated like any other part of the organization's infrastructure: a small device poses a risk equivalent to that of the larger systems, and it deserves the same due diligence and due care.
To hear more, tune into the podcast.