Rise of the IoT machines
Even the public sector is taking notice. While most government agencies do not use commercial IoT devices inside their own walls, the government workforce has established telework programs, and workers are going through their home broadband connections, says Sadiyg Karim, vice president of cybersecurity and CTO at NSSPlus, a network security systems provider that works with the Department of Defense and other government agencies.
“The DoD and federal government have instituted more standards and guidelines over what people should use from home, even if they’re going over VPN,” including changing default passwords, Karim says. Still, he thinks about the demographics of internet users today who are not IT professionals and are expected to carry out these security steps. “The capability is there for individuals to do it on their own, but the learning curve is very steep. It’s still pretty cryptic out there,” he says.
Recent IoT device hijackings have targeted commercial devices rather than industrial devices, and the Industrial Internet Consortium wants to keep it that way. In September the group, made up of some of the biggest players in the IoT ecosphere, rolled out its Industrial Internet Security Framework, a set of best practices to help developers and users assess risks and defend against them.
The framework also lays out a systematic way of implementing security in IoT and provides a common language for talking about it. Consortium participants say the long-term goal is to make security an integral part of every IoT system and implementation.
“There has always been an acknowledgment that this is critical. It was just a question of what do we actually do about it,” says Sven Schrecker, chief architect for IoT security solutions at Intel, and co-chair of the IIC security working group. “In [the framework], we explain what to do about it at a number of levels.”
The IIC believes that responsibility for implementing security should rest not with the original owners of industrial equipment but with the systems integrator, “who can lean on the device builders, components builders, chip builders and software vendors” to include security. “When all of that flows from the bottom up, it is a much more manageable security solution.” Since its release, the new framework has received “tremendous response,” he adds.
Some IoT device providers think security is a shared responsibility. “Manufacturers of IoT devices need to focus on cyber secure design, development and deployment,” says Jason Rosselot, director of global product security at Johnson Controls, which has provided internet-connected building controls, security and fire technologies for more than a decade. Equally important, Rosselot says, is that “consumers of IoT devices must prioritise security in those devices,” including deploying updates and patches as soon as they become available and changing passwords from factory defaults to complex passwords.
Organisations need to assess what internet-connected devices they currently have, their vulnerabilities, and how they will address them, Evans says. Gartner classifies IoT devices into four categories. Passive, identifiable things like RFID tags have a low threat risk. Sensors that communicate information about themselves, like pressure sensors, have a moderate threat risk. Devices that can be remotely controlled and manipulated, such as HVAC systems and self-driving cars, hold the highest risk for sensitive data loss, malware and sabotage.
At the most basic level, default user names and IP addresses should be changed. Prevention measures could also include micro-segmentation of devices to limit the damage caused by a breach or at least control or restrict the movement of cyber criminals who get inside. Enterprises could also opt for a “cognitive firewall,” which places security controls into the cloud instead of on the device, and uses artificial intelligence to determine if a requested action on a device is appropriate or not, such as “turn on the microwave for 100 minutes,” Evans says.
While the Dyn DDoS attack may be an opening salvo for future attacks, it may also mark the beginning of industry mobilisation to introduce standards to IoT devices, Schrecker says. “Two years ago, I would’ve said it would be fruitless to pursue a standard for IoT security, but we’re seeing a collaborative effort now to solve this problem once and for all, so there may be a silver lining here.”
IDG News Service