Could a shared responsibility model hold the key to securing the IoT? asks Trend Micro’s Cabrera
10 January 2018
As we enter a world that is increasingly instrumented and connected, we face a unique set of challenges to secure it. Exactly how best to do so is a much-debated subject, but I believe there is a solution to securing the Internet of Things (IoT). More of that in a moment. First, let’s get a sense of where we are today.
The Internet of Things is seeing explosive growth, both in industrial and domestic settings. Gartner forecasts that by 2020, there will be 20.4 billion devices connected to the internet. That is up from 8.4 billion in 2017, which is itself a 31% increase on the previous year’s figure. Arguably this rapid expansion will improve performance and productivity for individuals and companies alike. But here is where the law of unintended consequences kicks in: these devices are being leveraged to launch direct attacks, or to scale other types of threats.
Since late 2016, Trend Micro’s Smart Home Network solution, in partnership with ASUS’ Smart Home Gateway, has been giving us great insight into attack patterns. For example, in the first half of 2017 there was a 3:1 ratio of outbound attacks to inbound attacks on smart home routers. Attackers are compromising connected IoT devices like these, not as an end goal but as a means to conduct large-scale campaigns that directly target enterprises. Using IoT botnets to conduct distributed denial of service (DDoS) and brute force remote desktop protocol (RDP) attacks, they can break into vulnerable systems, extort money by threatening to take businesses offline, or even carry out malicious cryptocurrency mining. The Mirai and Persirai botnet campaigns this year were good examples of how vulnerable IoT devices give attackers a kind of scale and volume they could never have hoped to achieve through compromised computers alone.
Securing this infrastructure will not be easy, but it is possible—and vital. IoT represents an enormous global risk. There are new IoT companies emerging every week. Enterprises are embarking on projects with connected sensors in order to drive efficiency and productivity benefits. From smart homes to smart factories to smart cities, industrial IoT is here to stay.
Respected thought leaders, such as Bruce Schneier, believe the only way to rein in IoT security is government regulation. He argues that the poor state of IoT security is the result of a market failure that requires government intervention to solve. In my opinion, he is partly right: regulation is definitely needed, but it is not the only way to address the issue.
Solving IoT security at scale is a shared responsibility. Government is merely one player on a larger team. Securing IoT infrastructure is too large and complex a task to be addressed by regulation alone. Robust public/private partnerships are required to develop internationally accepted standards as well as drive the necessary short-term and long-term security innovation. This multifaceted approach will go a long way to stem the current free-for-all in IoT where makers are developing devices daily using proprietary technologies.
At Trend Micro, we are already contributing to industry-wide standardisation efforts through our free IoT software development kit (SDK). The SDK provides two key features—the ability to proactively detect threats and conduct risk assessment, as well as endpoint-level protection that activates system security when devices are under attack. Upon deployment, the kit automatically connects to the Trend Micro Smart Protection Network, using cloud machine learning technology to monitor abnormal conditions. The kit’s highly efficient core and multi-layered solution is capable of extensive support for various IoT platforms, providing the best real-time protection.
Partnership is critical for IoT security and that’s why we have focused much of our efforts on developing strong relationships with manufacturers, large enterprises and third-party integrators using industrial IoT devices. Just last month, we announced that Trend Micro IoT Security supports Mentor Automotive ConnectedOS. Mentor, a Siemens business, deploys Mentor Automotive ConnectedOS in many in-vehicle infotainment systems (IVI) and driver information systems for a variety of automotive manufacturers.
Users, when they purchase and use these devices in homes and small businesses, also have a role and responsibility to do everything they can to configure and secure them correctly. The explosive growth of IoT in the years ahead will significantly expand the attack surface for criminals, and give them new ways of going after businesses for financial gain. We need to rethink security in this context, and we need to avoid repeating the mistakes of our IT past by building a framework where Government, private industry and consumers play pivotal roles to reduce global cyber risk.
Ed Cabrera is chief cybersecurity officer with Trend Micro