Securing the future of IoT; poor implementation will weaken security
Securing the future of IoT; poor implementation will weaken security
We are at the very beginning of the Internet of Things (IoT) revolution.  The combination of increasing network speeds, advanced sensors and big data analytics will soon enable a greater level of awareness, understanding, and insight into the world around us than ever before.  Businesses are on track to employ more than three billion connected ‘things' in 2017, and by 2020, Gartner expects to see 20 billion ‘things' connected to the Internet globally.  

A recent report from Cradlepoint, ‘State of IoT 2018', found significant levels of interest in IoT from IT leaders in the US, UK and Canada, with more than 69 percent of companies surveyed saying they had adopted or planned to adopt IoT solutions within the next year.  The far-reaching possibilities of IoT have captured the attention of decision makers at all organisational levels, from the front line to the C-suite. 

When IoT attacks

IoT deployments are now perhaps the most anticipated – but least understood – of IT initiatives today.  The security risks are already evident.  Failure to secure an IoT network can expose an enterprise to the threat of internal pivot attacks, where one compromised IoT device can give an attacker access to the whole network.  On a global scale, IoT botnets are already gaining speed.  In 2016, the Mirai botnet trawled the Internet to brute-force its way into easy-to-compromise devices.  Eventually these devices were used to launch a massive DDoS attack, playing havoc with many of the world's most popular websites. 

In many ways, Mirai was a textbook example of IoT's dangers.  After taking control of poorly secured devices, the botnet perpetrated crippling DDoS attacks that pivoted to vital resources on core networks.  The dangers of insufficient – or nonexistent – network segmentation played out on a worldwide stage. 

Yet nearly a year after the discovery of Mirai, it seems that many IT pros have not absorbed the lessons of that attack.  Cradlepoint's recent State of IoT Report suggests many organisations are preparing to implement IoT in-house.  The survey found that half were designing their own network architecture to support IoT, while 57 percent preferred to manage their own IoT device security.  Significantly, almost half of those surveyed planned to implement IoT on their core enterprise network, using legacy network approaches associated with known vulnerabilities

Repeating the mistakes of the past

There is no sugar-coating it: organisations that plan to implement, house, and manage IoT in-house are taking a ‘back-to-the- future' approach.  IoT is part of a fundamental shift forward in enterprise networking – towards a cloud-enabled ‘consume' approach – and yet most companies plan to implement IoT in a way that parallels an outdated way of ‘DIY' networking. 

Perhaps ironically, the most popular application for IoT today is security.  The ‘State of IoT' found approximately 71 percent of respondents who already use IoT technologies are using it for building security.  These are the very types of devices Mirai used to perpetrate its attack.  In an effort to increase physical security, IT teams are undertaking projects that could make their companies less secure — in both the physical and digital realms — than they were before deploying IoT. 

Closing the IoT divide: a strategic security assessment

Security is one of the most important factors driving IoT adoption — and one of the biggest associated risks.  It is crucial for those driving IoT adoption to convene all stakeholders and determine criteria for success.  From a security perspective, IoT leaders have several questions to ask, including:

To what degree will IoT increase the network's potential attack surface?  How will the organisation scale security efforts to match this growth? 

Which users, devices, applications, and data centres need a connection to the IoT system?  How will that access be granted and managed? 

Does the IT team, with its projected resources, really have the ability to own tasks like micro-segmentation and policy orchestration in-house? 

Does the organisation currently employ a prevention-focused security strategy? Should prevention efforts fail, how will the organisation detect a security incident or breach? 

How might investment in a multi-layered security strategy impact this project? 

Should this project use a Software-defined Perimeter (SDP) for greater network security and management? 

Of all the potential security risks associated with this IoT system, which pose the greatest threat to the business? 

This is by no means an exhaustive list.  It does, however, provide a framework of key considerations during the IoT planning stage.  While there are many factors that go into a successful IoT deployment, network security should be a foundational consideration from the inception of the planning process, not as an afterthought. 

Contributed by  Ken Hosac, VP of IoT strategy and business development at Cradlepoint