To put the enormity of the Internet of Things (IoT) into perspective, according to sources like Business Insider, IoT Analytics, Gartner, and Intel, there is expected to be more than 64 billion IoT devices by 2025. According to PwC, business investment will account for more than half of the overall spend in IoT next year. IoT is only going to be more prevalent in both personal and business endeavors. The question is, how is this impacting cybersecurity today and going to in the future?
“IoT Does Not Only Mean IP”
The technology community needs to recognize that, whether hardware, software, or services, that IoT isn’t only IP (Internet Protocol) based technology. It is Bluetooth, LoRa (Long Range), MQTT (Message Queuing Telemetry Transport), and a myriad of other protocols that either talk over IP or operate separately from IP networks. For context, according to Postscapes. com, there are over 20 different protocols used with IoT technology just for data transport functions.
With this said, many of the types of networks that heavily leverage IoT (industrial controls, etc.) may have sensors and controllers that eventually backhaul over IP networks. However, this is not always the case, and even if they eventually do, you still must account for how the device communicates initially, the data payload it’s carrying, and any security vulnerabilities that exist before reaching an IP network (and after of course).
“There is No Such Thing as the Perimeter Anymore”
While this isn’t technically true, it is accurate to say that modern networks today don’t look anything like they did ten years ago, thanks in large part to IoT. Other than cloud services, no other technology has done more than IoT to disrupt the paradigm of a network perimeter. Why does this matter?
Traditional ways of segmenting networks are no longer valid, for a variety of reasons. One, the ubiquitous nature of IoT technology allows these sorts of devices to enter and leave a network environment freely. As such, this poses additional hurdles from a cybersecurity perspective. Any security control you put in place will need to be able to dynamically address the addition and removal of devices participating on your network, regardless of protocol.
"The hope is one day technology vendors and manufacturers will adopt privacy by design and create industry standards into their development processes but until that day arrives, IoT will continue to change the cybersecurity landscape for all"
Additionally, the nature of where IoT devices reside has a huge impact to this concept of the network perimeter. For example, both Microsoft and Amazon now offer virtual IoT cloud services/devices. So, in order to access these IoT resources, the ingress and egress is now outside the traditional local network. In some instances, the IoT devices themselves may not be in the cloud but are talking to a cloud service for data processing. A good example of an emerging industry doing this is building controls and automation.
“We Can’t Manage IoT like What’s in Our Networks”
Other than email-based compromises, one of the biggest attack vectors for any organization are system vulnerabilities. While many companies still find operationalizing their approach to vulnerability management a challenge, this is hardly a new one. Many tools and resources exist to address this within traditional networks, but what about IoT devices? While there are spot solutions, they tend to be focused on a subset of IoT technologies. For example, devices that utilize the ARM processor may be able to use their Device Management Update service. Of course, this only applies to ARM-based technology - what about other aspects of device management? What about enterprise-level remote administration functions that allow one to query firmware versions and push updates across all networks? What about validating local admin passwords have been reset from the factory default? How about ensuring that web-based remote access is done via SSL? Things that we take for granted with tools used in traditional networks are often not available or, if they are, cost-prohibitive and/or enterprise in scope and reach.
“IoT Brings the Risk of Data Privacy to a Whole New Level”
In order to effectively manage data privacy within an organization, one must be able to determine what data exists in the organization, which is easier said than done for most. Add to this the complexity of multiple types of IoT devices, talking in numerous protocols, located in different areas of the enterprise. What many don’t realize is the nature of the data collected from one IoT device to another can be as varied as the different types of devices themselves. IoT devices can be as simple as an occupancy sensor to as complex as a multi-function Virtual IoT device in Azure. What all these different devices do is generate and collect data. IoT becomes an extension that we all face today – what is the data at hand, and what is its sensitivity? Is the data innocuous on its own, but when aggregated with other ‘innocuous’ data, it exceeds the privacy threshold?
“Going Nowhere Except Forward”
The bottom line is IoT is only going to grow in reach, scope, and risk. As cybersecurity professionals, we need to plan for this factor in this new dimension of risk in our planning and operations. Additionally, the vendor ecosystem needs to step up and do their part to help find solutions to the above challenges. The hope is one-day technology vendors, and manufacturers will adopt privacy by design and create industry standards into their development processes, but until that day arrives, IoT will continue to change the cybersecurity landscape for all.