When was the last time literally billions of something showed up in global enterprises, seemingly overnight? The projections are changing all the time, but Gartner has estimated that upwards of 7 million IoT devices will make their way into businesses by next year. If IT teams thought they had their hands full with BYOD security, the sheer ubiquity of IoT devices promises to be an exponentially larger burden to secure. This is compounded by the many variations in type, purpose, manufacturer, build quality and country of origin of these devices, which are poised to become instant security headaches. The accelerated growth of IoT cannot be stopped, but the way device manufacturers and enterprises improve the security posture of their IoT devices can be changed. This is the only path to safe, expedited rollouts that ensure IoT can deliver on its many promises.
Getting an IoT device quickly to market and deployed has always been the primary objective of the vendor, developer and the enterprise. Security has often been an afterthought during this quest for speed, but now is the time to reverse that psychology. As more IoT devices come online, an enterprise’s attack surface grows. And with a growing eagerness to support more 5G devices, an adjustment in how security is accounted for in the testing phase of devices has never been more important.
Putting the ‘test’ in IoT
Simply put, security needs to be embedded in every part of the testing process. It should run from early on, with developers testing for software vulnerabilities, through to the enterprise's infosec and DevOps teams testing with emulated, realistic application traffic while validating security coverage at everything from enterprise to carrier-grade network capacity. Developers and infosec teams can't work in silos. They should be collaborating from day one and be aligned on the requirements for securing an IoT device. Unlike a network switch or web portal that uses standardized interfaces and protocols, IoT devices can run on completely different protocols that are not addressed by traditional enterprise security and management measures. When that's not taken into consideration, the potential for an IoT breach runs high.
To truly improve risk mitigation of IoT devices, comprehensive testing requirements are needed, but it could be several more years before that happens. In the interim, parties that have a stake in ensuring the device’s security should follow the most credible industry guidelines available — including GSMA’s fairly new IoT security guidelines. While it’s unrealistic to abide by all guidelines, developers and infosec should curate and reach agreement on the checklist and risk assessment items in the guidelines document that both groups will abide by throughout the testing lifecycle.
A few security ‘things’ to consider right now
As IoT devices become more complex and operate in more complex environments, hackers will continue to evolve their tactics to exploit them. With that in mind, there are steps that IoT device manufacturers, and the enterprises, developers and infosec teams that deploy devices, can take right now to make significant strides toward better security practices. From Spirent's work with the expanding IoT ecosystem, here are three simple rules we often offer to anyone exploring where to start with IoT device testing:
- Eliminate vulnerability management complacency. If a vulnerability is found early on, act with urgency to patch and mitigate. Compiling known vulnerabilities and waiting until the end to patch or just after a device is deployed is not suitable.
- Stress test, and stress test some more. One of the more common tactics among hackers is a brute force attack, which tries numerous combinations of usernames and passwords to gain access to the network, often as a prelude to a distributed denial-of-service attack. Given the number of usernames and passwords accessible to hackers via the dark web, stress testing that encompasses network penetration testing and simulated cyberattacks on the network should be a given for enterprises.
- Get multiple reads on vendor security systems and software. IoT device ecosystems continue to grow, and the level of protection offered by vendor systems and software needs to keep pace. Sometimes that isn't happening, or what the systems or software can do no longer meets the ecosystem's requirements. While vendors may offer their own testing and assessments, enterprises need to make the investment to do more testing themselves.
Testing brings an invaluable level of assurance to IoT devices, but enterprises need as much confirmation as possible that the security designs and capabilities of these devices will hold when deployed. Just last summer, CTIA introduced a new IoT cybersecurity certification program, developed in collaboration with wireless providers, technology companies and security professionals, to provide a new level of confirmation. The program enables IoT device vendors to submit soon-to-be-deployed devices to authorized test laboratories for aggressive security testing that accounts for the device's security features, complexity, sophistication and manageability. In recent months, I've had an opportunity to be part of the initial certification testing in our authorized test laboratory and have come away with some interesting learnings. Numerous devices have included low-cost CPUs and open source operating systems from suppliers. There is a tendency for either or both to possess more weaknesses, largely because they haven't been updated to mitigate newer threats, including Spectre and Meltdown. The takeaway is that IoT device developers cannot simply trust a CPU and OS as being secure out of the box.
As IoT devices become more pervasive in the enterprise, use cases and functionality will continue to expand. This means devices will interact with more networks, infrastructure and components, creating an even larger attack surface that provides a constantly moving target and will need to be continuously accounted for when working to manage overall security posture. It’s why IoT device security testing can’t be conducted in silos.
A holistic approach doesn’t need to bring an overly complex testing strategy. By standardizing IoT device testing and following a consistent set of testing activities, little room is left for confusion or gaps, creating the ideal environment for device security posture to improve.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.