When Jeff Wright, cybersecurity manager at RTI Surgical, a global surgical implant company in Alachua, Fla., began expanding the company's security program, one of the first challenges he faced was how to know when a new device connected to the network.
"It was an issue to determine what's on my network, because once something gets on your network -- no matter how it got there -- you don't always know it's there," Wright said.
Although vulnerability assessments and penetration tests uncover security vulnerabilities, the provider of biologic, metal and synthetic implants said, they very seldom happen daily, let alone hourly or up to the minute.
"I needed to find a way to do that without burying me in a lot of custom applications or custom coding," Wright said.
While attending various security conferences and exploring IoT security companies, Wright heard about Pwnie Express, a Boston-based firm that helps companies detect devices on their networks that might pose threats. After researching Pwnie's technology, Wright decided it was a good fit for what he wanted to do.
"It does give me vulnerability visibility because it sits on my network and sits on my wireless and can tell me about Bluetooth devices that are coming into my network that I didn't necessarily know were there," he said.
As the number of connected devices continues to skyrocket, so too does the number of IoT security challenges.
The big problem is that most of these connected devices, such as printers, smart thermostats, medical devices and even coffee pots, that enter the enterprise aren't secure.
"One of the first things you need to do to secure the internet of things is to do an inventory -- knowing what things you're connected to or what things are connected to you so you know what you need to protect," said John Pescatore, director of emerging security trends at SANS Institute in Washington, D.C. "That's mostly what Pwnie Express does -- and that's very key."
Pwnie Express' software-as-a-service device detection platform, Pulse, provides enterprises with a complete picture of networked devices, said Dimitri Vlachos, Pwnie's vice president of marketing.
"We allow you to come in and discover every device that is on your network and your airspace; we look in wireless, we look in Bluetooth, we look in cellular," he said. "We're able to see all the devices that are on your network or in your environment and have the potential to interact with your network."
Pwnie continually tracks all the devices, scanning them to see if they have vulnerabilities, according to Vlachos. Then the company's threat detection analytics determine whether there are connections that shouldn't be happening between trusted devices and non-trusted devices.
Wright said RTI Surgical went through a proof-of-concept stage with Pwnie's technology in the first quarter of 2016 and now the company is close to a full deployment across its 14 locations in the U.S. and abroad.
"In the first couple days it had inventoried one of my smaller networks and I saw all these devices that nobody in IT even knew were out there," he said. "Now imagine if these had been bad guys -- they're sitting on my network for years just pushing data right out the firewall and nobody knows they're even there."
For example, Pwnie uncovered a "little weird device" on RTI's network that was running the Linux operating system. After a closer look, Wright realized that the device was running the air conditioning system in buildings where accurate climate control is critical.
"That was a huge deal for us. What if someone were to shut down some coolers or mess with the temperatures?" he asked. "Maybe they're doing it to destroy tissue. When you have tissue that gets destroyed that has a negative impact on people who were expecting that tissue to be there or those devices to be ready."
Pescatore said knowing what is connected to a network and understanding where the vulnerabilities are allows a company such as RTI to fix or shield those vulnerabilities so its own devices can't be used in an attack.
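The inventory-first approach described above (know what is connected, then flag connections between trusted and non-trusted devices and traffic leaving the firewall unnoticed) can be sketched in a few lines. This is an added illustration, not Pwnie Express code; the asset inventory, the flow records and the 10.1.0.0/24 segment are constructed for the example.

```python
"""Inventory-first detection over constructed flow records (hypothetical example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed baseline: what IT believes is on the network. The HVAC controller
# is known but not yet vetted, like the "little weird device" found above.
KNOWN_ASSETS = {
    "10.1.0.10": {"name": "erp-db", "trusted": True},
    "10.1.0.21": {"name": "lab-printer", "trusted": True},
    "10.1.0.40": {"name": "hvac-controller", "trusted": False},
}
INTERNAL = ip_network("10.1.0.0/24")  # constructed internal segment

# Constructed flow records: (src, dst, dst_port, bytes sent by src)
FLOWS = [
    ("10.1.0.21", "10.1.0.10", 445, 2_000),
    ("10.1.0.40", "10.1.0.10", 22, 500),            # unvetted device -> trusted server
    ("10.1.0.77", "203.0.113.9", 443, 50_000_000),  # host nobody inventoried, large egress
]


@dataclass
class Finding:
    kind: str
    src: str
    dst: str
    detail: str


def classify(addr: str) -> str:
    """trusted / untrusted for inventoried hosts; unknown for uninventoried internal hosts."""
    if addr in KNOWN_ASSETS:
        return "trusted" if KNOWN_ASSETS[addr]["trusted"] else "untrusted"
    return "unknown" if ip_address(addr) in INTERNAL else "external"


def analyze(flows, egress_threshold: int = 10_000_000) -> list[Finding]:
    """Apply the three checks the article describes to each flow record."""
    findings = []
    for src, dst, port, nbytes in flows:
        s, d = classify(src), classify(dst)
        if s == "unknown":
            findings.append(Finding("new-device", src, dst, "source not in inventory"))
        if s == "untrusted" and d == "trusted":
            findings.append(Finding("untrusted-to-trusted", src, dst, f"dst port {port}"))
        if d == "external" and nbytes >= egress_threshold:
            findings.append(Finding("large-egress", src, dst, f"{nbytes} bytes out"))
    return findings
```

Feeding real DHCP lease, ARP or flow exports into `FLOWS` is the only change needed to run this against a live inventory.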
As billions of physical objects become network-enabled, enterprises are also looking for IoT security companies to help them not only identify but also authenticate devices connected to IoT so those devices can securely communicate with each other.
"IT personnel and security systems are often unfamiliar with the technology and the protocols they use to communicate so they are underprepared to protect and manage them," said David Monahan, research director of security and risk management at Enterprise Management Associates Inc. in Boulder, Colo. "This leaves us with a rapidly expanding IoT footprint that is used for scale, cost cutting and convenience, and no standards for interface, control and lifecycle management, but with significant security gaps."
IoT security companies take on IoT authentication
Where Pwnie specializes in device discovery, Pescatore said, other IoT security companies, such as Rubicon Labs Inc. and Device Authority Ltd., focus on an identification and authentication approach to internet of things security.
"The strategy of Device Authority and Rubicon Labs is more focused on making sure things aren't vulnerable, and the authentication side of things to make sure that the only things that connect to you are ones you've authorized," he said.
Pescatore admitted this is a tougher task than the discovery part.
San Francisco-based Rubicon Labs offers a cloud-based key provisioning and key protection platform for securing IoT devices and the data they generate. Its approach relies on a system of provisioning a "vault" in device memory. The key used to secure this vault is the result of a one-way hash such that the key never appears in memory. The keys are thus effectively "invisible" while still protecting secrets for authorized users. The use of these "zero-knowledge keys" is thus unseen by senders, receivers and hackers alike, according to the company.
"The company has developed a novel way to use cryptography to strongly authenticate IoT devices and encrypt the data they generate, all within the bounds of the technical limitations of most IoT devices," read a report by 451 Research.
Rubicon Labs allows each device to be uniquely identified and authorized, down to the smallest microcontroller, so no other device can get on a company's network claiming to be that device, said Rod Schultz, vice president of product at Rubicon Labs, adding that one of the use cases for Rubicon Labs' technology is in healthcare.
"We see a lot of need to encrypt and protect data and software that's being run and generated on small medical devices," Schultz said. "So insulin pumps, cardiac monitors, anything like that because today the tools to attack are there and the motivations to attack are there. We're looking at securing those devices."
Schultz said Rubicon Labs is also talking to companies in the automotive space.
"You have systems designed in automotive 10 or 15 years ago with the assumption that the [car] was on an island and the [car] was secure based on the fact that no one could communicate with it," he said. "But when you start to connect devices like cars that you were never supposed to connect to a network in the first place, you have a problem."
Other IoT security companies have other methods for IoT authentication. London-based Device Authority's KeyScaler platform lets customers securely register, provision and update their devices through active, policy-based security controls designed to protect IoT applications and services.
The KeyScaler platform includes the ability to create dynamic keys on the fly without having to store the keys anywhere, said Robert Dobson, director of presales at Device Authority.
"That's quite a powerful thing," he said. "You're not storing any keys; you're basically reducing your attack surface. You're trying to narrow down the possibility that someone will get access to your data. What it means is that we can generate keys dynamically on the device. And it's a session-based key. So for the duration of the session, we have a unique key and as soon as the session is torn down and you want to build up another session, you generate another key."
Device Authority is looking at securing the internet of things from a holistic point of view and trying to secure data all the way from the endpoint to the cloud where it is consumed, Dobson said.
"What's also key is how you onboard your devices securely to your back-office server platform so you know that the device that's connected to the platform is what it says it is and somebody hasn't spoofed the device and is trying to do some damage to your system," he said.
Then the challenge for enterprises is how to manage who gets access to the data in their cloud platforms and what granularity they give to which people.
"So you have to set policies around how and who gets access to that data," Dobson said.
The benefit of Device Authority's data-centric approach to its IoT security platform is pretty straightforward, Monahan said.
"Once the device has been authenticated so you know the data is coming from a verified source, the data can be encrypted using a symmetric key algorithm," he said. "So no man-in-the-middle attacks can be leveraged, nor can the data be read by unauthorized parties."