The internet of things has upped the ante on IT security. Whether it's an office, a retail store or a production line at a factory, security managers need to worry about locking down many endpoints today, sometimes in excess of 100,000. A recent TechTarget survey of IT practitioners worldwide found that security was seen as the second largest issue to be dealt with in IoT (interoperability was the first).
As one might expect, there are dozens if not hundreds of companies looking to solve IoT's security ills, making it all but impossible to gain a coherent view of where security in IoT might be headed. Instead of attempting some kind of misleading sense of coherence, here's a quick view of four companies offering three different approaches to IoT security.
Adjusting and patching
"There's little question that the threat environment has grown rapidly," said John Reno, who heads up IoT product and solutions marketing at Cisco. "While serious attacks are less probable, the impact is far more significant. Companies managing IoT environments are worried about protecting their critical assets; they are concerned that an attack can take out the energy grid or bring down a production line."
Merritt Maxim, a senior analyst at Forrester Research, said people in the industry have to adjust to ensure security in IoT.
"Patching an IoT system with embedded devices is different from patching a Windows machine," he said. "Many industrial systems also have legacy code. Awareness is up, but it's just taking time."
Given the threat, security and network managers need tools that can offer visibility into these emerging IoT environments that blend traditional IT systems with legacy production line or line-of-business systems. Products such as Cisco's ISA 3000 deliver visibility into both IT and operational technology networks, management of which has been largely separate until now.
Reno said in developing the ISA 3000, Cisco built a ruggedized version of its ASA Sourcefire software stack. The product lets security managers segment networks as well as provide logs of the operations environment.
Merritt Maximsenior analyst, Forrester Research
"In the past, this work required a lot of manual operations," Reno said. "The ISA 3000 offers a way to [manage IT and OT] cleanly."
Reno said the ISA 3000 also lets security and network managers administer the network remotely.
"Keep in mind the nature of a global manufacturer with operations all over the world," he said. "In today's world, if there's an issue with a robot on a factory line in Ohio, it may be a service technician in Japan who accesses [and then acts on] all that specific log data on the routers, switches and firewalls."
Locking down access
Secure access and authentication has always been an important issue for security managers, but it becomes even more complicated when addressing security in IoT environments. A user on a factory floor, for example, wants to just authenticate one time to gain permission to the systems and applications he needs to do the job. With so many devices and smart sensors on a factory floor, companies don't want a user to authenticate every time he accesses a device or an application.
"A user can authenticate with Cisco ISE and then use our single sign-on to gain access to applications," explained Patrick Harding, CTO at Ping Identity. "Once they authenticate in ISE they can access SaaS apps such as Salesforce or any other applications without having to reauthenticate."
Harding said users can authenticate using open identity management protocols such as OpenID Connect and SAML. "There's really no need to do something new, we authenticate using standard protocols that have been in use for a while," he said.
These open identity management protocols are also important to developers writing IoT applications.
Jaime Ryan, senior director of product management and strategy at CA Technologies, said that developers don't want to worry about authentication; they just want an open system so they can use the identity management solution of their choice and know that security is built-in.
Ryan said CA's Mobile Apps Services lets developers focus on writing new applications for smart cars or medical devices without having to worry about the identity management technology.
"Security is built in end-to-end," he said. "Now, developers can focus on what they do best: Build applications to make organizations more collaborative and productive."
As companies build IoT environments and run more applications over the cloud, they have to find ways to communicate the new IoT devices and applications that run over IP with legacy SCADA equipment. Most software for the devices in factories and even medical installations has a lifespan of at least eight to 10 years -- longer in many cases.
Machfu has developed a translation gateway that takes legacy SCADA information and coverts it for use in modern IoT systems.
"We take the legacy SCADA systems and translate it into IP," said Prakash Chakravarthi, the company's CEO. "As organizations take data and applications out to cloud services like Microsoft Azure, there's a way to work with that legacy information."
S&C Electric Company sees great potential use for a translation gateway. The company has a long history providing technologies that can reduce grid outages to a matter of seconds. But as the internet of things develops, it will be more necessary for them to traverse both legacy and new communications protocols.
Donivon Hettichdirector of grid control and connectivity, S&C Electric Company
"The industrial internet of things is about enabling communications for both legacy and new grid edge devices," said Donivon Hettich, director of grid control and connectivity at S&C Electric.
"As more communication technologies evolve, there's a need to interoperate with and leverage incumbent communication networks," he explained. "Security in this context must be considered in an end-to-end manner and must be considered as a progression, or evolution. That's why we think going forward, IoT gateways will become more necessary."
IoT has enormous potential, but organizations need to have confidence that malicious hackers won't disrupt their systems. There's really no one-size-fits-all product that can guarantee security in IoT environments. Deploying any new tool must be in concert with a well-thought-out defense-in-depth strategy that includes antivirus software, firewalls, intrusion protection and sandboxing. Don't think those tools will go away.
Before taking on a new security tool, ask the vendor to explain its IoT strategy. It's not enough to secure IT systems anymore. Companies need products that can function in both the IT and the company's legacy line-of-business environment, whether it's a factory, hospital or an electric company looking to modernize.
Security in IoT deployments is about visibility of IT and operations, secure authentication and single sign-on, an IoT development environment that builds security in from the get-go, and translation gateways that can function in both legacy and IP environments. The good news is that products are ever-evolving as more IoT devices get deployed to ensure security in IoT in the first place. The bad news is that in shorter supply are technology managers who can see the big picture and make sense of it all.
Get up to speed on the challenges of -- and solutions to -- IoT security challenges
Ten IoT security myths debunked
Don't let security hinder your IoT deployment