
What do we need to make IoT security a reality?

As standards and security models emerge, security professionals can take steps today to improve Internet of Things security.

Information technology is evolving, and security is failing to keep pace. Computing is becoming more pervasive in our daily lives as everything from cars to industrial control systems to refrigerators is interconnected and sending or receiving data from mobile applications and cloud services. We need holistic security approaches to keep up with this growing Internet of Things (IoT).

While an attack on a smart thermostat may seem insignificant, the Target breach -- in which information on more than 70 million of its customers was compromised -- was the result of poor security of the heating and ventilation management and control systems in the company's stores. Other high-profile IoT attacks have surfaced, from the Carna embedded-device botnet and TRENDnet's Web camera exploit to the Linux.Darlloz worm, and the Thingsbot attack discovered by Proofpoint, a security as a service provider.

A lack of security

The diversity of IoT devices is dramatically increasing the attack surface for exploits and malware. A report from HP Security Research presented results for the top 10 consumer devices and found a staggering number of vulnerabilities (lack of transport encryption, insecure Web interfaces, authorization and software protection issues) and privacy concerns.

Poor IoT security results from two main problems: 

  • The race to market for new devices means that security is not included in the design, or it is severely limited or poorly implemented. 
  • Developers of legacy embedded systems in areas such as manufacturing or transportation didn't consider security controls, because these systems originally were isolated and air-gapped from IP networks. Those air gaps are quickly disappearing as industrial control systems are increasingly networked and remotely managed. 

The HP study showed that even basic security principles that have been taught for more than 20 years, such as strong passwords, aren't making it into the product development cycle. What can we do to improve IoT security?


Join the conversation



Bottom line: Consumers and companies may not be smart enough to be trusted with smart devices just yet. There need to be better rules in place to protect our data.
I wrote a piece on this recently where I lamented the divide between IT and the commoners within an organization. Until there's some understanding of how each side operates, we're going to be saddled with that divide.

For example, if an employee is connected to systems via his own hardware, company-issued laptop, and other devices, then the folks enforcing security have to find a way to make it all work. If the simple answer is that employees can't connect if they're outside the facility, then that's not a good answer for the viability of the enterprise.

We need to find a way to protect our data and IP without handcuffing the folks who need this information at their fingertips to do their jobs. This will be an ongoing problem in my opinion...and it probably won't ever change because we're only going to increase the rate and regularity with which we work from everywhere.
The more complexity we add and the further out we push that complexity, the greater the odds that the systems will be ripe for exploitation. Short of implementing a device level firewall for each node, the end nodes need to be developed in a way that the communications back and forth can be secured and encrypted so that tampering is, if not eliminated, at least made much more difficult.
Just like following WWW specification in developing standards for computer languages, there should be rules defined for developing these smart things.
One thing that will help is the development of standards within the IoT world. Right now, there are two competing camps working on standards (see this article). It’s certainly a Catch-22, with the diversity of devices complicating the adoption of standards and industry-wide standards needed to help handle and promote security for the diversity of devices.
A good firewall and locked-down home network are a must. I honestly cannot believe what they are connecting to the internet these days. We are just asking for trouble when we start adding the ability to unlock doors to our homes. One hack or breach of your mobile device that controls these and you just gave them full access to your life.