‘The New Normal’: Security Concerns Around IoT Inundation
The Need For Improved IoT Security In The 'Smart' Age
Digitalization is driving rapid change in the technology space – both on the enterprise and consumer sides. This transformation is fed by the unprecedented expansion of the Internet of Things (IoT) network, which is poised to hold 20 billion devices by 2020, according to Gartner.
Nevertheless, the proliferation of all things “smart” poses immense security risks; in fact, the attack surface widens significantly. Can security teams – at the enterprise level – ensure that connected devices encrypt data and have a regular patching/updating cadence? Furthermore, can chief information security officers (CISOs), chief information officers (CIOs) and all others charged with device management/oversight be sure that their devices came to market with security principles in mind?
These are challenging questions being answered only gradually, but there is certainly some “required reading” on the network: details the security team should know to both embrace IoT and spread awareness around it. First comes an understanding of the size and scope of this expansive network. Then emerge implementable best practices, based on sound research, government regulation and various use cases.
‘The New Normal’
Many technology experts have been trying to grasp the contours of this evolving space. For example, earlier this year Forbes spoke with its Technology Council to get a sense of where cyber security is headed. One Forbes segment referenced IoT device security, lending credence to the fact that the space is a formidable security concern.
Mark Benson, Chief Technology Officer at Exosite and a Technology Council member, described IoT devices as “cheap” and “easy to hack.” Because they’re visible, pervasive and geographically distributed, they make useful hacking targets. One such concern: a distributed denial-of-service (DDoS) attack.
Benson also spoke with the Cyber Security Hub at the time, saying that this digitalization trend has become “the new normal.” He labeled IoT as a macro-economic movement towards smart connected devices, sensors, data, insights and control.
The CTO added that the security challenges behind IoT are many, largely because the devices are cost- and resource-constrained. The conversation shifts to the security team, too, as IT organizations may be ill-equipped to manage the devices – they may lack the skills, tools or the knowledge to do so.
Benson said IoT has become a key driver for cyber security spending and prioritization.
What’s more, Rebecca Wynn, Head of Information Security and Data Protection Officer (DPO), Senior Director, Matrix Medical Network, also previously spoke with the Cyber Security Hub about IoT.
She said that the speed of acceptance of IoT devices could be jeopardizing the privacy of consumers and businesses. She called for usage within the boundaries of regulatory best practices.
She told the Cyber Security Hub that since the 1980s, there have been “tectonic shifts” in technology, economic decisions and policy, thus creating a “variegated landscape.” IoT fits somewhere within it.
She said IoT devices make important contributions to global challenges (e.g., public health, quality of life, industrial matters). However, with trillions of dollars on the line in the coming decade, more “global standards” are needed.
In a recent IoT Agenda piece for TechTarget, guest contributor John Grimm of Thales Security highlighted that same point – pegged to the May 15 release of the Department of Homeland Security’s (DHS) cyber security strategy.
He wrote, “When it comes to IoT security, the DHS is in a position to encourage and facilitate an increase in information sharing throughout the industry. Organizations can work together, without compromising competitiveness, to collectively increase incident preparedness and incident response.”
He used FS-ISAC and Auto-ISAC as examples of such collaboration. Grimm also said administrative password changes upon installation, and security via updates/patches should be minimum standards.
It is also apparent that different encryption methods will be needed to retain and cloak sensitive data collected on IoT devices. Outside of that, two-factor authentication should become standard practice. Other identity and access management (IAM) tools are also emerging, namely biometrics and customized entry onto platforms and devices. These methods can prove immensely important in an age where “smart” devices can be harnessed to inflict physical damage (industrial, medical, etc.).
In a guest piece for The Hill, Dr. Gilad Rosner, policy researcher and founder of the nonprofit Internet of Things Privacy Forum, said that on the regulatory front, lawmakers in the U.S. can start to secure the IoT space by outlining jurisdiction for the enforcement of privacy regulations on connected devices. He pushed for an “omnibus privacy law” to fill the gaps left by industry self-regulation. Lastly, Rosner also said a single framework (much like the European Union’s General Data Protection Regulation, or GDPR) could provide much-needed clarity and a workable baseline.