Security has been the subtitle for all discussions about the internet of things. But a lot of that discussion has been based on some bad assumptions and misinterpretations. IoT can be secured, but just not in a lot of the ways that are being discussed. Here are six of the most common IoT security myths and the reality behind each of them.
1. Lightbulbs and industrial robots are secured the same way
IoT is really a superset of two very different technologies. The first part is what we think of most with consumer-grade tech: think lightbulbs, TVs and vacuum cleaners. The second part is operational technology, or OT: industrial robots, water turbines, elevators and power plant relay actuators. The essential difference is that OT is serviced and maintained by a dedicated team, usually closely backed by the vendor, whereas IoT, as consumer-grade tech, is not. This difference is significant to how they are secured, and to the impact of being insecure. OT vendors, however, are typically less experienced than IT vendors in the ways of security. This is a rough differentiation though. Cars, for example, although a consumer technology, are in the OT classification because of manufacturer involvement.
2. Standards will secure IoT
This is a common myth. I hosted an OT/IoT roundtable in the UAE, and the majority voted that they believed standards would fix the IoT security problem. This is certainly how things should work when viewed through the lens of safety: safety standards work well in OT and IoT, with established national standards bodies and labs. However, the reality is much different.
There is hope, but no time soon will standards play a role of any impact. Standards play almost no role in IT security today, so our hope for them in IoT is aspirational.
3. IoT vendors will start patching their devices
Product makers don’t want insecure stuff. All IoT is patching-challenged, but for different reasons. This short description won’t completely do the topic justice, as this is a very nuanced and complex discussion.
OT teams do have a strong desire to patch; however, their software update cycles are often orders of magnitude slower than IT patching. Many OT devices will never see a patch, so the development and delivery of time-critical security patches is not part of their corporate DNA. Similarly, patch management is not traditionally part of the OT group’s DNA — there is no “Turbine & Water Filtration System Monday” equivalent to Microsoft Patch Tuesday, nor are patch management tools often in use in OT environments. Much of the patching must be done locally and manually.
IoT has different issues with patching. Most IoT devices were designed without any prospect of patching. Some IoT vendors do not keep a software team in house, making patching problematic. A portion of IoT software is embedded in firmware — chips containing the flaws that can require a replacement — meaning usually the whole device must be replaced. I spoke with one IoT component manufacturer that told me it would add about $0.02 per chip for them to extensively test code and provide patches for security vulnerabilities, whereas the price of their nearest competitor was $0.01 per chip, and the manufacturer said the company had never had a buyer factor security into a purchasing decision.
4. OT will make it all better
What is not a myth is that there is usually tension between enterprise IT departments and the OT staff responsible for the technology of the shop floor or production environments. The OT teams certainly know their environments best; however, they come less equipped and experienced than IT staff concerning modern threats and patch management techniques. OT teams usually lean on their familiar vendors — the manufacturers of the equipment. However, these vendors reflect the OT teams in that they are slow to adapt to the new and incredibly hostile environment. Most of these vendors do not even have any kind of bug bounty or vulnerability research interface. Think about it — OT and their vendor-scape are required to go from 0-100 overnight; from an air-gapped low-threat world to an IP-enabled one attacked by nation states and custom-crafted malware. OT teams do understand their environments the best, so they are rightly skeptical of IT teams. Which leads us to …
5. IT will make it all better
Early on in IoT and OT security, it was assumed that the current IT techniques would be the fix. Just do what we do on the corporate network and everything will be alright. Unfortunately, it was immediately evident that things weren’t business as usual. Not everything is IP-enabled, we cannot risk connecting critical infrastructure to the corporate environment, the service-level agreements for outage or downtime were several orders of magnitude less forgiving than in IT, strange protocols were involved, and there was little if any coverage of these devices by vulnerability research. IT security has the triad of CIA as its foundation: confidentiality, integrity and availability. Suddenly, a new leg was added to that: safety. IT security and ops departments were not equipped to perform their current tasks with that level of impact.
IoT under IT is a bit better than OT, but still requires flexing which IT departments may not be willing to undertake. Most studies predict that IoT devices are growing at rates orders of magnitude greater than IT devices. Most IT security products are not equipped to deal with the scale of IoT, even if the teams are willing. For example, most security information and event management products are already being challenged to handle the alert load, as are firewalls by the number of connections per second. IoT adds an approximate 10x load in most enterprises, with IT departments again often unwilling to take on the load of managing and securing what don’t appear to be devices in their realm of responsibility. IT does not have the IoT security answer today. But that doesn’t stop the threat landscape from using IoT as an attack surface in the interim.
6. Special IoT security products will fix it all
Early on, there were IoT-specific security products that emerged. They tended to be either wireless focused — a good thing, since so much of IoT connectivity is wireless based — or from the OT device manufacturers. However, the impact has been limited. OT manufacturers have been slow to bring effective products, and the slow release of real dollars for OT and IoT has alienated vendors. The critical issue is that most IoT and OT security technologies are not linked to corporate IT security groups that are already organizationally decoupled, making the job of a security operations center response almost a manual task of calling coworkers to find out information.
The answer will most likely be via partnerships between OT vendors and IT security vendors, taking the already advanced security technologies and hardening them to work in the organizational, cultural and technical OT environments. IoT is a more difficult issue in that these “unpatchables” must be segmented and surrounded by intrusion prevention systems and antimalware. Instead of a pre-patch shield, this becomes a never-can-patch shield. Segmentation and shielding, especially via wireless connectivity, become the future state.
The bottom line is that not all IoT is created equally, and can’t be secured equally. But IoT is here and the baddies know it to be a soft underbelly. The “two solitudes” of the organizations representing IT and OT can together secure OT, but it is up to mostly IT to embrace and secure consumer-grade IoT technologies. Don’t fall into the traps set by these myths — be informed and get to work now on fixing these … things.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.