Information Security

Defending the digital infrastructure

Stranger things: IoT security concerns extend CISOs' reach

The internet of things has drastically expanded the scope of what enterprises need to protect, adding challenges big and small to CISOs' responsibilities.

Connected devices, with the plethora of data they provide, play a critical role in enterprise digital transformation. But IoT security concerns are proving to be speedbumps -- if not outright roadblocks -- to adoption in many organizations.

Consider this statistic: Gartner found in its most recent "Internet of Things Backbone Survey," published in 2017, that 32% of IT leaders list security as a top barrier to the internet of things.

Attacks that use unsecured IoT devices have shown that there's more than compromised data at risk. They can cripple critical systems, a potentially catastrophic problem as IoT extends to automobiles and healthcare devices where lives could be at stake.

The internet of things has also drastically expanded the size and scope of what security teams need to protect, adding IoT security concerns to CISOs' responsibilities.

 "It's meshing business knowledge with the technical knowledge to develop your risk framework and validate that the security measures you have will work with the operational requirements for IoT initiatives," said Barika L. Pace, a Gartner research director focused on IoT strategy.

'Software is already in crisis'

Gartner predicted that by 2020 there will be 20 billion internet-connected devices in use, with IoT connecting everything from jet engines and commercial vehicles to manufacturing equipment and office equipment to personal cars and consumer electronics.

That staggering number, along with the range of device manufacturers, creates a vastly larger and more complex environment for enterprises and their CISOs to secure, said Balakrishnan Dasarathy, professor and program chair for information assurance at the University of Maryland University College's graduate school.

"This is the issue with IoT that you didn't encounter before," he said, noting that many of the players in the IoT space aren't "traditional software people."

"Software is already in a crisis, and now there are billions of billions of devices being manufactured by hardware makers; if they don't have good software, they'll be vulnerable to attacks."

The scope of IoT's reach is another new, or at least heightened, element of cybersecurity risk, Dasarathy added. Case in point: The 2016 Mirai botnet distributed denial-of-service attacks that used unsecured IoT devices.

The internet of things, by its very design, extends enterprise technology infrastructure farther and farther out, computerizing devices whose functions, if corrupted, could mean catastrophic results. CISOs now must worry not only about compromised or stolen data, but also the potential for bad actors to hijack vehicles, heavy machinery and medical equipment.

Contending with the risks

Taylor Lehmann, CISO for both Wellforce and its academic hospital, Tufts Medical Center, has seen that kind of risk grow over the past two decades as the Massachusetts-based healthcare system has expanded its IoT infrastructure.

Now he oversees security for an organization whose connected technologies include secure wireless infusion pumps and heart rate monitors, as well as heating, ventilating and air conditioning units; research-critical refrigerator systems; and traditional computer equipment, such as servers, PCs and mobile devices.

"People talk about IoT being the new, hot thing, but it has been there almost 20 years in medical care," he said. "What has changed is the number of these devices and how many of these devices are vulnerable."

Like Dasarathy, Lehmann sees the sheer scope of IoT, the number of players in the space and the devices' inherent features as IoT security concerns for CISOs. Many connected devices can't be patched or updated, nor do they have security features such as basic encryption and two-factor authentication.

"One of the challenges we've had in securing the devices is trying to apply the traditional-device security approach. Most can't take antivirus [software]; some can't be patched; some don't even have operating systems," Lehmann explained.

"Take a desktop PC -- a commodity piece of equipment on anyone's enterprise network that's designed for the enterprise -- and for highly regulated businesses, you can reflect your security policy in an automated way; you can be more specific and define how you enforce security policy. But on IoT devices, you can maybe do that with 50% of the devices, and the other 50%, you have to rely on users and/or accept the risk."

To mitigate IoT security concerns, Lehmann uses asset and inventory management technologies and network access control tools to determine and track what devices are connected to the network and to control where and what systems each device can access.

Enterprises take action

Prakash Venkata, a principal with the cybersecurity and privacy practice at consulting firm PwC, said enterprises are maturing their security practices as they adopt more IoT technologies.

Venkata pointed to PwC's "Global State of Information Security Survey 2018," which found that 67% of respondents either have an IoT security strategy or are now implementing one. That figure is up 5% over the previous year.

"Organizations need to have a framework in terms of how they're going to be delivering and building these IoT environments: What are the standards, and how can they keep them compliant?" Venkata said, adding that the maturity of IoT security strategies varies from one organization to the next -- just as the level of IoT adoption does.

Although IoT in some ways presents new challenges due to the size and scope of the technology, Venkata and other experts say effective IoT strategies build on long-held security tenets of having the right people, processes and technology.

Three areas to watch for IoT security

Gartner has identified three sets of security challenges that enterprises face as they develop their IoT strategies. The first challenge is finding the right talent.

Cybersecurity professionals in general are difficult to find and hire; Gartner estimated that there's a 0% unemployment rate and has found that it typically takes companies six to nine months to hire a new security team member.

But securing IoT devices requires someone who understands their unique combination of software and hardware as well as the scope of their attack surface and potential attack vectors.

"We need security people to have a very diverse background, a background not just in network trafficking or infrastructure or threat detection, but also with operational knowledge," Pace said. "They need to understand malware, and how equipment works and functions, to understand if what they're seeing is an anomaly or if it's regular traffic."

The second challenge for enterprise security leaders is understanding, even anticipating, how bad actors are monetizing IoT attacks. Pace points to 2017 news reports about thieves using high-tech devices to override keyless security systems in connected BMWs, allowing them "to hop in and start the car and drive away."

"The ways they can monetize [are] so much broader," Pace said, "so you'll also have to have a broader security blanket."

The convergence of traditional IT, operational technology and IoT is the third challenge area.

"All these things we once thought about in separate buckets. We thought about our Windows machine as not in the same category as, for example, an X-ray machine or [the company's] social media platforms. But they're all now connected," Pace said. "They're all converging so the way in which criminals attack can penetrate all areas." --M.P.

Successful IoT strategies start with an inventory: Organizations need to discover and identify devices connecting to their networks to know what they must secure, said John Pescatore, the emerging security trends director at SANS Institute, an information security training organization.

From there, experts say organizations should use network segmentation, asset and inventory management technologies, network access control tools, threat detection software and other traditional security components to manage risk.

Pescatore said many companies are using the BYOD security procedures they developed when bring-your-own-device policies first came into the enterprise as starting points for their IoT security programs, because the security risks of the two trends mirror each other.

Moving forward, however, enterprise leaders and trade groups should -- and are indeed starting to -- pressure IoT component manufacturers to incorporate more security features into their devices and promote the adoption of security standards.

Unified view of all things internet

The number of connected devices on Princeton University's network has grown to include everything from security cameras to laboratory sensors to lightbulbs.

"There are all sorts of things that want to be connected," said David Sherry, CISO at Princeton, noting that one professor dismisses the label IoT and instead just groups all of it as the internet. "If it has an ISP, it's just the internet."

That philosophy reflects Sherry's unified approach to securing this highly connected environment. He relies on network segmentation as well as asset and inventory management technologies to ensure visibility into what's on the network and where it can and can't go. And he establishes relationships with other department leaders throughout the university so that they involve his security team when they want to bring in new technology components -- whether it's IoT devices or more conventional IT.

As such, all technologies and new connections get the same security treatment. The overall lesson here is that a sound security program encompasses IoT, rather than IoT security concerns demanding a new approach.

"Any new technology that comes into our infrastructure, whether it's new software or a thousand new IP addresses, on our campus gets a rigorous security review," Sherry said. "It's a review of the technology, what its use is, what it needs access to, and then it gets assigned the proper IP space."
