Global IoT security spending will reach $1.5 billion this year, per Gartner, and will more than double that by 2021. That’s a lot of salad to safeguard thermostats, remote control apps, wearables and devices in the six categories of IoT. But will it be enough?
IoT vendors continue to go to market fast to be first with new products while sacrificing security measures that can elongate time to market. Vendor security failings such as weak passwords, plaintext password storage, sending firmware updates in the clear, and publishing default passwords are the by-products of these practices.
Vulnerable devices and communications lead to root-level access and control, man-in-the-middle attacks, and eavesdropping with crackers stealing private data and adding compromised connected gadgets to botnets for DDoS attacks. Lawsuits that targets of DDoS attacks file can cost companies millions. Don’t count on privacy suits being far behind.
Yes, manufacturers can consider voluntary security standards and frameworks, and the government may someday intervene with regulatory restrictions and fines. But if your enterprise needs help now, network-level security is for you.
IoT security standards, frameworks
The Industrial Internet of Things Volume G4: Security Framework is a broad yet thorough, meaty document that draws from many recognized sources such as the IEEE, the IETF, MITRE, the OWASP, and dozens more.
The guidance from the Industrial Internet Consortium details how to protect IoT devices against threats and vulnerabilities using physical security, secure architectures, and identity and access controls (and many other methods). Though the framework targets Industrial IoT, stakeholders should find it useful for securing other connected hardware.
The NIST Framework for Improving Critical Infrastructure, Cybersecurity offers higher-level guidance to “help an organization align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources.” The document introduces safeguards for IoT together with cyber-physical and critical infrastructure security.
NIST has more in the works for IoT, having asked the industry for input into specific security practices. NIST has also published Considerations for Managing IoT Cybersecurity & Privacy Risk and is working on a “NIST Cybersecurity Framework application to IoT” publication.
The OWASP’s IoT Security Guidance conveniently lists specific steps in securing IoT environments. Tips cover authentication, passwords, encryption, and secure interfaces (and much more). The document is concise yet thorough, an excellent place to start for quick access to the data you need.
Using network-level security
Until vendors adopt security standards and frameworks voluntarily, or the political winds change, and the government enforces security requirements, you can take a stand against IoT threats using network-level security approaches like these:
- Continually update your network configurations, capabilities, and rules to listen and detect new devices on the network.
- Discover all connected devices on the network including IoT, Shadow IoT, Rogue IoT, and BYO-IoT.
- Use network security that understands and addresses the broad array of IoT device abilities and protocols.
- Segregate your IoT devices on a separate network.
- Develop a knack for using NAC that defends IoT without frustrating users.
To learn more about how to install a layered defense approach, read "Defense-in-depth and the Distributed Gateway Platform"
David D. Geer (https://www.linkedin.com/in/daviddgeer/) writes about cybersecurity and technology for national and international publication. David’s work appears in various trade magazines from IDG in the U.S. and around the world in several languages. ScientificAmerican, The Economist Technology Quarterly, and many magazines and companies have used David’s content. David’s Google Scholar Page is at https://scholar.google.com/citations?user=ZkKA3fsAAAAJ&hl=en.