10 months ago


Internet of Things IOT -

Internet of Things IOT - THE GOOD AND THE BAD WITH AS MANY AS 30 BILLION MACHINES AND OTHER PHYSICAL PRODUCTS EXPECTED TO BE HOOKED UP TO THE INTERNET, CAN ORGANISATIONS REALLY STAY SAFE? BRIAN WALL REPORTS Intelligent Internet-powered integration is catapulting entire sectors of the economy into a new digitally enhanced era populated with innovations like real-time positioning in logistics, machine-to-machine communication across national borders, electric, self-driving taxis and smart buildings, to name but a few. A recently published study by the market research and consulting firm IDS predicts that by 2020 there will be as many as 30 billion machines and other physical products hooked up to the Internet. But the IoT brings with it a plethora of problems around security. Breaches are commonplace and organisations highly vulnerable through leaving themselves wide open to exploitation. In response, some of the biggest tech giants in the world - IBM, Nokia, Palo Alto Networks, Symantec and Trustonic - have recently joined forces and formed IoT Cybersecurity Alliance, aiming to use their combined expertise to allay business concerns about the Internet of Things and solve its security challenges. It's a move that could yield fruit, if they get their strategy right and collectively can find a way to meet the needs of organisations in all their diversity. EFFECTIVE ENFORCEMENT "Comprehensive security guidelines and industrial standards for IoT manufacturers could be a very helpful thing," says Alex Mathews, lead security evangelist at Positive Technologies. "IoT Cybersecurity Alliance is not a first attempt - last year, Industrial Internet Security Framework (IISF) was developed by several big IT industry vendors. However, it's hard to believe that all IoT manufacturers will tighten security standards just by themselves, as many security limitations are not profitable for them. So, from a practical point of view, we would expect two other ways of security enforcement to be more effective. "The first way is industry self-regulation via 'lost reputation chain'. IoT manufactures and service providers will go for tighter security checks of 'smart things' and better customer education after their breaches are publicly exposed. In November last year, 900,000 routers of Deutsche Telecom customers were crashed by malware and, following the incident, DT officially claimed it would review its business relationship with the supplier of vulnerable routers. We hope to see more stories like this one," states Mathews. "The second way is new government regulations on IoT security. The Industrial Control Systems regulations already developed in many countries could be used as an example to follow. In fact, many IoT systems are close to ICS by their functionality, as well as by potential dangers for citizens. 26 computing security March/April 2017 @CSMagAndAwards

Internet of Things Yet, unlike ICS security, IoT security isn't usually described in modern state laws at all. "The Internet of Things is a very complex mixture of technologies and services, with lots of security issues on every link of the delivery chain. With all these security problems in consideration, we expect the rise of IoT attacks in 2017. The range of targets will widen, including smart TV, cars and other transport systems, home appliances, medical equipment and wearable gadgets," he adds. "In addition to known types of attacks - DDoS, ransom, information and money theft - we may also see vulnerable IoT used as a first step for more serious targeted attacks on critical infrastructures that will lead to physical disasters. According to our research, building automation and energy management systems are most common among vulnerable control systems available online." LOOMING REGULATIONS Sean Ginevan, senior director of Strategy, MobileIron, feels that, even with proper security precautions, looming regulations mean IT will need to tread carefully and strike a balance between collecting proper data to drive business value, whilst ensuring proper security to prevent substantial fines. "The upcoming General Data Protection Regulation (GDPR) will mean that enterprises need to be particularly cautious with any personal data about an individual. GDPR is broad as to what is 'personal'. Ultimately, any information relating to an individual, regardless of whether it applies to their public, private, or professional life, is in scope. In short, hoarding huge swathes of data can be profitable, if companies know how to use and protect it; but, with insecure devices floating around, it can also be a ticking time bomb." Enterprises need to start developing the use cases today for potential IoT applications tomorrow, he says. "In parallel, enterprises will need to build their data classification programs, particularly around any personal data collected within the organisation. With use cases understood and data classifications defined, enterprises can specify the infrastructure and security requirements for IoT deployments. One of the common elements to think about is to ensure that connected devices only traverse trusted networks. Enterprises should segment their IoT network to ensure connected devices only connect to resources the IoT devices are intended for. This helps to limit the scope of damage, if an IoT device is hacked and protects repositories of personal or sensitive data." MULTIPLE ENTRY POINTS Given that a range of everyday devices, from wearables to medical devices, can now be connected via the Internet, a typical organisation can have even more entry points for attackers, putting their data at risk. "Whether an organisation is adequately protected or not largely depends on the software used by the IoT devices," points out Marc Sollars, CTO at Teneo. "Often organisations use a collection of isolated, proprietary systems that haven't been developed, based on current operating systems, meaning that many are running unpatched. "It can be difficult identifying where security controls are needed, particularly with the diversity of the devices that exist. Companies should work with security specialists to identify any gaps in security and mitigate potential risks in devices prior to use. As the device goes through various changes in use, penetration testing can closely monitor the device to protect against new potential vulnerabilities." Organisations have the means to - and should - implement a solution at the endpoints of networks to mitigate vulnerabilities in software, "and there are many technology options available from software firms. Implementing network Marc Sollars, Teneo: often organisations use a collection of isolated, proprietary systems that haven't been developed. John Smith, ExtraHop: many companies are pushing IoT offerings to production too early, without critical baked-in security features. @CSMagAndAwards March/April 2017 computing security 27