Navigating the new world: IoT security Part II
By Benjamin Cher November 10, 2015
- Shadow IoT threatening to produce a snowball effect
- Need ‘security by design’ outlook, not latched on later
With the Internet of Things (IoT) fast becoming the default setting of our professional and personal lives, more attention needs to be paid to security. In this, the second of two parts, Digital News Asia (DNA) speaks to experts from a range of backgrounds. Click here for Part I.
IN their attempts to secure IoT devices, companies cannot bank merely on simple measures such as installing perimeter defences, or slapping on a hardware box.
To defend properly against the new threat vectors emerging in this new world, they have to navigate through seas buffeted by the conflicting needs of connectivity and security, said the security experts DNA spoke to.
And there are dangers lurking below the radar, according to Charles Lim, senior industry analyst of Networking, Information & Cyber Security at Frost & Sullivan Asia Pacific’s Enterprise ICT practice.
“One major challenge is that IoT transformations could occur in the operational space of a business that go unnoticed by the IT department running the business networks,” he said.
An example would be a wireless lightbulb whose colours a user can control using his or her mobile phone. If this person were to install such a device in the workplace, and if this goes unnoticed by the IT department, that user has unknowingly introduced a new vector for cyber-attacks.
“It has been proven before that it is possible to hack into the wireless network of an organisation via a wireless lightbulb,” Lim said.
The corporate world has been girding itself for ‘shadow IT’ – where employees bring personal devices to work, and install and use their favourite apps without the knowledge or approval of the IT department.
Now say hello to ‘shadow IoT,’ where employees use unauthorised or unapproved IoT devices in the workplace.
This is a concern shared by all the experts DNA spoke to.
“Shadow IoT poses as many challenges in the workplace as mobile devices,” said Gemalto’s South Asia & Japan M2M (machine-to-machine) Solutions head Manoj Kumar Rai (pic).
“This is simply because organisations and employees are not yet familiar with how to properly utilise them or protect the data on them,” he added.
Cognizant’s Emerging Business Accelerator chief operating officer Sean Middleton agreed, saying, “These devices can unknowingly make their way into the corporate environment and, if connected to the network, open an unsecured, uncontrolled and unnoticed hole in the company’s perimeter.”
“The modest risks of smart objects such as Fitbits, smart TVs in a conference room, thermostats … are likely to snowball into serious concerns if left unattended,” he added.
All is not lost, as the experts pointed out that there are various ways businesses can deal with the growing ‘shadow IoT’ element.
In doing so, companies should think from the employee’s perspective when implementing security policies and controls, advised Ashish Thapar (pic below), managing principal of Investigative Response at Verizon Enterprise Solutions.
“To combat shadow IoT, companies not only need strong governance and risk management controls, but they also need to think from their employees’ and departments’ perspective,” he said.
“In addition, an effective monitoring and event-log analytics system will help to control unauthorised IoT device usage and any associated intermingling with corporate data or networks,” he added.
CA Technologies Asia Pacific & Japan vice president of Security and API Management, Vic Mankotia, argued that API (application programming interface) management is crucial as well.
APIs are a set of routines, protocols and tools that access features or the data of an operating system, application, or service.
“This should be a manageable risk as long as robust, scalable, and integrated Identity and Access Management (IAM) systems are coupled with API management for mobile access gateways and portals,” he said.
When lives are affected
The inevitability of the IoT will lead to future where all kinds of devices are connected to the Internet. Companies need to balance between security controls and giving every device an Internet connection.
What they need to think about now is ‘security by design,’ said Frost’s Lim (pic).
“What worries us is that more of these machines or appliances are going to connect to the Internet without having security embedded in them,” he said.
“The possibility that they get compromised will always be there, and in some cases, it may become a safety issue that has a direct impact on human lives,” he added.
Middleton agreed, arguing that the onus lies on the companies, and not their customers, to secure the data IoT devices collect or transmit.
“To balance the need for security with the desire to connect devices to the Internet, organisations have to emphasise data protection and governance of IoT-generated data to address privacy expectations, notice/ choice, consent, context, re-purposing of data and data minimisation,” he said.
On the application front, CA’s Mankotia (pic) advocates managing access controls for APIs.
“A good start to securing apps is ensuring that access control systems are in place,” he said.
“This will allow developers to use only APIs that are responsibly exposed,” he added.
Ultimately, security is still about the big picture, with Gemalto’s Manoj arguing that a holistic approach to IoT security is needed.
“To safely and securely implement the IoT, it is imperative that the IoT stack is comprehensively secured at each level – from device hardware and software, to the network gateway and connectivity protocols to the WAN (wide-area network), service provider or cloud network,” he said.
“A collaborative and holistic approach is an important requirement in building a secure and robust IoT infrastructure,” he added.
These factors will influence the way companies approach firmware design, with Frost’s Lim arguing that collaborations with security vendors might be one way to enhance security.
“Certification bodies are also considering compliances for these devices to meet a certain level of security, just like what they have done for electrical safety,” he said.
There is also a distinct lack of secure coding and security scanning during development, he stressed.
“In a recent survey we did with information security professionals, only 24% conducted application security scanning during code development, whereas 30% never do so,” Lim said.
“This needs to be addressed with the right skills and tools,” he added.
This is also a need that resonates with regulators, according to Matthew Hunter and Aisling O’Dwyer from digital media law firm Olswang Asia.
“Regulators in the United Kingdom and the United States have stressed the need for ‘security by design,’ where security protocols are built in at the outset of the design process, and not tacked on as an afterthought,” they told DNA via email.
“The International Standards Organisation (ISO) and the Institute of Electrical and Electronics Engineers (IEEE) have also set up working groups to consider IoT security best practices,” they added.
The buck stops, or starts, with device manufacturers, said Verizon’s Ashish.
“They have a very important role in building secure systems right from the start, rather than as an afterthought,” he said.
“Firmware design companies definitely need to put in more of the ‘security sauce’ and have a much wider industrial collaboration in this arena,” he added.
Meanwhile, Manoj said IoT firmware design has to factor in the threats and assets being protected.
“A right design of the embedded devices could ensure data protection, privacy, and secure exchange of the data within the device and to the backend gateway over the Internet,” he said.
Companies also need to adopt a multi-layered approach to IoT security during design and implementation, said Cognizant’s Middleton.
“IoT systems by design will likely be deployed over long periods of time with continuously evolving capabilities and data,” he said.
“As a result, remote management of these systems is a must, and the ability to ‘reflash’ an IoT device’s firmware over-the-air (FOTA) will be required,” he added.
Navigating the emerging ecosystem
The IoT has to be seen as the sum of its parts, and not just loosely assembled forms of instrumentation, ventured Cognizant’s Middleton (pic).
“The architecture of an IoT ‘system of systems’ requires an understanding of the autonomy and trusted dynamic interactions across and between each system layer – sensor, device, gateway, network, and cloud.
“This is because the promise of the IoT is not realised by any one component, but by the sum of the parts,” he said.
“In order to enable secure self-configuring, self-diagnosing, and self-correcting systems, each component must inherently behave in a secure and trusted manner – and be able to rely on that behaviour from all other components in the system,” he added.
Cutting the wire: IoT security Part I
Invaders in the airspace: The problem with IoT security
Accenture opens IoT centre in Singapore
HP study on 10 smartwatches finds ALL vulnerable to attack
Security issue in fitness wristband, says Kaspersky researcher