Everyone who has a stake in the internet of things, from device manufacturers to network service providers to implementers to customers themselves, makes important contributions to the security or lack thereof in enterprise IoT, attendees at Security of Things World were told.
“The key to all [IoT devices] is that they are networked,” Jamison Utter, senior business development manager at Palo Alto Networks told a group at the conference. “It’s not just a single thing sitting on the counter like my toaster, it participates with the network because it provides value back to business.”
“I think the media focuses a lot on consumer, because people reading their articles and watching the news … think about it, but they’re not thinking about the impact of the factory that built that consumer device, that has 10,000 or 20,000 robots and sensors that are all IoT and made this happen.”
The fact that IoT has security issues is well-known – Utter likens it to the case of Windows 95, which suffered from infamous security problems in large part because it wasn’t designed from the ground up to be secure.
“What we have is simplistic operating systems, running on simplistic hardware, that were not designed for security – just like Windows 95,” he said.
Sharing responsibility for security
IoT security isn’t qualitatively different than securing any other broad category of computing device, said Utter – it’s just the scale of the device pool and their computing limitations that makes the task challenging.
“Would you accept the same level of security on a car as on a sensor that opens the door? It’s just not appropriate, right? The asset is not as valuable. So what we have to accept is that endpoints will have varying levels of security.”
At the device, network, data and in the cloud, a patchwork of security implementations will be at play. “That’s why we have to design our security as holistically as possible, rather than trying to pass it off and saying, ‘You guys take care of it.’”
The network, Utter said, is the key battleground for future IoT security, largely because of economics – some endpoints simply aren’t able to be secured sufficiently without an unreasonable investment of money. If shipping crates with highly secure IoT endpoints attached to them cost too much, for example, that throws off a company’s entire business model.
“We need to start framing IoT in a slightly different way,” he said. “Everyone focuses on the endpoint … but I believe the network can actually be an enforcement point for IoT, because some devices will never be appropriate to have high-level security, it’s just not right in the economic model.”
Major mobile data carriers, Utter argued, have a substantive part to play in keeping IoT secure. Given that an increasing number of IoT devices use LTE, LoRaWAN and even 3G to connect, the carriers can make a contribution by scrubbing data, blocking malicious devices and other active security measures.
“They need to stop being simply a conduit for information, but also participate and help us be better about how to keep the pipes clean and keep the right things on our networks,” he said.
Visibility, analysis, automation, repeatability
According to Utter, there are four pillars of security for IoT. The first is visibility, which needs to go beyond “which devices are on the network” and delve more deeply into questions like “what are these devices actually doing” and “who is receiving the data they’re sending?”
“I can’t have blindness to what’s happening on my network,” he said.
The second is analysis – and since smart companies are already doing this in the name of business value, it shouldn’t be a major stretch to extend that analysis to security. Following naturally from that, automation to decrease the human workload of managing IoT networks can be implemented.
Doing all of this in a repeatable way leads to the final pillar, consistency. The major obstacle here is the patchwork of IoT standards in use across the industry, and the challenge of getting them all to talk to each other.
“It’s my belief that, in order to give IoT security the same level of security I give to financial, or to your PCI systems or to your ERP – I have to be able to deliver consistently to the networks and endpoints that run inside the IoT network,” he said.
Business can help secure their own IoT networks in a number of different ways, including vendor selection. By making sure that vendors know security is a priority, and doing business with those that take it seriously, companies can contribute to safer IoT, according to Utter.
“Manufacturers have to understand that they have a stake in the security posture,” he said. “And the security posture is really the business posture of their companies.”