Photo: Sharat Sinha
A few years ago, the idea of having home and office appliances connected to a network may have seemed like something straight out of science fiction. Today, however, as technology continues to develop and evolve, this is fast becoming a reality that is increasing in complexity and sophistication.
Commonly referred to as the ‘Internet of Things’ (IoT), this connectedness is seeing a surge in growth, as everyday appliances are being IP-enabled and connected to the network. Clearly, it is a trend which seems set to continue.
Last month’s Internet of Things (IoT) Asia Exhibition and Conference, held in Singapore, reflected the direction local enterprises are moving towards to enhance their competitive advantage, with devices in the IoT used to better address their consumer and/or enterprise needs. But the benefits of IoT, while often cited as significant, have been countered with talks of increased security risks, which could be substantial, particularly in areas such as critical infrastructure, where they become targets for nation states and criminal organisations intent on accessing confidential data and information.
What are the vulnerabilities posed by IoT?
Analyst group Gartner projected that by 2020, the number of IP-enabled devices, not including PCs, tablets and smartphones, will hit 26 billion units globally, while IDC’s assessment pegged that number at 212 billion units. These numbers are significant, as each device represents another potential entry-point for hackers to launch targeted attacks on enterprises. With more devices communicating and sharing potentially confidential and sensitive data, coupled with the emergence of unprotected networks, the conclusion is obvious: there will be far more vulnerability points for security breaches.
Secondly, vendors with little or no security expertise are likely to overlook the security aspect of their low-cost IP-enabled devices that can be hooked up to the IoT. Thus, it may not be surprising to find basic security features absent in these devices. Moreover, there are no security standards to conform to in the majority of these devices—each differing in purpose and construction, utilising different operating systems and plugging into different parts of a network or system. As a result, protecting these devices and the communication between them has become a big challenge.
The third major risk is the devices’ connection to cloud-based applications and services. New data is constantly being uploaded, processed and deposited in the cloud, bringing the issue on data sovereignty into question. Moreover, data collection is often vague, with little clarity on access control and management, resulting in further complexities to segment and secure these massive volumes of data.
How to secure the Internet of Things
Fortunately, securing the multitude of potential attack points exists. This involves leveraging the same strategy as other IP-based communications.
Firstly, it is important to identify and understand which devices are part of the IoT network. Crucial knowledge about the nature of IoT devices is one of the stronger approaches in making decisions to protect the device and manage its data, similar to the security functions currently in existence for mobile endpoints. If a device is infected with malware, for example, it can be blocked from accessing the IoT network.
As IP-enabled devices differ in functionality, the most logical solution is to secure these devices at a network level rather than the endpoint level, thereby overcoming the limitations present in endpoint security functions. Depending on the support of inspection of IoT communications protocol, IoT can also leverage on existing network security solutions like firewall and IPS. In addition, by using the Zero Trust principles of least privilege access with granular segmentation, enterprises can secure IoT data and application access.
While the IoT may offer potential for improving the way that enterprises and government currently operate, it is fundamental to overcome the biggest challenge faced: the regulation surrounding IoT data collection system and the way these records will be used, shared and secured. To achieve this, it is imperative for enterprises, governments and standard organisations to collaborate and leverage expertise to overcome IoT’s complex, multi-faceted security vulnerabilities.
Sharat Sinha is Vice President, Asia Pacific, Palo Alto Networks
[Source: MIS Asia]