Interview: Security and scalability of the IoT in business

The Internet of Things' ability to gather and leverage data on a vast scale has meant that it now sits firmly within the scope of the business world. From delivery vehicles to ATMs, air conditioning systems to CCTV cameras, the scope for connecting devices in industry appears as big as, if not bigger than, the comparable consumer opportunity.

However, the business world faces a major barrier to adoption; in their current state, the tools that help businesses deploy and secure IoT devices are simply not fit for purpose.

We spoke to Klaus Gheri, VP and GM of Network Security at Barracuda Networks, about the challenge of securing IoT devices in industry and the tools being developed to overcome these issues.

There is a lot of hype about the security of the IoT in industry. Exactly how secure are IoT devices?

The sheer number of IoT devices and use cases makes it difficult to say exactly how secure, or rather how insecure, the IoT really is. However, with its rapid evolution, it has certainly become more and more difficult for businesses to stay up-to-date with the latest IoT security threats. Typically, when companies decide to create an IoT device, the focus is placed on functionality and remote control. This leaves a critical gap when it comes to security, for there are often weaknesses in the system’s design and architecture.

One of the main issues is the use of weak encryption and authentication schemes, which leaves these IoT devices vulnerable to data theft. The device systems might also be ‘closed’, meaning they are hard to remotely maintain and update. This is a key consideration when it comes to the IoT, because once organisations have a large number of devices, it becomes very difficult from an operational standpoint to get physical access to each device to fix any flaws.

Businesses want connected devices to be able to react to new information, automatically place orders for new parts or replenish stocks and record data on their efficiency. One of the biggest challenges for organisations is making sure that all this information is fed back to the central location without being eavesdropped, intercepted or modified at all.

What could you gain by hacking an IoT device? How hard is it to do currently?

If a hacker can get access to the device and work their way into some kind of a web console or login, then they could try a brute force attack to gain entry to the device controls. If the device was part of some critical infrastructure, such as electricity, gas or water networks, attackers could do some serious damage to expensive equipment or even harm citizens.

The scope and scale of attack is so much greater when you think about the IoT. For instance, hackers could use the same ransomware that consumers download in spam emails to hold an organisation’s entire connected infrastructure to ransom. The targeted device does not have to be part of an organisation’s infrastructure though; today’s cars are fully networked devices, and most come equipped with a SIM and a lot of computer equipment. Recently, a Jeep connected vehicle was hijacked on the freeway in the US. In this case, the vehicle, the driver and others on the road were put at risk.

To date, what have been the main barriers to securing the IoT?

One of the barriers to securing the IoT is simply that there’s not a ‘one size fits all’ solution. On one end of the spectrum, we’re talking about tiny equipment such as wearables and intelligent lightbulbs, on the other we’re talking about big machine equipment. Depending on what the IoT device is, there will be a different approach that is economically viable. The challenge is finding the right security for each use case. That’s why companies either have nothing securing their IoT network, or have something that is not really fit for purpose.

When the size of the IoT network goes into the hundreds or thousands, deploying both the device and a security solution for it becomes a logistical challenge – How do you deploy the equipment? How do you manage its lifecycle? How do you implement security policies? Once you remove those barriers, businesses are far more willing to embrace IoT and do more about security.

The challenge from the security vendor side of things is that the regular IT equipment that has been used in an office or a datacentre type scenario is not going to work for hundreds or thousands of remotely connected devices.

Which industry verticals should be most concerned about the security of the IoT?

Security is critical for industrial devices that could pose a risk to citizens if they were hacked. However, it should also be a top concern of any organisation that relies on machine connectivity to operate.

For example, we are currently working with wind turbine power plants. Each turbine needs to maintain connectivity to operators in order to feed back essential data. The largest wind farm in the UK has over 200 turbines, and generates power for 300,000 homes. If these turbines were hacked and held to ransom, or simply pushed off the grid, it could do real damage to its operator.

Another less obvious example is connected industrial fridges. No one thinks about industrial fridges as intelligent devices, but they are actually recording and sending back all sorts of data. If they get hacked and held to ransom, the fridge contents could spoil and the company could quite easily go out of business. We’re working with a number of industrial refrigeration firms that are acutely aware of the dangers to their connected infrastructure.

What tools could these businesses use to roll out and secure large-scale IoT deployments?

Any tool designed to provide secure, scalable connectivity for the IoT has to be relatively small, inexpensive, lightweight and mountable. It also needs to be easy to ship in large numbers and easy enough to implement and manage so that organisations don’t need to hire a whole new team of security or IT specialists. We had to take all these requirements into account when we were designing our new security and connectivity device for the IoT.

Many of the current security solutions available today are so expensive that it is simply not feasible to implement them. Others attempt to run an application that encrypts the data. In this case, there is no Denial of Service protection so the infrastructure is not properly secured. Unfortunately, today’s off-the-shelf security equipment isn’t fit for purpose.

As IoT deployment scales, businesses need something that’s purpose-built. So far we’re the only established security vendor that’s tried to create a new firewalling and connectivity device for the IoT from scratch. One of the companies we’re talking to has an IoT network of about 30,000 devices. They needed a solution that could be deployed rapidly and managed easily by their existing IT team. We’ve had to re-architect our policy management system to deal with this scale – a regular firewall management framework might be able to handle the policy management of a few thousand appliances, but here we are looking at deployment sizes an order of magnitude bigger, without any room for pro-rata operational cost increases.

Where do you expect to see this technology used in the future?

There are many use cases for secure scalable connectivity technologies. Obvious examples are ATMs, ticketing and gambling machines. All of these handle money and are therefore a prime target for attackers.

The automotive industry is a very exciting yet tricky concept. We have been talking to a supplier in the industry that wants to secure the communications between the power steering system and the other devices in the car. They want to create a ‘safe zone’ for their technology to ensure their systems are reliable. Our solution would work in this instance, but the numbers of connected devices would climb well above 100,000 units. It’s a much bigger challenge from a scalability standpoint, but in theory the concept would work.

In terms of how we want to adapt, the technology will become smaller and less expensive, with some more advanced functionality. For example, we want to add additional traffic inspection from the device itself and enable it to directly connect to the Internet, instead of back-hauling traffic to a central enforcement point.

This is all feasible as miniaturisation continues and computing power keeps going up, and it will be helpful for more rugged use cases.
