What CISOs need to know about securing the Internet of Things (IoT)

The rapid adoption of the Internet of Things (IoT) is hard to ignore: Gartner estimates a compound annual growth rate of 31.7 per cent until the end of the decade. This means that, by 2020, 20.8 billion connected things (excluding PCs, tablets and smartphones) will join the internet. While it’s easier for organisations to roll out their own IoT services thanks to new mobile-based IoT platforms, growing IoT adoption brings not only opportunities but also new kinds of risk.

Gartner predicts that by 2020 over 25 per cent of identified attacks will involve the IoT. Unfortunately, awareness of the risks is developing at a slower pace. To avoid costly headaches later, forward-looking Chief Information Security Officers (CISOs) should think about what strategies they need to put in place now to ensure the safety of their customers and employees. There are a number of points a CISO must consider to develop a suitable IoT security programme.

Defining customer-facing IoT

Gartner separates customer-facing IoT devices and applications into two distinct categories: smart devices and dumb devices. These categories operate in distinctly different ways and require a different approach.

Dumb devices

Dumb devices are simple objects fitted with sensors that can perform and communicate measurements and functions. These devices are generally ‘always-on’, for example fitness trackers, smart thermostats and some connected industrial objects. More recent use cases expand this category with task-specific devices. These are more complex devices to be treated as ‘exceptions’ and include smart glasses for manufacturing or law enforcement.

Dumb devices present risk because they can be used as vulnerable points from which to gain access to the wider system. To maximise security, organisations should lock them down so that they’re only able to perform their designated functions. This limits the possibility of them being exploited as backdoor keys into other systems.

Smart devices

The emergence of ‘smart’ connected devices, like the connected car, means that data loss is no longer the worst outcome of a data breach. Smart devices can take autonomous action, as well as perform and communicate measurements. Breaches of these devices can now cause damage to physical assets and in serious cases injury to individuals, including customers and employees. For example, last year a major car manufacturer had to recall – at great expense – more than a million vehicles after one was hacked, with millions more vehicles needing to be patched for security vulnerabilities that impacted passenger safety.

Smart devices require a much more adaptive type of trust. Locking down smart devices limits their functionality. For smart devices, CISOs need protection that doesn’t inhibit usability.

Traditional trusted computing was a black and white affair. A device was either trusted or considered compromised based on a number of predefined properties. This isn’t effective for smart devices because they operate under varying levels of trust. CISOs can look at Android app permissions for inspiration. Apps are installed with a minimum set of permissions. If the user wants to undertake more complex actions, the app may request further permissions. This allows trust to be built up through less important actions before more sensitive ones are permitted.
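As an added illustration of the tiered, Android-style trust model described above (not code from the article or from Gartner), the following Python sketch assumes three constructed trust tiers and a small set of hypothetical connected-car actions; a device earns a higher tier through clean low-impact actions and drops back to the lowest tier the moment monitoring flags an anomaly:

```python
from dataclasses import dataclass, field

# Constructed trust tiers: 0 = newly enrolled, 1 = established, 2 = fully trusted.
# Each hypothetical action carries the minimum tier needed to perform it.
ACTION_TIER = {
    "report_telemetry": 0,   # read-only measurement: low impact
    "adjust_cabin_temp": 1,  # changes device state: moderate impact
    "unlock_doors": 2,       # physical consequence: needs the most trust
}
MAX_TIER = max(ACTION_TIER.values())
PROMOTION_THRESHOLD = 5  # clean actions at a tier before moving up one


@dataclass
class DeviceTrust:
    """Trust state for one smart device; grows gradually, collapses on anomaly."""
    device_id: str
    tier: int = 0
    successes_at_tier: int = 0
    history: list = field(default_factory=list)

    def request(self, action, anomaly_flag=False):
        """Grant or deny an action. anomaly_flag is raised by the monitoring
        side (assumed); any anomaly resets the device to the lowest tier so a
        compromised device cannot keep the trust it earned while behaving."""
        needed = ACTION_TIER[action]
        if anomaly_flag:
            self.tier, self.successes_at_tier = 0, 0
            self.history.append((action, "denied:anomaly"))
            return False
        if needed > self.tier:
            # Like an app lacking a permission: refuse and let the caller step up.
            self.history.append((action, f"denied:needs_tier_{needed}"))
            return False
        self.successes_at_tier += 1
        if self.tier < MAX_TIER and self.successes_at_tier >= PROMOTION_THRESHOLD:
            self.tier += 1
            self.successes_at_tier = 0
        self.history.append((action, "granted"))
        return True

    def allowed_actions(self):
        """Actions this device may currently perform without stepping up."""
        return sorted(a for a, t in ACTION_TIER.items() if t <= self.tier)
```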

Using data: A common protection

Many dumb and smart IoT use cases will be based on third-party cloud services communicating with smart devices, neither of which is under the direct control of the organisation. One example is a hosted application running on external cloud services and communicating directly with a customer device.

CISOs should focus on two technology areas to maintain a level of control without having full access to the communication flows – data-centric security and behavioural anomaly detection.

Data-centric security solutions provide identity-aware control over protected information without controlling the network, the device or the application. An example of this is digital rights management, which combines encryption with identity. Ultimately, the identity of users and things will become a central concept in IoT security. Solutions that can dynamically derive identities from things, and solutions that can authenticate users based primarily or solely on contextual information will boost efficiency.

CISOs should also have mechanisms in place that monitor the infrastructure for any behavioural anomalies. This allows them to identify a potential problem based on suspicious behaviour, and give their teams time to deal with any malicious devices. This kind of approach may trigger an alert or take a direct action based on the severity of the flag.
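As an added example (not code from the article), the following Python scores constructed IoT telemetry against a per-device behavioural baseline and maps the severity to the graded response described above, from recording through alerting to taking direct action on the device; the device names, hosts, payload sizes and thresholds are all assumed:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline telemetry captured while the devices behaved normally:
# (device_id, destination_host, payload_bytes)
BASELINE_EVENTS = [
    ("thermostat-01", "api.vendor.example", 210),
    ("thermostat-01", "api.vendor.example", 198),
    ("thermostat-01", "api.vendor.example", 205),
    ("tracker-07", "sync.vendor.example", 1200),
    ("tracker-07", "sync.vendor.example", 1180),
    ("tracker-07", "sync.vendor.example", 1230),
]
# Severity 0..3 mapped to a graded response: nothing, record, alert, direct action.
SEVERITY_ACTIONS = {0: "none", 1: "log", 2: "alert", 3: "isolate"}


def build_baseline(events):
    """Learn, per device, its normal destinations and payload-size profile."""
    per_device = defaultdict(list)
    for device, dest, size in events:
        per_device[device].append((dest, size))
    baseline = {}
    for device, rows in per_device.items():
        sizes = [size for _, size in rows]
        baseline[device] = {
            "destinations": {dest for dest, _ in rows},
            "mean": mean(sizes),
            # pstdev is 0 for constant sizes; floor it so z-scores stay finite
            "stdev": pstdev(sizes) or 1.0,
        }
    return baseline


def score_event(baseline, device, dest, size):
    """Severity 0 (normal) to 3 (severe) for one observed event."""
    profile = baseline.get(device)
    if profile is None:
        return 3  # a device with no profile at all is talking on the network
    score = 0
    if dest not in profile["destinations"]:
        score += 2  # new destination: candidate for beaconing or exfiltration
    if abs(size - profile["mean"]) / profile["stdev"] > 3:
        score += 1  # payload far outside what this device normally sends
    return score


def respond(baseline, device, dest, size):
    score = score_event(baseline, device, dest, size)
    return score, SEVERITY_ACTIONS[score]
```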

Lastly, it is paramount that CISOs ensure connected components can be updated over the air, or are removable and exchangeable with newer ones.

These simple points can provide a framework to tailor an IoT security strategy to a particular organisation. Understanding how IoT fits into your organisation is important as its adoption is likely to increase. CISOs who have the foresight to consider IoT security from the outset will circumvent avoidable breaches – saving money and time and instilling confidence in their customers and stakeholders.

Dionisio Zumerle, Research Director, Gartner