The phrase ‘Internet of Things’ may conjure up images of smart TVs and smart meters, but in reality it encompasses much, much more – HVAC systems, industrial control systems, IP video surveillance cameras and a host of other devices that each will have to be secured.Therein of course lies the rub. Ubiquitous connectivity offers businesses the opportunity to use devices to improve business processes by collecting data and analytics in real-time. But it also introduces an increased level of complexity into the lives of both consumers and corporations.
In many ways, IoT vendors face some of the same security challenges that have always plagued vendors. A look at the Open Web Application Security Project’s (OWASP) ‘Internet of Things Top 10’ will turn up many topics that sound more than a little familiar, such as a lack of transport security and weak authentication mechanisms.
A real world example of these security risks came courtesy of TRENDnet. In February 2014, the U.S. Federal Trade Commission (FTC) approved a settlement with TRENDnet over charges that while the company claimed its SecurView cameras were secure, they had faulty software that left them open to online viewing – and in some cases listening – by anyone with the cameras’ Internet address. As part of the settlement, the FTC ordered TRENDnet to establish a comprehensive information security program to address risks that could result in unauthorized access or use of the company’s devices, and mandated TRENDnet obtain third-party assessments of its security programs every two years for the next two decades.
As attractive as having smart meters and other IoT technology may be, it is equally critical for organizations to understand the implications of connecting those devices to the network; to know for example how the device talks to the Internet, any sites or applications that talk to the device, and any cloud services that may host data.
By putting a device on the network, the organization is implicitly establishing a trusted relationship with not only the device, but potentially with more than one web service or cloud provider. In some cases, a single IoT device may be multi-homed – connected to more than one network – and therefore violate network security assumptions and potentially bypass firewall controls.
Given the uncertainty surrounding the security of the Internet of Things, organizations should segment these devices on the network to protect their other assets. First of all, this is simply a security best practice. But there are other reasons specific to IoT to do it as well. For example, if a device is configured for automatic updates, its entire software system might change at any time. While it may keep the device up-to-date with the latest patches, there may also be broader impacts on security that result.
From a management perspective, organizations need to understand whether the device will be managed by a third-party or by the businesses via a web portal. In either case, Internet access to the system must be secured. In its Top 10 list, OWASP noted that insecure web, mobile, and cloud-based interfaces are key components that need to be assessed for vulnerabilities. For example, organizations should test the interfaces to see if weak passwords are allowed and examine them for vulnerabilities such as cross-site scripting and cross-site request forgery. This will require conducting a vulnerability assessment and a penetration test that covers these devices.
The issue of data privacy is also critical. Many IoT devices are designed to collect data that can help a business. Unfortunately, this is not always done securely, and it is important for organizations to ensure that data is protected both in transit and at rest.
Further complicating security is the lack of standardization in the space. Though there are ongoing efforts to address this issue, proprietary protocols are common. This makes it difficult for products from different vendors to interoperate with each other, and can increase the possibility of vendor lock-in.
As it stands today there is little in the way of certifications for product security beyond vendor and third-party claims, which leaves it up to businesses to perform their due diligence about product and data security. To get the most out of the potential of the Internet of Things, business leaders should take a cautious and calculated approach to adoption. Before saying yes to smart devices, they must also say yes to security by researching the data privacy and network security implications those devices will have on the network.