Hollywood is known for portraying outlandish scenarios. This past summer, The Fate of the Furious depicted scenes in which a cybercriminal controlled thousands of connected cars from an aircraft to create a massive vehicle pile-up on the streets of New York City. While many of the foreboding scenes we see on the big screen will probably never come to life, the number of breaches associated with connected devices is on the rise.
From connected cars to smartphones, some sort of smart device or application links nearly every aspect of modern society. According to Gartner, there will be 8.4 billion connected "things" in use in 2017. Another study from PricewaterhouseCoopers found that more than half of enterprise leaders are not investing in an Internet of Things (IoT) security strategy.
Increasingly, company leaders are seeing the possibilities that IoT provides. A McKinsey report from July found that 92% of executives believe that the IoT will have a positive impact on business over the next three years. Still, many companies are struggling to fully embrace the IoT, in part due to security concerns.
In September 2016, a Mirai botnet distributed one of the largest and most disruptive distributed denial-of-service attacks in history, which stalled service to popular websites such as Netflix. With more IoT devices being added each day, more ways to connect are being created and there are more ways for bad actors to exploit vulnerabilities.
And policymakers have recognized these risks. Recently, the U.S. Senate introduced the Internet of Things Cybersecurity Improvement Act of 2017. The bill takes steps toward enforcing stricter cybersecurity regulation for connected devices the government purchases. Similar steps to ensure the security of devices and applications should be taken by private sector enterprises.
Securing the IoT begins with identity management. Every new connected device has an identity that must be authenticated and authorized to protect the security of the device and the networks it touches.
Here's a checklist for securing IoT:
1. Manage the Device Life Cycle
A company would never knowingly give a previous employee access to current corporate data. Likewise, a company should never allow a device to stay on its network after access is no longer needed.
Throughout the life cycle of every device, enterprise IT security teams must manage not only who has access to the device but also what actions the device is allowed to perform at what time. When the device is no longer necessary, the connection should be terminated.
2. Monitor Behavior
When it comes to connected devices, it isn't always clear when a device is compromised. Today, nearly all employees have their smartphones with them at work. These personal devices are often unsecured and could become vulnerable due to malicious applications.
Using risk and behavior analytics, the enterprise can accurately and efficiently monitor how IoT devices are behaving in order to identify whether the device has deviated from its normal limits. Any deviation can promptly signal a compromised device.
We can learn from how the credit card industry addresses fraudulent activity across accounts. When it comes to transactions, once an action is deemed unordinary from the customer's general spending habits, the credit card company restricts access to the card. This entire process is based on behavioral analytics that are used to determine the amount of risk associated with abnormal behaviors.
3. Authorize Device-User Interaction
The nature of IoT devices encourages interaction between devices and users and between the devices themselves. But each of these interactions must be authorized. This means that security teams must be able to authorize not only which users have access to certain devices, but also authorize the actions those devices are facilitating.
4. Authenticate Device Connections
When your family connects to your Wi-Fi router at home, every person uses the same password credentials to gain access. Under this premise, the network believes that every login is the same user.
When it comes to IoT devices, an automated authentication process must be in place to verify a unique identity for each device. In this past year's Mirai botnet attack, default credentials were used to compromise the network and gain access. If security teams can't distinguish between devices based on their identity, then they can't accurately address threats and mitigate risks.
5. Govern User Permissions
Similar to human access, we need the ability to revoke device access and control the level of risk associated with any given device. This is done by controlling the levels of permissions that authorize users to access connected devices.
Governing user permissions is not a one-step process. Enterprises must be able to govern permissions in real time for security and legal purposes. The use of street cameras across the US has sparked a series of lawsuits over the security of the personally identifiable information that is stored in the camera's data. As IoT devices become more widely used, there will be an increased need for governance to ensure private information doesn't get into the hands of the wrong people.
With Gartner estimating that there could be 50 billion connected devices in existence by 2020, our approach to device security must evolve. Approaching IoT with identity in mind will make our connected world — and your enterprise — a safer place to be.
- IoT Security Incidents Rampant and Costly
- IOTroop Botnet Hits Over a Million Organizations in Under 30 Days
- IoT: Insecurity of Things or Internet of Threats?
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.