One of the biggest risks faced by businesses in the digital age is that posed by cyberattacks. Keeping your data secure and out of the hands of bad actors is obviously paramount, but the potential risk increases with every digital touchpoint added. While many agree that digital transformation brings huge benefits to almost all aspects of business, the increased exposure that comes with it should not be ignored.
For many businesses, IoT is at the center of the plan for digital transformation and like any technology, with the benefits come the risks. In the case of IoT, there will likely be data stored in several locations — on devices, within applications and on servers where data is stored and processed. As well as data being stored, there is also the communication of data and the control of IoT devices to be considered.
This year, worldwide IoT security spending is predicted to reach $1.5 billion, a 28% increase on 2017 ($1.2 billion). This is hardly surprising, given that nearly 20% of organizations surveyed by Gartner observed at least one IoT-based attack in the past three years. On top of this, horror stories like the Mirai botnet have shown us that not only do hackers want to get at your data, they may also want to use your devices to do their dirty work.
The “Global State of Information Security Survey 2018” by PwC found that 29% of respondents reported loss or damage of internal records as a result of a security incident. The report states, “cyberattacks that manipulate or destroy data can undermine trusted systems without the owner’s knowledge and have the potential to damage critical infrastructure.”
The IoT security knowledge gap
As is the case with any emerging technology, IoT brings new challenges to organizations. There is confusion over standards, policy and governance, and at this stage, “best practice” seems like it is a million miles away. On top of this, there is a global skills gap in cybersecurity further compounding the problem for businesses trying to integrate IoT within their organization. According to a report last year by the Center for Cyber Safety and Education, the global shortage of cybersecurity professionals appears to be worsening, with the latest figures suggesting 1.8 million information security-related roles will remain unfilled worldwide by 2022.
Connecting legacy systems not designed for connectivity
Due to the interconnectedness of formerly isolated systems, the internet of things brings a whole host of new threats to the organization. And as the ecosystem grows, and technological advancement continues, this problem is only going to get worse. What is secure now might not be secure tomorrow, and the IT department, as expert as they may be at keeping your business network secure, will need to continually update and refresh their skill set to maintain true network resilience.
Of course, this isn’t much different to how IT and infosec work today; however, IoT could increase the number of devices under the control of the IT department by orders of magnitude. On top of this, the currently fragmented nature of IoT also means that IT teams will need to learn new architectures, programming languages and, in the near future, will likely face new engineering challenges that we couldn’t even dream of today. In simple terms, your IT team will need to learn more and learn faster.
Security at what cost?
With businesses already trying to minimize the cost of hardware and connectivity to make deployment viable, for some, the added cost of security might seem like a prohibitive factor. According to a survey by Cisco last year, budget overruns were stated as one of the main factors causing IoT projects to fail. Bearing in mind that the number of devices requiring support could run to thousands or even millions for some organizations, bulletproofing the IoT network might not be possible due to high cost per device.
It’s important for businesses to weigh up the cost of security against the risks before deployment. Special consideration should be given to security in the design phases of a project. This will not only give a better idea of the total cost of deployment, but may also highlight different ways of achieving security at a lower cost to the business.
Breaches will happen
Breaches are inevitable. For this reason, you must assume that at some point in the near future your business will come under attack. It’s also worth bearing in mind that with so much of our business data being in the hands of other organizations, attacks and exploits may happen on systems that are outside of the control of the IT department. It’s simply not enough to lock your systems down and hope nobody gets in. Creating a secure network is only half of the picture. Every node, device and touchpoint on the network could be a potential access point. Ask yourself the following question: Is the data at this access point useful to an attacker?
No matter how good their network security might be, businesses need to have a plan of action for when that security fails. Because it will fail.
Guiding principles of IoT security
With a lack of cohesive standards, it’s hard to see where to start when it comes to securing the IoT network. Rather than simply building a big wall and hoping for the best, businesses need to dial into the devices and data. A strategic approach to IoT security needs to start with asking the right questions. The Internet of Things Security Foundation poses the following questions to consider when assessing the security requirements of your network:
Does the data need to be private?
IoT devices and networks trade in data, storing it and communicating it to and from other devices and internet applications. Where personal or sensitive data is concerned, take this into account when storing or transmitting it: keep such data secure, match the level of protection to the types of potential threat, and depersonalize data wherever possible. Also bear in mind the other systems to which your devices are connected. Could an attack on one of these systems expose the sensitive data at the edges of your network?
Does the data need to be trusted?
Where the integrity of data is key to mission-critical operations, businesses need to ensure that data cannot be corrupted or interfered with in transit and must ensure that only the right data reaches the right destination. Poor quality data could be the result of a faulty device, misconfiguration or a malicious attacker. As such, this data may adversely affect other parts of the IoT network. Building in a way to identify and isolate these devices quickly and securely will help mitigate against these risks.
Is the safe and/or timely arrival of data important?
In scenarios where the safe or timely arrival of data is important, businesses need to build in quality assurance measures to make sure that important data cannot be missed. These measures may include accurate timestamping of data to ensure that devices and users know how fresh the data is when it arrives.
Building quality of service (QoS) into the messaging between your devices and your IoT platform is another way to ensure data integrity. Platforms that use MQTT have an advantage here, because the protocol has QoS levels built in.
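The at-least-once delivery and timestamp checks described in the last two paragraphs, shown as an added example that is not part of the original article or of any MQTT library: a simulation of the MQTT QoS 1 exchange in which the publisher retransmits a PUBLISH (with the DUP flag set) until the matching PUBACK arrives, and the subscriber acknowledges every copy but processes each packet id once and uses the payload timestamp to decide whether the reading is still fresh. The lossy link, the sensor readings and the 30-second freshness threshold are constructed for the example.

```python
"""Simulated MQTT-style QoS 1 (at-least-once) delivery with freshness checks."""
import dataclasses

MAX_AGE_SECONDS = 30    # assumption: a reading older than this is treated as stale
MAX_PACKET_ID = 65535   # MQTT packet identifiers are 16-bit and never zero


@dataclasses.dataclass
class Publish:
    packet_id: int
    payload: dict
    dup: bool = False   # set on retransmission, like the MQTT DUP flag


class LossyLink:
    """Drops messages according to a fixed pattern so a run is reproducible."""

    def __init__(self, drop_pattern):
        self.drop_pattern = list(drop_pattern)
        self.calls = 0

    def delivers(self):
        dropped = self.drop_pattern[self.calls % len(self.drop_pattern)]
        self.calls += 1
        return not dropped


class Subscriber:
    def __init__(self, now):
        self.now = now          # receiver clock, seconds since the epoch
        self.seen = set()       # packet ids already processed
        self.accepted = []      # (payload, age_seconds, is_fresh)
        self.duplicates = 0

    def on_publish(self, msg):
        """Process a PUBLISH once but PUBACK every copy: that is QoS 1."""
        if msg.packet_id in self.seen:
            self.duplicates += 1
        else:
            self.seen.add(msg.packet_id)
            age = self.now - msg.payload["ts"]
            self.accepted.append((msg.payload, age, age <= MAX_AGE_SECONDS))
        return msg.packet_id    # the PUBACK echoes the packet id


class Publisher:
    def __init__(self, link, subscriber, max_retries=5):
        self.link = link
        self.subscriber = subscriber
        self.max_retries = max_retries
        self.next_id = 1

    def publish(self, payload):
        """QoS 1 send: retransmit until the matching PUBACK arrives. Returns attempts used."""
        msg = Publish(self.next_id, payload)
        self.next_id = self.next_id % MAX_PACKET_ID + 1   # wrap 65535 -> 1, never 0
        for attempt in range(1, self.max_retries + 2):
            if self.link.delivers():                      # PUBLISH reached the subscriber
                ack = self.subscriber.on_publish(msg)
                if self.link.delivers() and ack == msg.packet_id:   # PUBACK came back
                    return attempt
            msg.dup = True                                # retransmission: set DUP
        raise TimeoutError(f"no PUBACK for packet {msg.packet_id}")


def run_demo():
    """Three readings over a link that loses one PUBLISH and one PUBACK."""
    now = 1_700_000_000
    readings = [   # constructed sensor readings; 'ts' is the time of measurement
        {"sensor": "pump-3", "temp_c": 41.2, "ts": now - 5},
        {"sensor": "pump-3", "temp_c": 88.9, "ts": now - 60},   # delayed in a queue: stale
        {"sensor": "pump-3", "temp_c": 41.5, "ts": now - 1},
    ]
    # One entry per link traversal: the third traversal (second reading's first
    # PUBLISH) is lost, the seventh (third reading's first PUBACK) is lost.
    link = LossyLink([False, False, True, False, False, False, True, False, False])
    sub = Subscriber(now)
    pub = Publisher(link, sub)
    attempts = [pub.publish(r) for r in readings]
    return {
        "attempts": attempts,
        "delivered": len(sub.accepted),
        "fresh": [fresh for _, _, fresh in sub.accepted],
        "duplicates_dropped": sub.duplicates,
    }


if __name__ == "__main__":
    print(run_demo())
```

The lost PUBACK is the instructive case: the publisher cannot tell a lost PUBLISH from a lost acknowledgement, so it resends, and only the receiver's packet-id bookkeeping keeps the duplicate reading from being processed twice. Freshness is judged from the measurement timestamp carried in the payload, not from arrival time, which is why the delayed reading is flagged stale even though it was delivered successfully.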
Is it necessary to restrict access to or control of the device?
If a hacker gains access to one of your devices, they could potentially steal sensitive information or take control of the device itself. Ensuring that devices can only be accessed through secure, authenticated channels can help to mitigate these risks. Vulnerabilities at this level can also be reduced by building secure access in at the design stage, using secure coding standards and employing penetration testing.
Is it necessary to update the software on the device?
Out-of-date software can introduce security vulnerabilities and could also affect the reliability of data coming from devices. Businesses must make sure that software is updated in line with best practices without negatively impacting the functionality of the device. Making sure that updates can only be applied from a secure and trusted source will further reduce the likelihood of an attack on this vector.
Will ownership of the device need to be managed or transferred in a secure manner?
In situations where the device is tied to an end user, ownership of that device and/or some of the data may need to change hands. Ensuring that this can be done in a safe and secure way is highly important.
Does the data need to be audited?
Depending on the application, IoT services may require auditing, either internally or to meet the requirements of a regulatory body. IoT networks should be designed with this in mind, allowing secure, managed access to IoT data where appropriate.
Future-proofing IoT security
Given the rate of technological advancement in the field of IoT and technology in general, it would be impossible to predict the kinds of cybersecurity threats faced by the enterprise in 10 or even just five years. This is not a new problem for the IT department. As with the rest of the business IT infrastructure, an IoT network needs regular maintenance. This includes ensuring that network devices are always kept up to date and in fully working order. This can be helped by programming devices to report their health when something isn’t right. For example, if a device can’t find an update or hasn’t updated after a period of time, the network admin could be notified, and steps could be taken to solve the problem.
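The health reporting sketched in the paragraph above, as an added example that is not code from the article: each device sends a heartbeat carrying its firmware version, when it last checked for updates and any error it hit, and the report flags the cases the text describes, namely a device that cannot find an update, one that has not updated within a grace period after a release, and one that has gone silent. The thresholds, the device records and the update catalogue are constructed assumptions.

```python
"""Fleet update-health report built from device heartbeats."""
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds (constructed, not taken from the article).
HEARTBEAT_TIMEOUT = timedelta(hours=24)   # silent longer than this: health cannot be assessed
MAX_CHECK_AGE = timedelta(days=7)         # must have looked for updates within a week
UPDATE_GRACE = timedelta(days=14)         # may lag a release by at most two weeks


def parse_version(text):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess_device(device, latest_version, released_at, now):
    """Return the findings for one device; an empty list means healthy."""
    findings = []
    last_seen = device.get("last_seen")
    if last_seen is None or now - last_seen > HEARTBEAT_TIMEOUT:
        findings.append("no heartbeat")
        return findings  # the other reported fields are too old to trust
    last_check = device.get("last_update_check")
    if last_check is None or now - last_check > MAX_CHECK_AGE:
        findings.append("update check overdue")
    running = parse_version(device["firmware"])
    latest = parse_version(latest_version)
    if running < latest:
        lag = now - released_at
        findings.append("update lag exceeded" if lag > UPDATE_GRACE else "update pending")
    elif running > latest:
        findings.append("firmware newer than catalogue")  # unexpected image: investigate
    if device.get("last_error"):
        findings.append("device reported: " + device["last_error"])
    return findings


def fleet_report(devices, latest_version, released_at, now):
    """Map device name -> findings, listing only devices that need attention."""
    report = {}
    for device in devices:
        findings = assess_device(device, latest_version, released_at, now)
        if findings:
            report[device["name"]] = findings
    return report


# Constructed sample fleet and update catalogue.
NOW = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
LATEST_VERSION = "2.4.1"
RELEASED_AT = NOW - timedelta(days=5)
DEVICES = [
    {"name": "gw-01", "firmware": "2.4.1",
     "last_seen": NOW - timedelta(hours=1), "last_update_check": NOW - timedelta(days=1)},
    {"name": "cam-07", "firmware": "2.3.0",
     "last_seen": NOW - timedelta(hours=2), "last_update_check": NOW - timedelta(days=10)},
    {"name": "hvac-02", "firmware": "2.4.1",
     "last_seen": NOW - timedelta(days=3), "last_update_check": NOW - timedelta(days=4)},
    {"name": "sensor-19", "firmware": "2.3.9",
     "last_seen": NOW - timedelta(minutes=30), "last_update_check": NOW - timedelta(hours=2),
     "last_error": "update server unreachable"},
]

if __name__ == "__main__":
    for name, findings in fleet_report(DEVICES, LATEST_VERSION, RELEASED_AT, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```

A silent device is reported on its own and nothing else is inferred from its stale fields; a device running a version the catalogue does not know about is flagged rather than treated as up to date, since an unexpected image is exactly what integrity monitoring should surface.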
The next few years will be interesting for the internet of things, as new opportunities and threats will continue to change the landscape. Staying on top of security, making sure yours or your customers’ data is safe and keeping your devices under control are going to be essential going forward. It’s important that businesses start taking a strategic approach to IoT security right now. Those that fail to do this will almost certainly pay for it in the long run.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
As IoT devices connect to our networks, we need to provide secure, reliable connectivity to the back-end applications that manage and extract information from these devices. But all too often, current security architectures risk exposing those applications to network attacks, such as denial of service, SQL injection and more.
When the IoT device in question is your refrigerator, downtime is nothing more than a nuisance. But for IoT to move from consumer curiosity to industry workhorse, organizations need confidence in the availability and performance of IoT architectures. Eliminating blackouts and brownouts is a requirement for manufacturing plants, making the difference between a positive or negative quarter. And when it’s a hospital medical system that’s taken offline, downtime can translate into something far worse — the loss of life.
IoT’s networking and security problem
Building predictable, reliable IoT networks has been complicated by the changes in enterprise networks. Traditional enterprise networks were secure because of the firm perimeter blocking external users from accessing internal resources. But as users and applications have moved beyond the enterprise, the perimeter has dissolved.
Today, attackers can easily gain access to internal networks, whether at a remote branch or in the headquarters, by taking advantage of mobile devices and BYOD policies. They do this by posing as on-site contractors or launching phishing attacks against employees. And by breaching the security of cloud providers, attackers can strike companies without bothering with the traditional perimeter.
Once attackers authenticate onto the network, they can connect to the applications used for IoT. With many enterprise architectures, cybercriminals can execute network-layer attacks — even if they are not authorized to access the application — disrupting the service.
But that’s not the only networking issue facing IoT infrastructure. Moving traffic across the internet core exposes IoT infrastructure to connection blackouts and, more likely, brownouts.
Internet routing is based on economics, not application performance, which leads to the strange and indirect routes all too familiar to network engineers. Congestion, particularly at internet exchange points, only adds packet loss. Within well-developed internet regions, internet limitations are often masked by the relatively short distances and the plethora of routes between any two points. Between internet regions, though, is a different story. Latencies are much longer and, with fewer routes available, congestion is often higher.
Best practices around IoT management are also undermined by the realities of today’s networks. The disaggregation of our networks has given us freedom of choice at the expense of visibility and control. The outgrowth of this is immense complexity, complicating even mundane tasks, such as patch management — the combination of which risks undermining IoT availability and predictability.
How SDP can help IoT
A shift in both how we secure our applications and how we build our wide area networks provides some clues as to how we might better protect IoT infrastructure.
Rather than allowing network users and devices to view and connect to all resources, many enterprises are looking at tailoring each user’s view of the network, so that users can only see and connect to specific resources based on their role and privileges.
To make this model a reality, applications are hidden behind gateways that reject all connection requests except from authorized users. Users must authenticate first with a controller that informs the servers or gateways to accept connections from the particular user on a specific station. Only then can they connect to the requisite applications.
This best-practice approach has long been advocated by standards organizations, such as the National Institute of Standards and Technology, and was recently codified into an architecture, the software-defined perimeter (SDP), by the Cloud Security Alliance. Adapting this model to IoT protects the infrastructure from network attacks: IoT devices, like users, must authenticate first before accessing the requisite application.
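The controller-and-gateway flow described in the two paragraphs above, as an added example that is not code from the article or from the Cloud Security Alliance specification: the controller authenticates a device, then tells the gateway to accept connections from that identity, from one specific station, for the applications it is entitled to; the gateway drops everything else, so a host that merely has network reachability never obtains a connection to the application. Identities, secrets, addresses and the five-minute grant lifetime are constructed assumptions.

```python
"""Software-defined perimeter, simulated: default-deny gateway fed by a controller."""
import hmac


class Gateway:
    """Default-deny front door for the protected applications."""

    def __init__(self):
        self.grants = {}   # (identity, station, app) -> expiry time
        self.log = []

    def add_grant(self, identity, station, app, expires_at):
        self.grants[(identity, station, app)] = expires_at

    def connect(self, identity, station, app, now):
        """Accept only if a live grant matches identity, source station and app."""
        expires_at = self.grants.get((identity, station, app))
        if expires_at is None or expires_at <= now:
            # No grant: drop silently. There is no connection for a
            # network-layer attack to reach the application through.
            self.log.append(("drop", identity, station, app))
            return "dropped"
        self.log.append(("accept", identity, station, app))
        return "accepted"


class Controller:
    """Authenticates identities and pushes grants to the gateway."""

    def __init__(self, gateway, credentials, entitlements, ttl_seconds=300):
        self.gateway = gateway
        self.credentials = credentials      # identity -> shared secret (bytes)
        self.entitlements = entitlements    # identity -> set of application names
        self.ttl = ttl_seconds

    def authenticate(self, identity, secret, station, now):
        """On success, grant every entitled app for this identity on this station."""
        expected = self.credentials.get(identity)
        # Constant-time comparison; the dummy value keeps timing uniform for unknown ids.
        if not hmac.compare_digest(expected or b"\x00" * 32, secret):
            return []                       # failure: the gateway learns nothing
        apps = sorted(self.entitlements.get(identity, ()))
        for app in apps:
            self.gateway.add_grant(identity, station, app, now + self.ttl)
        return apps


def run_demo():
    """Walk through the cases the model is meant to distinguish."""
    gateway = Gateway()
    controller = Controller(
        gateway,
        credentials={"meter-42": b"constructed-device-secret"},   # constructed
        entitlements={"meter-42": {"telemetry-api"}},
    )
    t0 = 1_000
    results = {}
    # A host with network reachability but no authentication: nothing to connect to.
    results["unauthenticated"] = gateway.connect("laptop-x", "10.0.9.1", "telemetry-api", t0)
    # Wrong secret: no grant is created, the gateway keeps dropping.
    controller.authenticate("meter-42", b"guess", "10.0.5.12", t0)
    results["bad_secret"] = gateway.connect("meter-42", "10.0.5.12", "telemetry-api", t0)
    # Correct secret: grant for the entitled app only, bound to this station.
    results["granted_apps"] = controller.authenticate(
        "meter-42", b"constructed-device-secret", "10.0.5.12", t0)
    results["entitled"] = gateway.connect("meter-42", "10.0.5.12", "telemetry-api", t0 + 1)
    results["other_station"] = gateway.connect("meter-42", "10.0.9.1", "telemetry-api", t0 + 1)
    results["not_entitled"] = gateway.connect("meter-42", "10.0.5.12", "billing-db", t0 + 1)
    results["expired"] = gateway.connect("meter-42", "10.0.5.12", "telemetry-api", t0 + 301)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

Two points the simulation makes concrete: the grant binds the identity to the station it authenticated from, so a stolen credential replayed from elsewhere still gets nothing, and the grant expires, so access has to be re-established rather than persisting indefinitely.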
How SD-WAN can help SDP
At the same time, such an approach increases network complexity. IT must either install SDP software on each host or deploy gateways to protect applications. What’s more, left unaddressed are the numerous performance and availability problems posed by internet transport. Secure SD-WAN as a service provides a way forward.
With secure SD-WAN services, a global SD-WAN backbone functions as one, massive next-generation firewall. Not only do the encrypted tunnels of the SD-WAN control branch access, but the security capabilities of the SD-WAN as a service restrict user access to defined network resources. Users must authenticate before connecting. Gone are the days of open network access that allowed for network-layer attacks to be launched against IoT components from other network locations.
Availability of IoT deployments is also helped by secure SD-WAN as a service. IoT traffic leaving a branch office is balanced across redundant internet access lines. Should one line suffer an outage or a slow-down, traffic can be automatically steered to the secondary connection.
And instead of forcing IoT devices to reach back across the internet, SD-WAN as a service provides a more predictable long-distance transport. A global, SLA-backed backbone connects all of the points of presence (PoPs) comprising the SD-WAN as a service. The sites housing the applications and devices in the IoT infrastructure connect to the closest PoP and, from there, traverse the SD-WAN-as-a-service backbone, not the internet, to the remote location. The short hop across the internet access line (typically under roughly 25 milliseconds) minimizes the impact of internet routing.
IoT made secure and reliable
Current remote access and networking approaches risk leaving IoT implementations grounded by internet performance and security problems. But by including security best practices as part of a global, secure SD-WAN as a service, organizations can improve the resilience, uptime and security of their IoT deployments wherever they may reach.
Internet of things technologies play an important role in helping businesses improve their bottom line, from smart inventory trackers to advanced data mining and process tracking and improvements in productivity allowing workers to accomplish large-scale tasks quickly. These benefits and more are pushing businesses toward a mad rush on IoT devices, with the goal of purchasing the technology now before it becomes more expensive down the road. However, what many businesses forget is that IoT devices are not typically secure. In fact, they are designed to remain cheap and lightweight, which makes them difficult to manage once they are connected to the network. There are several reasons why IoT devices create a visibility challenge, some of which can be solved by referencing the below-mentioned tips and others which will have to wait for regulatory enforcement (that seems likely in 2018).
Avoid inventory oversight
One of the main and more obvious reasons that it’s so difficult to see IoT devices is that many IoT devices aren’t registered in IT inventory records or catalogues. There are horror stories of hospital employees physically checking each room daily to make sure that each device is accounted for, creating significant room for human error. Even IT professionals can forget to add an IoT device, like a smart coffee machine or HVAC system, to the list of inventoried connected devices because the technology may not seem “important enough” to track. This level of IoT oversight is likely to cost organizations down the line — potentially cancelling out the bottom line benefits mentioned above — as they are leaving these unmonitored devices open to unwarranted access. What’s more, IoT devices are usually protected through a simple operating system and default username or password (some of which can be found online), creating ample opportunity for unauthorized access, data leaks or malicious device activity. If you think about it, these “zombie” IoT devices are like the Terminator that you can’t turn off.
These risks and more can be easily eliminated by maintaining a current and detailed inventory of all network-connected devices (or even those not connected, but present in the office or factory). The inventory can be automatically updated once a device connects, with the help of a mobile device management or network access control technology, and manually verified on a monthly or bimonthly basis. Understanding your IoT device inventory shouldn’t be an annual event; the more you know about the devices on your network (or near your network), the better your organization will be able to effectively respond to IoT security breaches, which lately are increasingly common events.
To know thyself, first know thy device
Technically, IoT devices have been around for decades (because really, the term refers to any device that can connect to the internet), but in practice, the IoT devices that have the most value for today’s businesses remain a mystery. The seasoned IT professional will be well-versed in the IoT technology available on today’s market and may be tasked with suggesting devices that should be adopted by the company, but even they know that each device comes with its own challenges.
Most IoT devices are known for their low CPU, minuscule memory and unique operating system (that often needs to be studied from scratch). Many IoT devices are “protected” by factory-derived usernames and passwords that are rarely changed. Furthermore, these devices are designed to connect to the wireless network, and most won’t function at all without a connection. These challenges make discovering and managing the devices a significant challenge, especially if they aren’t being accounted for as part of IT inventory. To track their presence on the network, IT teams need dedicated visibility tools with a price point that outweighs the relatively low cost of adopting the IoT devices themselves. As a result, many IoT devices are given free rein over the network and can’t be seen in regular endpoint or vulnerability scans.
You may be thinking that the answer to this challenge lies with the device manufacturers. Indeed, this thinking is correct, but due to a lack of regulation on IoT security, manufacturers are only now starting to realize that a lack of security presents a barrier to implementation. Therefore, it is upon IT professionals themselves to start discovering and managing the devices with the goal of establishing a baseline of normal behavior that will help them identify imminent threats. This can be achieved with a network visibility tool that provides insights into the device, which port or area of the network it is connected to and which data it has access to. In addition, security administrators should set network policies that control access for IoT devices, particularly for data-sensitive areas of the network. Finally, make sure that you know everything about the device and the manufacturer. Though many IoT devices cannot be patched, some manufacturers now issue firmware updates that should be installed whenever possible. These updates help prevent hackers from gaining access — which can be relatively easy to achieve once the credentials for access have been discovered through websites like the Shodan network and others.
When in doubt, segment it out
Another reason that it’s difficult to see IoT devices on the network is because they are grouped in with all of the other connected devices on the network, such as BYOD, mobile, laptops, PCs, printers and more. In fact, they may not even be “grouped in” or assigned a specific group/role-based policy due to their ubiquitous purposes — be it a kitchen appliance, connected security camera or heating/cooling system — leaving them free to roam around the network. No one user or group of users is assigned to manage the device (data collection may be automated), so responsibility for ensuring the device’s security status and authorized areas of access is left up in the air. The result: IoT devices become free agents that can be easily turned to the side of hackers and other malicious actors. The numerous distributed denial-of-service botnet attacks of late are the best examples of how hackers can manipulate a feeble IoT security policy to gain access to corporate data or even shut down operations entirely (see the attack on Dyn).
With a combination of forces out of security’s favor when it comes to IoT, the best solution is to segment. The segmentation process begins with conducting a thorough inventory of devices: which IoT devices are in use, by which employees and for what uses. Also assess the nature of their connectivity: Are they connected to the VLAN or LAN networks? Do they need access to more than just an internet connection to perform their functions? And how do these devices transmit their data (in what form)? Answering these questions ties back to the importance of knowing the device in use and its functionality. Once all of the ducks are in a row, it’s easier to start segmenting.
A suggestion for segmentation is not to group all connected devices together, but rather specify certain categories, such as infrastructural devices, data-collecting devices, organizational devices, and maybe even wearable devices. By understanding the unique functionalities of each device, it will be easier to create a network security policy that can serve their purpose and maximize their results. Another idea is to ask technically minded employees to monitor a certain IoT segment that they work with on a regular basis. This will not only help them collect better data and manage their technology needs, it will emphasize the importance of securing and managing the devices. Segmentation can also be useful in the unfortunate case of a breach by allowing for rapid remediation that involves quarantining or entirely blocking access for those devices from the network.
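The inventory and segmentation steps from the last three sections, carried through as an added example that is not code from the article: discovered devices are reconciled against the IT inventory to surface devices that are on the network but unregistered, registered but not seen, or sitting on the wrong VLAN for their category; then observed flows are checked against a per-category allow-list, with unregistered devices denied by default. The category names follow the article’s suggestion; the MAC addresses, VLAN numbers, hostnames and flows are constructed.

```python
"""Reconcile IoT inventory against discovered devices and audit flows per segment."""

# Which VLAN each category lives on and the only destinations it may reach (constructed).
SEGMENT_POLICY = {
    "infrastructure":  {"vlan": 10, "allowed": {("bms.internal", 443), ("ntp.internal", 123)}},
    "data-collecting": {"vlan": 20, "allowed": {("iot-broker.internal", 8883), ("ntp.internal", 123)}},
    "organizational":  {"vlan": 30, "allowed": {("vendor-cloud.example", 443)}},
    "wearable":        {"vlan": 40, "allowed": {("wearables-api.example", 443)}},
}

INVENTORY = {  # MAC -> record as kept by IT (constructed)
    "aa:bb:cc:00:00:01": {"name": "hvac-02", "category": "infrastructure", "owner": "facilities"},
    "aa:bb:cc:00:00:02": {"name": "sensor-19", "category": "data-collecting", "owner": "ops"},
    "aa:bb:cc:00:00:03": {"name": "coffee-1", "category": "organizational", "owner": "office"},
    "aa:bb:cc:00:00:04": {"name": "badge-cam", "category": "infrastructure", "owner": "security"},
}

DISCOVERED = [  # what the NAC or network scan observed (constructed)
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.10.0.5", "vlan": 10},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.20.0.19", "vlan": 20},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.20.0.44", "vlan": 20},   # coffee machine on the sensor VLAN
    {"mac": "aa:bb:cc:00:00:99", "ip": "10.20.0.88", "vlan": 20},   # never registered
]


def reconcile(inventory, discovered, policy=SEGMENT_POLICY):
    """Compare the inventory with the network: unknown, missing and misplaced devices."""
    seen = {d["mac"]: d for d in discovered}
    unknown = sorted(mac for mac in seen if mac not in inventory)
    missing = sorted(rec["name"] for mac, rec in inventory.items() if mac not in seen)
    misplaced = []
    for mac, observed in seen.items():
        record = inventory.get(mac)
        if record is None:
            continue
        expected_vlan = policy[record["category"]]["vlan"]
        if observed["vlan"] != expected_vlan:
            misplaced.append((record["name"], observed["vlan"], expected_vlan))
    return {"unknown": unknown, "missing": missing, "misplaced": sorted(misplaced)}


def flow_allowed(mac, dst_host, dst_port, inventory=INVENTORY, policy=SEGMENT_POLICY):
    """A device may reach only its category's destinations; unregistered devices get nothing."""
    record = inventory.get(mac)
    if record is None:
        return False
    return (dst_host, dst_port) in policy[record["category"]]["allowed"]


def audit_flows(flows, inventory=INVENTORY, policy=SEGMENT_POLICY):
    """Label each observed (mac, host, port) flow allow or deny."""
    return [(mac, host, port, "allow" if flow_allowed(mac, host, port, inventory, policy) else "deny")
            for mac, host, port in flows]


FLOWS = [  # constructed observations
    ("aa:bb:cc:00:00:02", "iot-broker.internal", 8883),   # sensor to its broker
    ("aa:bb:cc:00:00:02", "fileserver.internal", 445),    # sensor reaching into file shares
    ("aa:bb:cc:00:00:03", "vendor-cloud.example", 443),   # appliance to its vendor
    ("aa:bb:cc:00:00:99", "iot-broker.internal", 8883),   # unregistered device
]

if __name__ == "__main__":
    print(reconcile(INVENTORY, DISCOVERED))
    for entry in audit_flows(FLOWS):
        print(entry)
```

The reconciliation is what turns the monthly manual check the article recommends into something repeatable, and the flow audit is the policy the segments exist to enforce: a data-collecting device that reaches for a file server is denied regardless of whether that server was reachable at the network layer.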
As the economic advantages of IoT technologies become increasingly clear, and as device manufacturers aren’t required by consumer protection laws to integrate security features, now is the time for enterprises to focus on gaining complete IoT visibility. It starts with understanding the inventory of connected devices and ends with segmenting those devices into areas of the network with limited access according to their needs. While many businesses and even consumers feel helpless in the hands of device manufacturers, rest assured that there are readily available and relatively simple ways to achieve the level of visibility you need.
The biggest promise of the internet of things is also arguably its biggest weakness — namely its scale. While the prospect of billions of IoT devices has the potential to alter the global economy, it also creates an enormous attack surface for hackers to exploit. Luckily, blockchain technology is providing new security benefits, which have caught the attention of companies worldwide.
The traditional method of network security is the client-server model, which attempts to protect the confidentiality, integrity and availability of each layer of the networking stack. However, this centralized security model is struggling to meet the demands of large IoT deployments, which can easily include tens of thousands — or more — of endpoints deployed across large areas. The sheer scope of such IoT deployments can overwhelm traditional network administration teams, while also creating a sizable attack surface. It can also be challenging to run security software on many IoT devices because of their constrained computing resources, increasing the need for alternate cybersecurity strategies that are compatible with low-bandwidth devices.
In contrast to the client-server model, blockchain is a distributed ledger in which transactions are verified and immutably recorded across the network rather than by a single central authority. This means blockchain technology can help distribute security-related decisions, allowing IoT devices themselves to play a role in detecting and reacting to network anomalies while assuring that data within the IoT network is not tampered with. In addition, blockchain is inherently resistant to outages and is open source. By default, the technology is permissionless, allowing anyone to enter the network and join in the process of creating consensus. But blockchain can also be configured so that it is permissioned and private, which is preferable for many IoT security applications.
Increased adoption rates
Blockchain technology is steadily gaining ground for enterprise applications with companies like Nasdaq, JPMorgan, Spotify, UPS and Barclays deploying the technology. IoT World’s recent study (note: registration required), “What’s Keeping IoT Executives up at Night in 2018,” surveyed over 100 IoT executives and found that 46% of respondents are currently considering the use of blockchain technology in their IoT strategy. With blockchain adoption rising, it is important for companies to consider its benefits — and limitations — when implementing an IoT security plan. Blockchain’s transparency, tamper-proof record and decentralized nature give it an edge in preserving data integrity compared to a repository under the control of one entity, which could become a single point of failure, and can be used to secure everything from financial transactions to voting and medical records. Although the technology can prevent tampering once data has entered the distributed ledger, care must be taken to ensure that the data entering the system is accurate.
For the companies that are seriously considering how to incorporate blockchain, there are many potential benefits that may justify investing in the technology. Our survey respondents valued blockchain’s ability to reduce the risk of collusion and tampering (15.05%), followed by building user trust with blockchain-based cryptography (13.98%) and accelerating transactions by reducing the settlement time from days to nearly instantaneous (12.9%).
As IoT adoption accelerates and matures over time, blockchain seems destined to be a powerful tool to help organizations both secure their IoT deployments and enable complementary services such as smart contracts, proof of payment in IoT-related transactions and traceability in supply chains. Furthermore, blockchain can help ignite cross-sector collaboration and knowledge-sharing. A growing number of organizations are stepping up to test the power of distributed ledger technology for IoT deployments, giving new meaning to sci-fi novelist William Gibson’s proclamation that “the future is already here — it’s just not very evenly distributed.”
IoT vulnerabilities continue to surface, and confidence in manufacturers’ ability to deliver products that are secure by design continues to erode. Already this year, several vulnerabilities have been exposed, including:
- Security flaws in smart cameras — Researchers discovered vulnerabilities in Hanwha Techwin surveillance cameras. The flaws existed not only in Hanwha Techwin cameras, but in all smart cameras manufactured by Hanwha Techwin.
- Vulnerable medical devices — Medical imaging devices, such as MRI or CT systems, are becoming increasingly vulnerable to cyberattacks, according to researchers from Ben-Gurion University.
- Hackable smart home hubs — Security flaws were discovered in a smart hub used to manage all the connected modules and sensors installed in the home, putting smart home owners at risk.
IoT vulnerabilities are being discovered and exposed across all industries, and hackers are certainly not discriminatory when it comes to who they will target. In countless examples, security flaws are regularly being found in IoT devices, putting sensitive data and even personal safety at risk.
The fundamental issue is that IoT devices are not being built with security in mind. As adoption of these technologies continues to rise, this has created a growing attack surface that does not take a particularly high level of expertise to exploit. Everyone is eager to jump on the IoT innovation train, but in doing so, the critical element of securing these devices is often neglected.
However, despite the risks, organizations are continuing to gather sensitive data from IoT devices. The “2018 Global Data Threat Report” found that nearly three-fourths (71%) of organizations are aggregating data from the millions of IoT devices already in use.
While IoT security as a whole remains lacking, we are nonetheless seeing more organizations starting to apply measures to protect IoT data. The “2018 Ponemon Global Encryption Trends Report” found that 49% of enterprises are either partially or extensively deploying encryption of IoT data on IoT devices.
Organizations are taking a step in the right direction by recognizing that encryption of IoT device data — done correctly — can effectively protect privacy and confidentiality, but challenges remain. At the end of the day, it comes down to trust. If trust is not established regarding the identity and overall integrity of the device, then encrypting untrusted data is not accomplishing the desired goal. And if the device and the data it collects cannot be trusted, there’s no point in going to all the trouble of collecting it, analyzing it and, worst of all, making business decisions based on it.
How to build trust in IoT
Here is what is required to enable trust:
1. A root of trust to enable device authentication
To securely participate in the internet of things, every connected device needs a unique identification. There are various methods used today to prove an identity, from passwords to biometrics to digital certificates and more. However, when it comes to proving the identity of an IoT device, the choices available for authentication depend on the capabilities of the device.
In environments where security and safety are paramount, a hardware-based root of trust provides the strongest means to establish and maintain an authenticated device identity. Digital certificates issued from a trusted public key infrastructure provide a proven mechanism for this; however, the storage and processing demands of traditional RSA keys have driven some to favor elliptic curve cryptography (ECC). ECC provides protection equivalent to RSA with much smaller keys (a 256-bit ECC key is generally rated comparable to a 3,072-bit RSA key), and its operations require significantly less processing, making it appropriate for devices with less storage space, processing power and battery life.
Unfortunately, many IoT devices aren't being designed with even the most basic of security protections, such as requiring default administrative credentials to be changed upon installation. A reasonable level of trust cannot be established in a device until there is a solid means of device authentication in place, and until the integrity of the device can be assured over time through mechanisms such as secure boot and code signing. These are important to prevent the introduction of malware, especially during firmware updates.
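As an added worked example (not code from the original article or from any vendor's toolkit), the following Go program models the flow just described: a manufacturing CA acts as the root of trust and issues a P-256 certificate binding a device ID to the device's public key, and the backend authenticates a device only if its certificate chains to that root and the device proves possession of the matching private key by signing a fresh nonce. The CA name, device ID and nonce are constructed for the example; in a real deployment the CA key lives in an HSM and the device key is generated inside the device's secure element.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RootOfTrust is a hypothetical manufacturing CA; its certificate is the only root the backend trusts.
type RootOfTrust struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// NewRootOfTrust creates a self-signed P-256 CA (in production the key lives in an HSM).
func NewRootOfTrust(name string) (*RootOfTrust, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &RootOfTrust{key: key, cert: cert}, nil
}

// GenerateDeviceKey stands in for key generation inside the device's secure element.
func GenerateDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueDeviceCert binds a unique device ID to the device's public key.
func (r *RootOfTrust) IssueDeviceCert(deviceID string, pub *ecdsa.PublicKey) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, r.cert, pub, r.key)
}

// SignNonce is the device's half of authentication: proof of possession of the certified key.
func SignNonce(devKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devKey, digest[:])
}

// Authenticate (backend side) accepts only a certificate chaining to our root plus a valid signature over the fresh nonce.
func (r *RootOfTrust) Authenticate(certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(r.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by our root: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	root, _ := NewRootOfTrust("Example Manufacturing CA")
	devKey, _ := GenerateDeviceKey()
	certDER, _ := root.IssueDeviceCert("sensor-0001", &devKey.PublicKey)
	nonce := []byte("constructed-backend-nonce") // a real backend draws random bytes
	sig, _ := SignNonce(devKey, nonce)
	fmt.Println(root.Authenticate(certDER, nonce, sig))
}
```

Holding a certificate proves nothing by itself; the signed nonce is what ties the presenter to the certified key, and choosing a fresh nonce per attempt stops a captured signature from being replayed. A certificate issued by any other CA, even one carrying the same device ID and public key, fails the chain check. Code signing for secure boot rests on the same primitive: the device checks an ECDSA signature over the firmware image against a vendor public key anchored in its root of trust before it will run the image.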
2. Encryption to protect data
With a proper root of trust in place, it is increasingly important to have means in place to protect IoT data which is sensitive, personally identifiable or proprietary. In IoT, this means protection on the device itself, when the data is being transmitted to intermediate points, such as IoT gateways, and when it is en route to final destinations, such as the cloud or a data center for storage and analysis.
This requires not only process steps to identify the specific data to be encrypted, but also a key management scheme to distribute and manage the keys that are used to encrypt the data. Secure storage and access control for keys requires planning: they must be available to authorized people and systems to enable data access, but kept segregated from the data they protect and stored securely. It might sound easy, but IoT scale and speed are a game changer. Keys have a finite lifetime (a cryptoperiod) based on their length, the algorithm being used and how much data they protect, and therefore must be rotated at regular intervals. Lose a key that is used to encrypt data and you lose the data. Key management is a crucial capability for IoT deployments with sensitive data.
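Envelope encryption is a common way to make key management tractable at this scale; the following Go program is an added example (not from the original article) of the pattern: each record is encrypted under its own data encryption key (DEK) with AES-256-GCM, the DEK is wrapped under a versioned key-encryption key (KEK) that is held apart from the data, and the device ID is bound in as authenticated data. Rotating the KEK installs a new version without touching existing records, and retiring a version destroys the key, which is exactly the "lose the key, lose the data" outcome described above. The device IDs and telemetry payload are constructed sample inputs, and the in-memory KeyStore stands in for a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one stored telemetry record: data sealed under its own DEK, plus that DEK wrapped under a versioned KEK.
type Record struct {
	DeviceID   string
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyStore stands in for a KMS or HSM: it holds key-encryption keys by version, apart from the data.
type KeyStore struct {
	keks    map[int][]byte
	current int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("entropy source unavailable: " + err.Error())
	}
	return b
}

// aead returns AES-256-GCM; every key here is 32 bytes, so a failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal prepends a random nonce; aad (the device ID) is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewKeyStore starts with KEK version 1 installed.
func NewKeyStore() *KeyStore {
	ks := &KeyStore{keks: map[int][]byte{}}
	ks.Rotate()
	return ks
}

// Rotate installs a fresh 256-bit KEK as current; older versions stay until retired.
func (ks *KeyStore) Rotate() {
	ks.current++
	ks.keks[ks.current] = randomBytes(32)
}

func (ks *KeyStore) Retire(version int) { delete(ks.keks, version) } // records still wrapped under it are lost

// Encrypt seals the data under a fresh per-record DEK and wraps that DEK under the current KEK.
func (ks *KeyStore) Encrypt(deviceID string, plaintext []byte) *Record {
	dek, aad := randomBytes(32), []byte(deviceID)
	return &Record{deviceID, ks.current, seal(ks.keks[ks.current], dek, aad), seal(dek, plaintext, aad)}
}

// Decrypt unwraps the DEK with the record's KEK version, then opens the data.
func (ks *KeyStore) Decrypt(r *Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK v%d is gone: record unrecoverable", r.KEKVersion)
	}
	dek, err := open(kek, r.WrappedDEK, []byte(r.DeviceID))
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.DeviceID))
}

func main() {
	ks := NewKeyStore()
	rec := ks.Encrypt("sensor-0001", []byte(`{"temp_c":4.2}`)) // constructed sample
	ks.Rotate()  // new records now go under KEK v2; rec still references v1
	ks.Retire(1) // v1 destroyed before rec was rewrapped: its data is gone for good
	fmt.Println(ks.Decrypt(rec))
}
```

In production, every record still wrapped under an old KEK version is rewrapped before that version is retired: unwrap the DEK under the old KEK and wrap it again under the current one. Only the 32-byte DEK is re-encrypted, never the bulk ciphertext, which is what makes regular rotation affordable across millions of devices. Binding the device ID as authenticated data means a record copied under another device's identity fails to decrypt instead of silently being attributed to the wrong sensor.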
The adoption of IoT technology is not expected to slow down anytime soon. In fact, Gartner predicts the number of connected devices will rise to 20.4 billion by 2020. Trust is recognized as a key enabler for IoT to deliver the intended results, and authentication and encryption are two critical capabilities in the IoT trust playbook.
Security has been the subtitle for all discussions about the internet of things. But a lot of that discussion has been based on some bad assumptions and misinterpretations. IoT can be secured, but just not in a lot of the ways that are being discussed. Here are six of the most common IoT security myths and the reality behind each of them.
1. Lightbulbs and industrial robots are secured the same way
IoT is really a superset of two very different technologies. The first part is what we think of most with consumer-grade tech: think lightbulbs, TVs and vacuum cleaners. The second part is operational technology, or OT: industrial robots, water turbines, elevators and power plant relay actuators. The essential difference is that OT is serviced and maintained by a dedicated team, usually closely backed by the vendor, whereas IoT, as consumer-grade tech, is not. This difference is significant to how they are secured, and to the impact of being insecure. OT vendors, however, are typically less experienced than IT vendors in the ways of security. This is a rough differentiation though. Cars, for example, although a consumer technology, are in the OT classification because of manufacturer involvement.
2. Standards will secure IoT
This is a common myth. I hosted an OT/IoT roundtable in the UAE, and the majority voted that they believed standards would fix the IoT security problem. This is certainly how things should work when viewed through the lens of safety: safety standards work well in OT and IoT, with established national standards bodies and labs. However, the reality is much different.
There is hope, but no time soon will standards play a role of any impact. Standards play almost no role in IT security today, so our hope for them in IoT is aspirational.
3. IoT vendors will start patching their devices
Product makers don’t want insecure stuff. All IoT is patching-challenged, but for different reasons. This short description won’t completely do the topic justice, as this is a very nuanced and complex discussion.
OT teams do have a strong desire to patch; however, their software update cycles are often orders of magnitude slower than IT patching. Many OT devices will never see a patch, so the development and delivery of time-critical security patches is not part of their corporate DNA. Similarly, patch management is not traditionally part of the OT group’s DNA — there is no “Turbine & Water Filtration System Monday” equivalent to Microsoft Patch Tuesday, nor are patch management tools often in use in OT environments. Much of the patching must be done locally and manually.
IoT has different issues with patching. Most IoT devices were designed without any prospect of patching. Some IoT vendors do not keep a software team in house, making patching problematic. A portion of IoT software is embedded in firmware, and when the chips containing the flaw require replacement, usually the whole device must be replaced. I spoke with one IoT component manufacturer that told me it would add about $0.02 per chip for them to extensively test code and provide patches for security vulnerabilities, whereas the price of their nearest competitor was $0.01 per chip, and the manufacturer said the company had never had a buyer factor security into a purchasing decision.
4. OT will make it all better
What is not a myth is that there is usually tension between enterprise IT departments and the OT staff responsible for the technology of the shop floor or production environments. The OT teams certainly know their environments best; however, they come less equipped and experienced than IT staff concerning modern threats and patch management techniques. OT teams usually lean on their familiar vendors — the manufacturers of the equipment. However, these vendors reflect the OT teams in that they are slow to adapt to the new and incredibly hostile environment. Most of these vendors do not even have any kind of bug bounty or vulnerability research interface. Think about it — OT and their vendor-scape are required to go from 0-100 overnight; from an air-gapped low-threat world to an IP-enabled one attacked by nation states and custom-crafted malware. OT teams do understand their environments the best, so they are rightly skeptical of IT teams. Which leads us to …
5. IT will make it all better
Early on in IoT and OT security, it was assumed that the current IT techniques would be the fix. Just do what we do on the corporate network and everything will be alright. Unfortunately, it was immediately evident that things weren’t business as usual. Not everything is IP-enabled, we cannot risk connecting critical infrastructure to the corporate environment, the service-level agreements for outage or downtime were orders of magnitude less forgiving than IT’s, strange protocols were involved, and there was little if any coverage of these devices by vulnerability research. IT security has the CIA triad as its foundation: confidentiality, integrity and availability. Suddenly, a new leg was added to that: safety. IT security and ops departments were not equipped to perform their current tasks with that level of impact.
IoT under IT is a bit better than OT, but still requires flexing which IT departments may not be willing to undertake. Most studies predict that IoT devices are growing orders of magnitude faster than IT devices. Most IT security products are not equipped to deal with the scale of IoT, even if the teams are willing. For example, most security information and event management (SIEM) products are already challenged to handle the alert load, as are firewalls handling connections per second. IoT adds roughly a 10x load in most enterprises, with IT departments again often unwilling to take on the burden of managing and securing what don’t appear to be devices in their realm of responsibility. IT does not have the IoT security answer today. But that doesn’t stop the threat landscape from using IoT as an attack surface in the interim.
6. Special IoT security products will fix it all
Early on, there were IoT-specific security products that emerged. They tended to be either wireless focused — a good thing, since so much of IoT connectivity is wireless based — or from the OT device manufacturers. However, the impact has been limited. OT manufacturers have been slow to bring effective products, and the slow release of real dollars for OT and IoT has alienated vendors. The critical issue is that most IoT and OT security technologies are not linked to corporate IT security groups that are already organizationally decoupled, making the job of a security operations center response almost a manual task of calling coworkers to find out information.
The answer will most likely be via partnerships between OT vendors and IT security vendors, taking the already advanced security technologies and hardening them to work in the organizational, cultural and technical OT environments. IoT is a more difficult issue in that these “unpatchables” must be segmented and surrounded by intrusion prevention systems and antimalware. Instead of a pre-patch shield, this becomes a never-can-patch shield. Segmentation and shielding, especially via wireless connectivity, become the future state.
The bottom line is that not all IoT is created equally, and can’t be secured equally. But IoT is here and the baddies know it to be a soft underbelly. The “two solitudes” of the organizations representing IT and OT can together secure OT, but it is up to mostly IT to embrace and secure consumer-grade IoT technologies. Don’t fall into the traps set by these myths — be informed and get to work now on fixing these … things.
When it comes to the internet of things, perhaps the key enabling technology is wireless networking. Without the two primary wireless data networking technologies — cellular and Wi-Fi — almost every IoT device would require a wired connection to the internet, dramatically limiting the ability of developers to create IoT applications that deliver value to businesses and consumers.
However, thanks to these two wireless networking technologies, IoT is big and getting bigger — research firm Gartner forecast that in 2017, 8.4 billion connected things would be in use worldwide, with this number reaching 20.4 billion by 2020. With as many as 10 billion additional connected devices forecast to be deployed over the next three years, IoT application developers face an important question as the market continues to mature — given each technology’s bandwidth, cost, coverage and security characteristics, should they design their IoT applications to use cellular, Wi-Fi or both?
While the differences between Wi-Fi and cellular in terms of bandwidth and cost have been narrowing or disappearing, cellular is expanding on its coverage advantages. By definition, Wi-Fi is a local area network (LAN) which provides great coverage in a very limited area. Yet, the moment a connected device leaves that area, coverage is lost, which results in significant design limitations for IoT application developers. On the other hand, cellular data coverage today is extensive and growing, as wireless network operators compete with each other to offer better coverage to their customers. In addition, standard low-power wide-area (LPWA) cellular IoT technologies (LTE-M and NB-IoT) provide deeper coverage than traditional cellular technologies, expanding cellular connectivity to underground spaces, buildings and rural environments. While LPWA is new, it is rapidly being embraced by network operators, as upgrading 4G LTE infrastructure to support LPWA only requires a simple software update. For developers who want to deploy IoT applications around the world or to remote, underground or similar hard-to-reach locations, cellular provides clear advantages — advantages that will only grow over the coming years.
When evaluating the security differences between Wi-Fi and cellular, one must always remember that no network can ever be made 100% secure. Nonetheless, cellular does possess several security advantages over Wi-Fi. First, cellular traffic is encrypted over the air by default, under the network operator’s control; Wi-Fi traffic can be encrypted, but the encryption has to be turned on and configured by whoever runs the access point. This introduces human error into the Wi-Fi security equation, and as recent cyberattacks have shown, such human-error related vulnerabilities can and will be exploited by cybercriminals. In addition, cellular security updates are made by network operators who have dedicated cybersecurity staff in place and very strong financial and reputational incentives to ensure such updates are made as quickly as possible. Wi-Fi, however, depends on individual Wi-Fi network owners to make security updates, and it is easy for them to delay or overlook these updates. The problem with overlooking such updates was recently demonstrated by the Key Reinstallation AttaCK, aka KRACK, on the key exchange handshakes used in the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) security protocols. Another security issue with Wi-Fi is that cybercriminals can create “fake” Wi-Fi networks that unsuspecting device owners connect to, allowing the criminals to attack those owners’ devices. While rogue cellular base stations are possible, cellular’s built-in security features, as well as the size and scale of network operators, make standing up a fake cellular network much more difficult than standing up a fake Wi-Fi network. As cyberattacks continue to increase, cellular’s security advantages give it a leg up on Wi-Fi for developers building applications where security is a key design consideration.
For years, Wi-Fi had a significant advantage in bandwidth over cellular, with older 802.11b/g/n Wi-Fi technologies offering speeds up to 450 megabits per second and the newer 802.11ac Wi-Fi technology offering speeds up to 1.3 gigabits per second (Gbps). However, cellular technologies based on the 4G LTE standard are now as fast as 1 Gbps, making cellular bandwidth comparable with Wi-Fi. In addition, while new Wi-Fi technologies based on the 802.11ax standard promise speeds of up to 10 Gbps, new cellular technologies using the 5G standard will offer similar speeds. With cellular now able to come close to, if not match, Wi-Fi in regard to bandwidth, when it comes to video and other high-bandwidth IoT applications there is little to no difference between the two technologies on speed.
Security, bandwidth and coverage are not the only capabilities developers need to consider when deciding whether their IoT applications should use cellular, Wi-Fi or both, but they might be the most important. In terms of cost and bandwidth, cellular has in recent years caught up to Wi-Fi, and today Wi-Fi’s advantages in these areas are minimal or non-existent. However, when it comes to coverage and security, cellular has significant advantages over Wi-Fi, advantages that it will build on over the coming years.
Despite these advantages, Wi-Fi is not going away anytime soon. Wi-Fi has a strong established base in most households, and the fact there are no additional costs to connect multiple devices to a Wi-Fi network means that Wi-Fi will likely continue to be used for many consumer and smart home IoT applications over the coming years. In addition, with costs coming down for both technologies, building IoT applications that support both Wi-Fi and cellular connectivity is an increasingly attractive option for developers looking to cover all their bases and differentiate their consumer versus enterprise-level services. However, with cellular increasingly equal to or better than Wi-Fi in terms of bandwidth, cost, coverage and security, many developers who previously might have only considered Wi-Fi for their IoT applications are likely to be looking at, if not switching to, cellular over the coming years.
In 2016, ISACA conducted a survey about how consumers today perceive augmented reality. About 60 to 70% of consumers saw clear benefits in using augmented reality, with about 69% believing that AR could help them learn new skills at work.
Its application in real-world scenarios is rapidly making it an integral tool in every sphere. Mega construction sites are usually a congregation of heavy machines and equipment. A single machine breaking down can hamper the workflow of the entire site, which can take hours or even days to repair. However, AR is reducing this downtime by completely changing the manner in which troubleshooting is done. With AR-enabled devices, technicians can now simply scan the machine with their mobile devices and view the technical issues of the equipment on their tablet or smart glasses — feature by feature — to investigate. AR enables them to see the insides of the machine as a 3D overlay, share the visuals with other teams and determine the solution — all at once.
This is the power of augmented reality that has opened up new realms of possibilities for business owners across the world. This paradigm shift is helping business owners save precious time and thousands of dollars, thereby enhancing their ROI significantly.
Almost every industry is poised to transform with AR. However, there are some prominent verticals that have already integrated AR in their daily workflow processes:
- Healthcare: Healthcare is among the leading industries undergoing a radical transformation as more and more healthcare professionals are using AR tools and technologies to solve complex healthcare problems. Augmented reality is helping doctors examine patients across geographical divides. Doctors can even perform less-invasive surgeries with the help of AR devices, which can also assist with diagnosis and treatment.
- Real estate: Realty and construction is another industry where AR is making serious headway. Instead of showcasing 3D models on 2D screens, architects, designers and engineers can now present their work to clients as an enhanced holographic model. This helps visualize every little nuance of a new space. Instead of poring over cramped floor plans that provide little detail about the value of the space, AR is helping give a more immersive walkthrough to clients and help them in their decision-making.
- Retail: In the retail sector, AR-powered glasses or virtual mirrors are helping customers virtually try on different apparel, makeup and accessories. This method has immense potential, especially in e-commerce, and is already being adopted by several online shopping portals.
- After-sales/customer service: When buying or servicing home or industrial appliances or complex machines, field service representatives often need to resort to printed installation guides that can be tedious. They may even need to consult experts at the office or service center in case of major issues or breakdowns, which can be time-consuming. With augmented reality, field reps can access interactive installation guides where they can see the machine broken apart, making it easier for them to figure out the process. It can also help in connecting with remote experts and following guidelines by overlaying information on a video that both parties can see. This can make field technicians quick and efficient at servicing, thereby saving time and resources for the company.
- Logistics: DHL, the leading global logistics company, has been one of the early adopters of AR. AR-enabled smart glasses help workers by guiding them through the warehouse to pick items for order fulfilment. According to DHL, this has helped the company reduce shipment errors and has allowed for a 25% increase in efficiency. This kind of impact in a modern business can emerge as the key distinguishing factor between close competitors. Field workers can now access a plethora of information, including schematics, videos, workflows, instructions, charts, lists and so on, enabling them to make quick decisions and take action.
- Travel: This is one of the primary consumer-centric segments for using AR devices and systems. Travelers often need information quickly, whether it be about a particular destination, routes, ordering transportation, or restaurant and accommodation recommendations. AR apps are helping travelers access this information. AR apps can bring printed materials to life and even filter and personalize information depending on the current location and requirements of the user. AR can help hotel owners and travel agencies to better engage with their customers by offering special offers, discounts and reward points which can be accessed by scanning their brochures, and ensuring better brand recall and higher ROI on advertising expenditure.
Augmented reality is changing the way we live, work, play and entertain. The next few years will see the rise and rise of AR applications that will make our interactions with the virtual world more stimulating.
From immersive virtual reality training to interactive augmented reality product experiences, mixed reality experiments are making their way from pockets of innovation within corporations to full-fledged programs, that is, if they don’t fall prey to “innovation cannibalism” first.
Companies are under increasing pressure to constantly innovate, often guided by a digital transformation or corporate innovation charter that is mandated by the C-suite, supported by middle management guidance and executed by grassroots “intra-preneurs.” This mounting pressure can serve as both a blessing and a curse for survival. Change agents strive to not only brainstorm the next big idea that will push the company into a new era of technology revolution, but also simultaneously hide their efforts from colleagues and other departments in order to get the glory of being the smartest person in the room.
Hence, innovation cannibalism is born, and virtual and augmented reality (VR/AR, or “XR” as a catchall term for “extended reality”) pilots are its latest victim. Instead of moving the company forward, these competing technology proofs of concept (POCs) ultimately compete for executive budgets and attention rather than operating toward a common goal. Preceded by myriad other bright, shiny technologies under the innovator’s microscope, XR serves as the next tool primed for real market testing and even companywide rollout, if it can make it out of the corporate innovation vacuum.
ARtillry Intelligence projects enterprise mixed reality alone to grow from $554 million in 2016 to $39 billion by 2021. Growth is dependent on both perceived and proven value as organizations look to competitors and other industry best practices in order to gauge potential success. XR is sitting in the sweet spot for corporate innovators looking to reference existing case examples from early adopting enterprises in order to make their case, while still offering plenty of open water to brainstorm that next big idea to differentiate. And the sea of opportunity is indeed wide, spanning both industry and departments in potential use cases to increase efficiencies, improve employee experience and positively impact the bottom line.
In our latest Kaleido Insights report, “Prepare for the New Reality of Super Employees: How VR and AR Technologies Enhance Workforces to Transform the Enterprise,” my co-author Jeremiah Owyang and I detail the top six use cases for enterprise mixed reality (see Fig. 1 infographic below), as well as the challenges encountered along the road to fruition and a checklist of considerations for implementation. From training employees on dangerous tasks in a completely virtual (and safe) environment, to cutting theft of high-ticket item merchandise in-store, organizations are experimenting with reinvention of legacy procedures and methods to future-proof their businesses.
Though these mixed reality experimentations are typically driven straight from a corporate innovation charter and brought to life by innovation teams, labs and outposts, these change agents aren’t the only catalysts of XR testing. Other sparks that set POCs ablaze include:
Middle management pursues efficiencies
In tandem to XR charters led by innovation groups, other typical leaders of mixed reality initiatives rise from useful, real-world applications. When management in more technical roles — like field service, warehouse logistics or engineering production — come across use cases where XR could make their lives easier, they reach out to internal or external resources to begin experimentation. “Our customers are those who are dealing with challenges upfront and see VR as a way to solve a problem,” shared Jakub Korczyński, CEO of VR solution provider Giant Lazer. “These people get VR’s potential the quickest as they envision immediate benefit.”
HR and marketing strive to impress
In an effort to impress current employees and higher-ups, as well as attract new talent, human resources leaders look toward new technologies like mixed reality. The right application will not only draw positive internal buzz, but also help to retain and inspire the existing workforce (while ideally improving their job experience). Similarly, marketing and digital leaders are often enticed by what they see as interesting XR applications on YouTube — even if these applications are not entirely feasible or applicable to the company.
Desire to compete with automation
Augmented and virtual reality enable employees to become “superhumans” in their own right, using these technologies to augment and support their bionic brains. With artificial intelligence and automation posing increasing threats to industrial manufacturing and low-wage employment, many companies are turning to XR to bring employees closer to their robotic counterparts in capabilities. Scope AR’s Co-founder and President David Nedohin explained, “AR is arming employees to compete with AI by putting them in the position to know exactly what to do to complete a task through real-time data and imagery display. Industrial IoT data can initiate the proper workflow, combined with machine learning analysis and AI, to transform employees and help them stay competitive in the workforce.”
Need for increased collaboration
During many internal processes — from product development to training to sales and service — it can be difficult to get multiple busy leaders in the same room for collaboration, especially across departments and geographies of decentralized organizations. The need for easier, more efficient and more frequent collaboration is a common driver of exploring XR’s engaging and immersive environment, where corporations see a valuable investment.
Though many XR pilots are born from corporate innovation programs, among other aforementioned catalysts, these POCs cannot achieve critical mass until supported by the company at large. Executive support is essential in spreading an innovation imperative culturally, as well as greenlighting budgetary allocation and employees toward mixed reality initiatives. Without top-down alignment and goal-oriented prioritization, grassroots XR efforts cannibalize one another in a battle for resources and attention. It takes a comprehensive strategy that examines the impacts and opportunities of all relevant emerging technologies to move mixed reality from catalyzing to testing to fruition.
Download the full research report (note: registration required), “Prepare for the New Reality of Super Employees: How VR and AR Technologies Enhance Workforces to Transform the Enterprise,” from Kaleido Insights’ website.
The benefits of deploying IoT are becoming clearer for many organizations, especially when the use case is identified for a business problem solved with IoT (see my other article for more on that). However, once an IoT technology “sticks,” additional security considerations prior to deployment may not be top of mind — but they should be.
Device security should be incorporated into any design, and IoT deployments are not exempt. The general approach is to use the CIA triad: ensure the confidentiality, integrity and availability of the technology. While there are many debatable concerns around the security of devices, such as smart locks, there also are concrete examples of internet-connected devices posing a security risk with default passwords. The viral video demonstrating how an internet-connected carwash using default passwords can be exploited helps put the urgency of securing IoT devices into perspective. Weak and default passwords on IoT devices and platforms can even put personal safety at risk. When securing IoT devices, seek integration with existing certificate frameworks.
From a reliability perspective, cascading failure is a consideration as well. Consider a smart refrigerator that could run the risk of being “bricked” due to an IoT device failure, misconfiguration, malicious use or bad firmware. If in a hospital use case, unreliable devices could risk ruining a very expensive inventory of medicines that require climate control or even put lives in danger. Device reliability may also be a consideration over time as conditions may change. Temperature and other atmospheric factors, quality of network connection, changes in network equipment and changes in logical configuration (such as routing to the internet) may all introduce small and seemingly irrelevant changes to an environment, but IoT devices may respond unexpectedly to these changes.
From a cost perspective, consider a fixed device removal (and replacement) date or cycle. Just as capital expenditures like PCs and desktops have a three- to four-year life span, IoT assets should have their own asset management cycle. The details of that cycle will depend on factors such as the device, cost and use case, but also consider the process for spare part management, both from a supplier and, possibly, from a private inventory within the organization. A fixed removal date also provides a possible remediation for vulnerabilities that emerge in the future for IoT devices, because updating them may be daunting. Additionally, we should expect that capabilities will increase and costs will decrease for individual devices over time.
While this view on IoT may seem alarmist, a single catastrophic failure or breach could wipe out any IoT benefit. The challenge today is to design with these considerations in place to avoid an unforeseen challenge that wasn’t addressed ahead of time.