The Myths of IoT Security
Conventional thinking about cybersecurity focuses on a basic concept: lock down every computing device in sight in order to keep out hackers, attackers and thieves. However, in a highly connected world—where a multitude of sensors, devices and systems feed data to one another—the concept is obsolete.
In case you haven’t heard, the Internet of Things is upon us big time. IDC forecasts that there will be 41.6 billion connected IoT devices by 2025. “There are simply too many devices and there are no boundaries,” explains Jamison Utter, senior business development manager for IoT at Palo Alto Networks.
What does this mean for your enterprise? If you’re stuck in the traditional approach to security, it’s time to reboot your security initiative to reflect a borderless computing environment. “The IoT is very different from IT,” says Renil Paramel, co-founder and senior partner at IoT consulting firm Strategy of Things. “It’s important to focus on the network and the overall data environment rather than the specific device.”
Here are five myths of connected security and how your organization can conquer them.
Myth #1: The IoT is simply the next phase of IT security. Nothing could be further from the truth. Connected devices and systems represent a more decentralized approach to computing—and cybersecurity. For IT teams, the move to the IoT requires a massive conceptual leap as they are no longer the buyer or device owner.
“The problem is that IT teams are trying to use the same tools and approaches they’ve always used to create Fort Knox,” Utter explains. “They are approaching a business problem as an IT problem. The IoT isn’t about laptops and smartphones. It’s not about securing user networks. It’s an entirely different world that revolves around securing business processes and data.”
Enterprise leaders who truly understand the IoT recognize that if they embrace a more holistic, data-centric approach, they can simplify cybersecurity rather than make it more complex.
Myth #2: IT should oversee IoT security. When the IT department is in charge of IoT security, an organization usually winds up throwing conventional tools, technologies and approaches at the task. This one-size-fits-all approach frequently produces disappointing results. The IoT extends beyond the boundaries of conventional computing systems. Data resides on different devices inside and outside a business and flows across many more touchpoints.
But there’s another, sometimes bigger, problem. Because the IoT spans teams, departments and organizations, it’s easy to wind up with a siloed approach to cybersecurity. In some cases, different groups addressing security may duplicate efforts or even inadvertently use methods that conflict with one another—and ultimately leave an organization exposed.
Alignment between IT and cybersecurity teams is even more critical in the era of IoT. This requires close cooperation among CIOs, CSOs and CISOs. “You really have to conduct an analysis, identify all your assets and understand how, why and where data is used. Only then can you design a framework that is optimized for the IoT,” Paramel says. This may require hiring or retraining people with the right skill sets and expertise.
Myth #3: Conventional security tools and strategies will protect us. The castle and moat approach to cybersecurity can actually undermine IoT security. Malware protection and other legacy tools, while still valuable, weren’t designed to manage data streaming across sensors, edge environments and advanced multipurpose devices.
This doesn’t mean an enterprise should eliminate these protections–it just needs to use them differently–and add new capabilities as they become available. For example, this might lead to data encryption in transit or network monitoring tools that identify when data is specifically at risk. It could lead to establishing separate networks for different types of data. Then, even if someone hacks a device or a system, they may fail to obtain anything valuable.
Paramel says that once an organization fully understands how data is used across an IoT platform, it can assign the right protections, including a governance model, practices, processes and tools. This may range from endpoint and network monitoring to encryption in motion and even more advanced machine learning and artificial intelligence methods.
AI can find IoT devices on a network (including previously hidden devices), ensure that they’ve received critical updates and security patches, and identify other potential issues. Machine learning can place IoT devices in groups based on security risks while eliminating the need for additional security software and manual processes. This approach also lets you know when devices are performing “normally” or “suspiciously” through risk scores, and it aids in IoT policy enforcement.
Myth #4: It’s all about protecting the device. Applying conventional IT security thinking to the IoT opens up another trap. IoT security requires a broader approach that encompasses network authentication, connectivity, clouds and more. “It’s time to stop thinking of IoT devices as little PCs. Most of these devices are simple and dumb,” Utter says.
Thousands or tens of thousands of IoT sensors and devices make it impossible to secure each one individually across a smart enterprise, supply chain or city. While it’s critical to protect a medical device or automobile from hacking, many connected sensors and devices have read-only components that can’t be compromised. As a result, enterprise IoT protections must revolve around more complex relationships involving systems and data.
“You really have to start with the basics,” Utter points out. “That means establishing a zero-trust framework.” In this new order of the IoT the network is the thing—and all the sensors, devices, systems and data must be viewed holistically. “By classifying data, establishing zones, and whitelisting applications and processes it’s possible to identify the right protections and tools for the right task,” he notes.
This means moving away from a traditional model of putting all sensors and devices on the same network, for example. Instead, an organization may benefit by organizing assets by business task, data security level and trust level and then creating network nodes, compartments or zones along with tools and protections that match security requirements.
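The zoning idea above, as an added example that is not from the article or the people quoted in it: assets are grouped by business task, data security level and trust level, and observed flows are checked against a default-deny allowlist between zones. The inventory, addresses, zone labels and port are all constructed for illustration.

```python
from collections import namedtuple

# Constructed inventory: every name, address and attribute here is hypothetical.
Asset = namedtuple("Asset", "name ip task data_level trust")
INVENTORY = [
    Asset("hvac-sensor-01", "10.20.1.11", "building", "low", "untrusted"),
    Asset("hvac-gateway", "10.20.1.1", "building", "low", "managed"),
    Asset("infusion-pump-07", "10.30.1.7", "clinical", "high", "managed"),
    Asset("clinical-broker", "10.30.1.1", "clinical", "high", "managed"),
]

def zone_of(asset):
    """Zone label built from the three attributes the article names."""
    return f"{asset.task}/{asset.data_level}/{asset.trust}"

# Permitted flows: (source zone, destination zone, protocol, destination port).
# Anything not listed is denied, which is the zero-trust default.
ALLOWED = {
    ("building/low/untrusted", "building/low/managed", "tcp", 8883),
    ("clinical/high/managed", "clinical/high/managed", "tcp", 8883),
}

def evaluate(flows, inventory=INVENTORY, allowed=ALLOWED):
    """Return (flow, verdict, reason) for each observed flow record."""
    by_ip = {a.ip: a for a in inventory}
    results = []
    for flow in flows:
        src, dst, proto, port = flow
        s, d = by_ip.get(src), by_ip.get(dst)
        if s is None or d is None:
            # Unclassified devices get no implicit trust.
            results.append((flow, "deny", "unknown asset"))
            continue
        src_zone, dst_zone = zone_of(s), zone_of(d)
        if (src_zone, dst_zone, proto, port) in allowed:
            results.append((flow, "allow", "allowlisted"))
        else:
            results.append((flow, "deny", f"{src_zone} -> {dst_zone} not allowlisted"))
    return results

# Constructed flow records: (source ip, destination ip, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.20.1.11", "10.20.1.1", "tcp", 8883),  # sensor to its own gateway
    ("10.20.1.11", "10.30.1.7", "tcp", 8883),  # building sensor reaching a clinical device
    ("10.30.1.7", "10.30.1.1", "tcp", 8883),   # pump to the clinical broker
    ("10.99.0.5", "10.30.1.1", "tcp", 8883),   # device missing from the inventory
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate(SAMPLE_FLOWS):
        print(verdict.upper(), flow, reason)
```

The second and fourth flows are denied even though the port matches, because the decision is made on zone membership rather than on the individual device.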
Myth #5: Vendor security protections are critical. The prevailing mentality is that vendors must build strong protections into their products. What’s more, if there’s a patch a user must install it post haste. Alas, this is a flawed concept in the age of connected devices, Utter says. This isn’t to say that security shouldn’t be built into products; it’s that an enterprise shouldn’t consider IoT device vendor security a primary form of protection.
That is because many sensors are merely “dumb endpoints” that wind up replaced rather than patched, Utter points out. Even when they are more sophisticated devices, “Most organizations deploy IoT components and never upgrade or patch them.” Part of the problem is that firmware patches and upgrades become a nightmare with thousands of connected devices.
The takeaway? “Security on the device becomes a lot less important if you have data controls and network controls in place,” Paramel explains. “The IoT demands a more comprehensive overarching strategy that spans device vendors.”
In the end, locking down the IoT doesn’t have to prove tortuous. However, it does require the right expertise—and an understanding that the conventional approach to cybersecurity needs to adapt. When executives understand this reality, they can skew decisions and budgets accordingly.