Securing the Internet of Things: 5 Easy Pieces
Purpose-built devices have security-critical vulnerabilities to the same degree that everything else does. A few things are different: First, manufacturers may not have the same kind of vulnerability reporting and response channels as, say, an operating system or application vendor would. Second, these devices are often closed architecture with a nontransparent and often proprietary code base.
The Internet of Things has been receiving quite a bit of attention. Definitions vary, but at its core the concept is a simple one: Extend computing and data-processing capability to the physical world around us. The earliest manifestations of this are starting to be seen already in the growth of smart devices: televisions, automobiles, appliances, electric meters, etc.
Certainly, one can imagine numerous scenarios in which our businesses can be streamlined through strategic application of this concept: dynamic inventory management; self-diagnostic capability for appliances (e.g., refrigerators); better logistics; increased efficiencies resulting from better telemetry; and so forth. These advantages promise rapid and prolific adoption as implementation comes to fruition.
However, there are also serious ramifications for security and privacy. For example, 51 percent of respondents to a recent global survey planned to capitalize on the Internet of Things -- and 45 percent believed it had already impacted their enterprises. The top governance-level concerns were related to security and privacy. Specifically, "increased security threats" were cited by 38 percent of respondents, followed by data privacy, which was a top concern of 28 percent of respondents to the ISACA 2013 IT Risk/Reward Barometer.
Gearing Up for IoT
Still, there have been IP-connected, closed architecture, specialized devices in the scope of many security programs for quite a long time. Consider the role of point-of-sale devices in retail, diagnostic modalities in healthcare (MRI machines and the like), and industrial control systems in energy and manufacturing. While wildly different in functionality and implementation, these devices have common aspects that can help shed light on the security challenges ahead as more and IP-connected, purpose-built devices come online.
These historical challenges can serve as a touchstone to prepare for the emergence of the Internet of Things. We can't solve all of them now -- there are too many unknown unknowns -- but anticipating now what capabilities we might need as smart devices become more prevalent has a few advantages. It can give us a leg up if enterprise use amps up quickly, as it is likely to, and also help insulate organizations against risks during early adoption, when guidance and standards are still emerging.
Although securing the Internet of Things is a work in progress, there are a few security capabilities to develop -- or hone, if they're already in place -- in order to prepare. These are things you can do today that have benefits right away but that also will be critical as IoT develops and smart devices proliferate.
Capability No. 1: Threat Awareness/Intelligence
Purpose-built devices, no matter what they are, have security-critical vulnerabilities to the same degree that everything else does. A few things are different: First, manufacturers may not have the same kind of vulnerability reporting and response channels as, say, an operating system or application vendor would. Second, these devices are often closed architecture with a nontransparent and often proprietary code base.
Thus, there will be varying degrees of transparency when it comes to vulnerability reporting. For example, some manufacturers may initially downplay the impact of vulnerabilities or be slow to report them. Having internal analysts with their ear to the ground for vulnerabilities in these devices --- and a process for rapidly reporting what they find -- can help expose vulnerabilities earlier than if the sole alerting mechanism is manufacturer notification. Likewise, tracking the tactics of attackers will help expose attempts to actively exploit these devices.
Capability No. 2: Inventory Management
As most security pros know from cloud and virtualization efforts, retroactively creating inventories of a rapidly expanding technology footprint is challenging. As previously unconnected dumb devices start to come with built-in network and computing capability, knowing what and where those devices are will be important.
Put those two things together, and it's probably a good idea to start tracking what they are, where they live (to the extent they're non-portable), and who's responsible for them. It's easier to start now while the problem is small than it is to wait and retroactively attempt discovery once usage proliferates.
Capability No. 3: Application Security
If you're a manufacturer producing a smart device, it behooves you to minimize the number of issues you have to fix once its in customers' hands. Likewise, if you're a consumer, it's helpful to understand the underlying protocols these devices use to interact.
Both require expertise in understanding how applications operate and interact: how the protocols operate; how security defects or misconfigurations arise; how other components are likely to impact the applications running on these devices; etc. These skills are forged in the subdiscipline of application -- that is, software -- security.
If, like many shops, you've underinvested in this arena in the past, starting to build some strength here might be a smart move.
Capability No. 4: Vendor Governance
Though it might not seem immediately apparent, securing the supply chain can be particularly critical when it comes to securing purpose-built devices. There are a few reasons. First, the practices of manufacturers (for example, their ability to build a hardened product) play a role. Second, implementers and VARs can leave configuration or other errors in deployment.
Lastly, maintenance and support may require granting access to external parties so they can troubleshoot and provide that support. Building a capability to assess these external parties in the supply chain can give you some transparency and help you assess the level of risk these situations might introduce.
Capability No. 5: Business Integration
All of the above capabilities require, at their core, one central thing to be effective: namely, knowledge of how an organization is employing the Internet of Things as part of its broader strategy. To get this, you need some knowledge about what the business is doing -- ideally, as rapidly as possible.
Being out of touch with business efforts has never been a good way to operate, but it's particularly risky now. Business stakeholders might not think to come to IT when making purchasing decisions about previously unconnected devices that now host both networking and computing capability.