This post first appeared on Risk Management Magazine.
To build an effective security strategy for the internet of things (IoT), we first need to understand the value of the data that is generated. The ability to use data, collected from a variety of locations and sources, to drive decision making is a key asset of the IoT. This valuable data will help organizations to innovate, solve customer problems and reap the financial opportunities that IoT promises. But with that value creation comes the need to protect its value.
As IoT adoption increases, the natural question becomes: How do we secure it? To understand an effective security strategy for IoT, three important elements should be considered.
- Security must be an enabler. IoT will bring scale, and that scale will drive management costs and new complexities that will immediately put strain on security, data protection and privacy. Unless security is built in from the beginning, solutions will quickly evolve to meet business needs and security will be left behind.
- Every piece plays a part. Every component of the solution has a minimum security level. Things must have security, data protection and privacy built-in. The networks that connect and manage those things must pick up the slack on security by having higher levels of resilience and knowledge about things. The data consumers must robustly protect privacy. Every part of the system has a role to play.
- Everyone needs to get into the act. Who is deploying IoT in your enterprise? Is it your facilities management people, your value chain organization, or your lines of business? This is no longer “just” an IT security conversation. Multiple stakeholders are making decisions about deploying IoT projects, which means everyone needs to be thinking about security.
It is bigger than securing a “thing” within IoT; it is about building resilience for the whole system. Cyber resilience is about managing risk: identifying potential risks, evaluating the likelihood of them occurring and their negative impact, and deciding the appropriate actions to take. The challenge is that organizations deploying connected things, or extensive IoT projects, are faced with multiple component vendors that utilize disparate security methods. These inconsistent approaches are giving cybercriminals more opportunity to compromise networks and systems and steal valuable data.
Customers need to demand resilience practices from their IoT vendors; they need to set the bar for a core set of requirements that address critical security, data protection and privacy needs. The following practices will not entirely eliminate cyber risk, but when used together they create resilience to the risks and will build a formidable defensive posture to significantly reduce the impact of threats.
- Secure development lifecycle (SDL): Building a trustworthy and secure product means building in security starting at the design and development phase. It includes methods like threat modeling, to help understand and prioritize risk within a system. The SDL should also include penetration testing, proactive attempts to break into products and services to identify weaknesses and vulnerabilities in order to develop better protections against attack.
- Change default or weak passwords: Attackers often use the simplest methods to penetrate a system. Default passwords provide easy entry for an attacker when scanning for targets. It is important to require all users, including administrator accounts, to have strong passwords. Ideally, multifactor authentication should be used to secure user credentials.
- Ensure secure firmware and the latest OS updates: Connected devices within the IoT contain firmware, embedded software that provides control, monitoring and data manipulation of products and systems (e.g., sensors, traffic lights and security cameras). It is crucial that each device in an IoT system has the latest and most secure firmware and operating system updates.
- Data privacy: As data is a key enabler of IoT success, it must be planned for, managed and responsibly protected just as any other critical business asset. The SDL process should include “privacy by design” principles.
- Secure communications and authentication: As IoT project adoption accelerates, technology vendors need to carefully evaluate and streamline methods for device communication and authentication. One aspect of security is safeguarding the integrity and confidentiality of IoT data and the other is the authentication of each device placed within a network (i.e., verification of the security posture of the devices and authorization levels of the users before they are allowed access).
- Product security incident response: While all of the above are important, inevitably security risks will arise that need to be mitigated after the fact. It is critical that every vendor in the IoT system have a responsive, easily reachable product security incident process. This process must clearly communicate with impacted users, be responsive to security researchers and customers alike, and ensure timely, complete resolution to what are often complex security issues.
These cyber resilience practices are the start of a good security posture and should be considered whether or not IoT is involved.
Now is the time to really amp up security and privacy by design at the endpoint device level. Customers must demand more of their technology vendors. Manufacturers should establish and adhere to baseline security requirements. Developers should be trained to design with security and privacy in mind. Even venture capitalists should play a role by asking hard questions about security, privacy and data protection before funding startup projects. As an industry, we need to form a common vocabulary that will enable buyers to compare products side-by-side from a security point of view. As with nutritional labels for food, without common terms, comparisons are extremely difficult.
But what about IoT devices already deployed? According to Gartner, 8.4 billion connected “things” will be in use this year, a 31% increase from last year. Even if we dramatically upgrade the security capabilities of future devices, that does not help the billions of devices currently on the market protect themselves against attack or against being used as a vector of attack.
This is why it is important to keep your infrastructure up to date against the current level of cyber risk and upgrade when it no longer has the capabilities needed to be resilient. Outdated components and software provide an opportunity for attackers to breach networks, as in the recent WannaCry ransomware attack, increasing risks for unpatched machines as well as some legacy operating systems that are at their end of support. The costs of ignoring the problem of aging infrastructure can be devastating, risking lost data, revenue and customers.
Ultimately, IoT security is about more than risk mitigation: by providing a solid and secure foundation, it can enable growth and allow businesses to more quickly meet their goals.