We can all agree Internet of Things security is a problem, but how big of a problem is it?
A recent Deloitte survey stated that, for 40 percent of security professionals, IoT security was the single most significant threat to their organizations in the next year.
But we have reached a point with Internet of Things security where it is more productive to understand the ecosystem of security technologies and how they can work together for a given application said Aaron Allsbrook, chief technology officer of ClearBlade at a recent panel discussion at Channel Partners in Las Vegas. “I think people are appropriately scared at this point,” he explained. “I am optimistic around it. The bar has now been raised.”
A recent survey of executives with active IoT deployments from IoT World shows 61 percent of them are either creating an IoT security policy or currently enforcing one. “The biggest thing that I have seen evolve over the past few years [with respect to IoT security] is the recognition that the problem exists,” said Syed Zaeem Hosain, chief technology officer of Aeris in the panel. “It is something that 10 years ago, many people ignored. But now, the concept of ‘security by design,’ which I’ve been talking about for the past 10 years, is finally sinking in.”
A related trend is that a greater number of IoT vendors and security companies are beginning to partner to address specific threat models for given IoT deployments. Vendors are also partnering to determine how, for instance, cloud companies, silicon manufacturers and so forth can address IoT security jointly and how they can stay ahead of evolving threats. “In general, I find that people are afraid, but I think we can connect the dots,” Allsbrook said. “We are not naive enough to think that what we are doing today is going to be good forever.”
[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]
Connecting the IoT security dots can still be challenging in many cases, said Steve Brumer, partner at 151 Advisors in the panel. No single security technology can thwart all attacks, so most organizations deploy multiple technologies. But deciding which to choose and how to integrate them can be daunting. “Whose products do I install? Do I look at [embedded] SIM scenarios? If I am deploying [several] security products, what dashboard is it showing up on?” Brumer asked.
There is still a need for considerable education — for all players — involved in the IoT security landscape, Brumer stressed. “We also need to educate vendors. Vendors need to educate us on what IoT security is, and customers need to be educated by all of us,” he explained.
That education will help organizations identify what their risks are and what options are available to address them.
“You have to understand the consequences of a breach,” Hosain said. It is one thing to have a hacker gain access to a single temperature sensor. It’s another if they can control a car traveling down the road at a high speed. “You could have a violation of an oil and gas facility or water treatment infrastructure where you are affecting tens of thousands of people,” he added. “You have to understand what the breach is and then you can figure out how much money it takes to try to prevent that kind of a problem.”
It is vital to also develop an IoT security strategy that scales. “Any device you have today, you have to be able to update it in some way, shape or form,” Hosain said. “Once you deploy millions of devices, you are not going to be able to touch them. You don’t want to have a security approach that requires a human touch. You want to design it up front to be able to fix it. If you do that, you’ll survive the repercussions of a breach much better.”