By Joyce Deuley
Day one of the conference in Vegas seemed to kick off right with the IoT Security Summit session series. I sat in on three panels that discussed the inherent vulnerabilities that exist when connecting all parts of the rich, diverse IoT ecosystem and how we can overcome them from soup to nuts—or should I say from hardware to Cloud? Any good security buff knows there is no perfectly secure anything—give someone enough time and he or she will find a way to get in, usually through an overlooked weak spot. That’s why it’s so crucial to rely on multi-layered approaches to security when considering a deployment of any kind in IoT.
The first session, “Protecting and Defending the Edge,” kicked off at 1pm and was moderated by Clay Melugin, Sr. Partner for RMAC Technology Partners. Joining him were Kenneth Lowe, Director of Business Development for Gemalto, and Vince Ricco, Business Development Manager of the Technology Partner Program for Axis Communications. Ultimately, the panel covered the need to protect billions upon billions of devices from serious attacks and examined the ins and outs of developing, managing and securing edge devices in an IoT network.
Bottom line: Encryption is not enough. The need for crypto cards and double crypto cards was discussed, as was the need to ensure that each device on the network has some level of encryption upon deployment and that updates or patches can be easily deployed with very little down time or manual labor. But that’s only one piece of the puzzle: What happens when companies deploy devices that have malware or viruses pre-installed on the device? If devices are compromised at the chip-level, how are businesses able to protect themselves from liability and vulnerability after a deployment? Building security into deployment and validating firmware prior to deployment can help companies avoid unnecessary risk; additionally, conducting routine risk analyses and penetration testing each quarter can help ensure that future attacks/risks are mitigated prior to a security breach.
Whether the challenges in implementing security measures into an IoT deployment revolve around a lack of consideration of liability, the economic impact of downtimes, or the potential increase in time to market, one thing is clear—locking the door, but leaving three windows open isn’t security. Companies need to invest in multiple layers of security that are cost effective and reflective of the value of the assets they’re trying to secure.
The second session, “The Core of Securing Networks”, was also moderated by Melugin, who was joined by panelists Rohini Pardi, Sr. Product Manager for PubNub, and Matt Ramsay, VP of Business Development for Accelerated. The discussion revolved around whether the Cloud is a private or hybrid network, how companies connect edge devices, gateways, core and Cloud while minimizing and avoiding weak links, as well as deploying networks, managing IDs and protecting the network from hackers.
Pardi kicked off this session with an introduction on the data stream network, PubNub, and how the “Internet speaks PubNub” while providing developers with a way to send information in a globally secure way. Ramsay then followed up with how Accelerated operates in IoT security and noted the paradigm shift between connectivity and security. Ramsay also stated that metadata has become more powerful than the Internet.
Challenge in Securing IoT Networks
According to Ramsay, it isn’t enough to have smart connected devices; these devices also need to be connected smartly, with security steps in between. Which steps are taken matters less than knowing what is needed and having a layered approach. Pardi encouraged the audience to look at it holistically, noting that these “amorphous clouds” (network layers that touch edge and internal devices, as well as data collection, aggregation and device control) aren’t “open in bound parts.”
Do Customers Talk About Security?
Pardi answered that yes, customers talk about security, but mostly in the context of privacy. However, PubNub manages quite a bit of customer data and doesn’t want to see any of it—they want the payload to be encrypted, but suggest that customers use tags/metadata outside of the encryption, while the bulk of remaining info is untouched.
Risk Presented to Growth of IoT Market?
Ramsay said that security would be instrumental, and become a critical factor within the next five years. As more devices are connected, there are more opportunities for breaches to occur, which will then spark innovation and a battening of hatches, so to speak. And, as this goes on and more sensitive information is shared, the need to have strong security layers will be imperative for companies of all types.
How Do We Get Security out of Today’s Network? What Outside Elements are Required?
According to Ramsay, we can’t always influence a network—we can’t always control what goes on. In fact, we shouldn’t worry about that, not if we are using multi-layered monitoring: wireless/fixed/wired. We can’t continue to depend on the network for security or continue to rely on security through obscurity. It isn’t enough anymore now that there are multiple access points to a network through edge devices. More needs to be done. Pardi stated that encryption is dependent upon the links in the chain: if part of it is open, then there are so many points where data can flow back and forth. Risk depends on the application and where the data has been.
Additionally, encryption isn’t enough, since patterns in traffic can be determined and quite a bit of metadata can be gleaned from pattern recognition. So, the network security requirements to transport data should start with NIST standards, and continuous vulnerability testing of products and risk analyses should be conducted regularly.
The final session for the Security Summit was “Security at the Top”. This discussion covered enterprise challenges with BYOD policies and whether the use of web apps posed additional threats to security, as well as whether applications could be “locked” and not be used as gateways into an enterprise network. Melugin also moderated this panel, made up of Godfrey Chua, Principal Analyst for Machina Research, and Tim Hahn, Distinguished Engineer for IBM.
The IoT has amplified attack surfaces and has put security into a broader context. There are several foundational areas of the IoT that have been affected:
—Industry Transformations: evolve new business models
—Applications & Solutions: mask complexity and reduce risks
—Platforms: build and manage IoT solutions
—Device Networks: connect devices into platforms
In order to secure each of these levels appropriately, we need to use different “locks” for different products, applications, solutions, etc. The security of each is directly related to its value. From a design and manufacturing perspective, we need to ensure that a company has secure engineering practices, designs for privacy, tests for security and continuous delivery, all while preserving integrity.
Successfully reducing risks in IoT deployments requires that OT and IT departments cooperate and recognize that the responsibility (and liability) for security is a shared one. As IoT systems continue to demand rapid, easy-to-upgrade/install updates cost effectively, we will see more collaboration and innovation across the stack. Additionally, operating within closed systems, or heavily monitored systems, is another way for companies to mitigate breaches. Making security a priority across multiple departments and implementing layers to cover as many gaps as possible will help separate concerns and can better mask vulnerabilities prior to being attacked.
While having such a security-centric summit at the beginning of the conference included some heavy discussion, it was an intensely rewarding experience. There was plenty of audience participation and each session was packed: so much so that the hotel staff had to bring in more chairs to accommodate the audience. I am confident that the IoT Evolution conference next year will have a similar summit with even more impactful panel discussions and dynamic views on the future of security in the IoT.