The insecurity of Internet of Things (IoT) products is a common bon mot, but plenty of the biggest security problems are also the result of companies not knowing what they’re doing, members of an expert panel have warned.
“People aren’t consciously aware of what they are actually connecting” when they install much-hyped solutions,” BlackBerry Cylance ANZ country manager Jason Duerden noted during a panel session at this month’s IoT Festival in Melbourne. “So probably the biggest question we are facing is how we can practically bring that into general society.”
The operational nature of IoT sensors, which were often being deployed to provide visibility of remote equipment controlled by programmable logic controllers (PLCs), often results in security configuration delegated to remote maintenance staff who “don’t necessarily have any expertise” in security, warned George Cora, CEO of IoT consultancy Ardexa said.
“You can’t expect these remote guys who mow the lawn or fix turbines to know this stuff,” Cora said.
Even where security was considered, companies were often losing sight of just how vulnerable their legacy systems are – and assuming they can be protected by wrappers to improve their accessibility.
This approach is fraught with problems, Cora warned: “If you are going to throw a PLC on the network, remember that most of these solutions allow you to read and write to locations – and that a 40-year old protocol is not going to do anything, or let you put a TLS or HTTPS server on it.”
“From a security perspective that’s about as bad as it gets.”
Many companies were compromising IoT security by adding network-capable devices and exposing them to the Internet and certain compromise, Duerden warned.
Fixing that issue was a key reason to use the cloud “as an intermediary to manage access to the devices”, he added.
Yet even well-meaning companies were struggling to maintain compliance with industry governance requirements as they faced up to fundamental security problems.
Certification of devices as secure – especially crucial in government deployments – can be lost when a single security patch is applied.
“It reminds me of 1998,” said Lani Refiti, CEO of IoTSec Australia, noting that “IoT means engineering – but some of the companies that build IoT are really horrible at engineering.”
“Once you apply one patch, it loses accreditation – but you can’t do that because you need to patch every day. It is quite counterproductive.”
The difference between intention and execution had been particularly pointed in local governments that are actively pursuing smart-city initiatives – often to their own chagrin.
“People who work in government are very passionate about their communities and delivering outcomes,” said Cora, “but their resourcing is fairly poor even in terms of technology process.”
“They’ve got vendors that are selling to them, big monolithic platforms and many of those would be shelfware within two-three years. This is, basically, because they’re looking to buy an outcome as opposed to developing one.”
“At the end of the day it’s caveat emptor,” he added. “Make sure your choices are good ones.”