In the first in our series of articles on aspects of IoT tipped to be hot in 2018, we examined the growth of edge and fog computing. In this second feature, we look at security – and it’s hardly surprising that IoT security features highly in many predictions, with most of those forecasts pretty grim. So we’re going to look on the bright side and see what’s coming up in 2018 that might alleviate some of these problems.

But first, the bad news. Whatever security weaknesses exist in IoT, and there are many, they will be exacerbated simply by the growing scale of IoT: every connected device represents a potential vulnerability.

IoT aside, there are predictions of doom and gloom aplenty about cyber security that will impact IoT as much as the rest of the IT ecosystem. These include, to name but two:

  • Commoditisation of malware components enabling hackers with minimal skills to assemble and execute attacks
  • The growing use of artificial intelligence and machine learning by the cybercrime community to craft effective attacks and to reduce the time taken from penetration of a system to exfiltration.

Government intervention

So where’s the good news? One prediction that would be good news if it came to pass is that growth in botnets such as Mirai, driven by compromised low-cost and insecure IoT devices, will force governments to regulate IoT device manufacturers, starting with consumer-grade devices. Many of these have poor security, made worse by end users not knowing how to implement whatever security features they have.

There is certainly pressure for this. A couple of months ago we reported IT security company Gemalto calling for such regulation in the wake of a survey it had undertaken that, it said, revealed widespread support for government intervention.

And back in August we reported the IoT Alliance Australia examining the possibility of a voluntary security ‘tick mark’. Meanwhile, in the US, a bill had been put to the Senate that would require government approval for IoT devices bought by Government.

None of these initiatives are likely to do a great deal to increase overall endpoint security in the short term, which leaves detecting a compromised device and neutralising it before it can do any harm as the next best option.

Monitoring operational technology

A number of companies are developing products along these lines but one of the biggest challenges is that, in order to detect that a device is doing something wrong, they need to know what normal behaviour looks like, which means gathering and feeding into the security system details of an enormous number of devices.

One such company, Indegy, has been named IoT Security Solution of the Year by UK magazine Computing; a Cyber Security Leader for 2017 by the US Cyber Defense Magazine; and a ‘Cool IoT vendor’ by Gartner.

Indegy’s technology is specifically directed at operational technology, used to monitor and control critical infrastructures such as energy, water, petrochemical and manufacturing.

The nexus of OT and IT has been identified as one of the greatest areas of concern for those charged with securing corporate networks. As IoT gathers momentum, OT devices are increasingly being integrated into corporate networks, but there is great diversity of technologies and protocols, and many OT systems have been in place for years.

Indegy says its platform “detects anomalies, malicious activity and unauthorised access, including logic changes, configuration changes, and firmware uploads/downloads made to process controllers like PLCs, RTUs, and DCS controllers.”

Securing end points

Of course, the ideal solution is to prevent the bad guys getting access in the first place by making those end points more secure, and to that end Cog Systems, a startup we reported on recently, holds great promise.

The company has already produced a hardened smartphone that has been snapped up by the US Government and has just raised $3.5 million, money it says it will use to “expand the company’s D4 Secure Platform from mobile phones to other internet-connected devices, including the estimated eight billion [IoT] devices that are currently at risk.”

However, it has given no details of how much cost this would add to a device or what functionality the device might need to support its D4 secure platform: two factors that contribute to the insecurity of many IoT devices.

In a blog post commenting on the proposed US legislation – which he saw as being ineffective even if it became law – well-known IT security expert Bruce Schneier said: “Our biggest IoT security risks will stem not from devices we have a market relationship with, but from everyone else’s cars, cameras, routers, drones, and so on.”

He saw little prospect for improvement. “We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety—and we security experts aren’t a large enough market force to make a difference.”

And concluded on a note of desperation: “We need a plan B, although I’m not sure what that is. Email me if you have any ideas.”

25 leading IoT security companies

Plan B could well be healthy growth in an IoT security industry developing and marketing technologies designed to detect and protect against threats launched from those billions of easily compromised IoT devices.

Not surprisingly, then, there is a growing ecosystem of companies focussed on IoT security, comprising startups and established vendors adding IoT security to their product portfolios.

The IoT Institute recently published a list of what it said were the 25 leading IoT security companies, saying “criteria for ranking included firms’ degree of focus on enterprise and industrial IoT security and the innovation and market traction of their product offerings.” The 25 are not ranked; they are simply listed alphabetically.

Nevertheless the list demonstrates the level of activity and the diversity of approaches to IoT security, which is hardly surprising given the scale of the problem and the growing importance of IoT.

Will these and other vendors manage to reduce the number and impact of incidents like Mirai in 2018? Unlikely. The development of security tools is often reactive and their uptake invariably lags the escalation of cybercriminal activity.