• United States



Assistant Community Editor

5 ways to prepare for Internet of Things security threats

Dec 08, 20147 mins
Data and Information SecurityInternet of Things

Excitement over IoT benefits may soon give way to concern over the uncertain security outlook.

For businesses and consumers alike, the Internet of Things is helping create smarter, more efficient devices. For enterprise IT and security professionals, it’s also creating a headache.

Many businesses are eager to deploy smart devices and the Internet of Things (IoT) to capitalize on the many benefits. That excitement, however, may be clouding their judgment when it comes to the security risks. A recent survey of both IT executives and professionals published by cybersecurity company Tripwire found that 63% of C-level executives said they were likely to adopt the IoT to increase productivity and efficiency, while just 27% reported being “very concerned” about the security risks.

On the other hand, just 30% of responding IT professionals said their company is even equipped to determine whether IoT products would be secure in their environment, and 59% of those working in mid- and large-sized businesses said they believe the Internet of Things could potentially become “the most significant security risk on their network.”

If they’re going to be ready for the Internet of Things, IT and security pros will need to understand the risks, as well as what they can do to mitigate them. Here are five places to start.

Don’t underestimate the security impact of the Internet of Things

The Internet of Things has already been targeted in real-world cyber-attacks. In January, security vendor Proofpoint revealed what it called “the first proven” attack on smart home appliances. Upon discovering a botnet involving more than 100,000 devices that helped distribute more than 750,000 emails containing links to malicious software, Proofpoint found that more than 25% of the devices involved in the botnet were not classified as computers or smart mobile devices, including smart TVs and refrigerators.

A more enterprise-focused example emerged in the aftermath of the massive Target breach of late 2013. When it was revealed that the attackers used network credentials stolen from a heating and air conditioning contractor that worked with Target, security researcher Brian Krebs cited sources that pointed to the growing adoption of smart temperature control systems in retail stores to improve customer experience and better manage energy costs.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said, according to Krebs. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

The contractor in question, which confirmed that it was part of the investigation, later denied that it was conducting any remote monitoring. However, Krebs’s speculation shined a light on a very plausible situation, exposing the inherent risks of opening the company network to the IoT. A third-party vendor tasked with managing devices that connect to its network could be the weak link needed for cybercriminals to gain access to their sensitive data. Considering how eager so many businesses are to implement similar smart technologies, this was a hypothetical situation that IT should take to heart.

IT and operations need to communicate when buying, deploying smart devices

Traditionally, businesses rarely had to take cybersecurity into account when buying equipment for the office. But now that many of these traditionally dumb devices are beginning to connect to the Internet, it can only help to keep IT informed of what new technology it might be dealing with.

In an interview with Network World last year, Gartner research vice president Hugh LeHong warned about the influx of smart operational technology, which ranged from high-tech medical equipment to break-room vending machines, which IT previously didn’t need to worry about. In the new reality of the Internet of Things, IT will need to be involved even when the company is considering a new vending machine.

“CIOs need to get an understanding of this. Even if they are not going to own the vending machines, they need to worry about things like that,” LeHong says. “That’s what we mean by convergence. OT and IT can’t sit in separate worlds anymore. They need to discuss things like governance, security, software licensing and maintenance.”

Keep track of software updates for smart devices

As IBM global lead network architect Kirk Steinklauber wrote at IBM’s Security Intelligence blog last month, “if we already have trouble today keeping our computers, smartphones and tablets updated with the latest version of code, won’t it be a nightmare trying to keep these millions of devices updated and free of security bugs?”

This applies not only to the device at hand, but also the applications used for controlling them, which could be deployed on any number of devices used throughout the company.

This reinforces the importance of cooperation between IT and operations when deploying the IoT and smart devices. IT should set strict processes and protocols to account for the software that will accompany any new smart devices. As many learned after employees started using their personal smartphones to access corporate data, trying to account for a diverse set of devices and their software bugs is much more difficult once they’re already in use.

Educate end users on the risks

Some organizations may be exposed to the Internet of Things against their will. Responding to Tripwire’s survey, about 75% of both remote workers and IT personnel said they access corporate documents on their home internet networks, which is a problem, considering Tripwire claims that between 25% and 50% of those same groups reported having at least one smart home device connected to that same network.

It’s not hard to imagine what could happen from there. Tripwire’s report cited the notoriously vulnerable USB port as an example. It’s used to charge any number of personal electronics, and could be the entry way for a strain of malware that could make the leap from an employees’ home to a corporate network.

Aside from bolstering its internal protection against malware, there’s little the enterprise can do to mitigate this risk aside from alerting employees to the threat they may be presenting with their remote working practices. If nothing else, IT will need to reinforce the importance of using the many tools that separate personal devices and data from corporate data.

Educate IT on the nuances of the IoT

The IoT is still in its early stages. Dozens of major tech companies are still trying to figure out which standards make the most sense, and no major platforms have arisen, as iOS and Android did in the mobile space. This combination of competing forces has made for an ecosystem that even established IT professionals will need to learn how to handle. Cisco acknowledged this in October when it announced a new consortium including educational institutions and recruiters aimed at helping established IT professionals develop the skills to handle the new challenges of security in the Internet of Things.

Of course, it’s been just two months since Cisco even announced its new educational initiative, so the IoT remains an unsettled area of IT in terms of skills. For companies that are not yet equipped to address all the security issues of the IoT, the best approach may be to wait until it’s easier to handle.

Assistant Community Editor

Colin Neagle manages blogs for Network World, including but not limited to those published on the Cisco Subnet, Microsoft Subnet, and Open Source Subnet. He also writes feature articles and blog posts about emerging technologies, among other things, and he usually doesn't write about himself in the third person, so please don't judge him by this bio.

More from this author