Some security pros believe that Congress should get involved to develop regulations and oversight over device manufacturing. “If something happens, and your device is being used by a nation state, whether part of a million devices or just one, are you liable? Is your ISP liable? Your manufacturer? Congress needs to put out regulations and guidelines for these manufacturers,” Harvey says.
On the ISP side, Harvey takes issue with today’s DNS architecture. “I don’t understand why ISPs and other organizations that provide internet access are not putting in a more geographically diverse DNS system,” he says, adding that he is not familiar with Dyn’s specific architecture. “DNS by nature is supposed to be fault tolerant” with two IP addresses assigned to a single device, for instance, but oftentimes both IP addresses are reconciled to the same data center, he says. With today’s DDoS threats, “Why do we have an architecture where you can target one ISP and take down half of the internet for the U.S.?”
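The failure mode Harvey describes, two nameserver addresses that both resolve to the same data center, is straightforward to check for once the addresses are known. The following script is an added illustration, not code from the article or from any of the people or companies it quotes. It takes a constructed list of nameserver records (hostname, IPv4 address, hosting-facility label); in practice the addresses would come from resolving a zone's NS records and the facility label from an IP-to-ASN or geolocation lookup, both of which are assumed here rather than performed.

```python
"""Assess whether a zone's authoritative nameservers are topologically diverse.

Added example (not from the article). A nameserver set that shares one
network prefix or one hosting facility is a single point of failure for
DDoS purposes, regardless of how many addresses it advertises.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data. The facility label stands in for what an
# IP-to-ASN or geolocation lookup would return (assumed, not performed).
SAME_SITE = [
    ("ns1.example.test", "198.51.100.10", "dc-east"),
    ("ns2.example.test", "198.51.100.11", "dc-east"),
]
DIVERSE = [
    ("ns1.example.test", "198.51.100.10", "dc-east"),
    ("ns2.example.test", "203.0.113.20", "dc-west"),
]


def group_by_prefix(records, prefix_len=24):
    """Map each /prefix_len network to the nameservers that live in it."""
    groups = defaultdict(list)
    for name, ip, _facility in records:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].append(name)
    return dict(groups)


def group_by_facility(records):
    """Map each hosting-facility label to the nameservers hosted there."""
    groups = defaultdict(list)
    for name, _ip, facility in records:
        groups[facility].append(name)
    return dict(groups)


def assess_diversity(records, prefix_len=24):
    """Return a small report; 'diverse' is False when any finding is raised."""
    prefixes = group_by_prefix(records, prefix_len)
    facilities = group_by_facility(records)
    findings = []
    if len(records) < 2:
        findings.append("only one nameserver address: no redundancy at all")
    if len(prefixes) == 1 and len(records) >= 2:
        findings.append(
            f"all nameservers share one /{prefix_len} prefix "
            f"({next(iter(prefixes))}): a single routed block can be saturated"
        )
    if len(facilities) == 1 and len(records) >= 2:
        findings.append(
            f"all nameservers sit in one facility ({next(iter(facilities))}): "
            "a single-site outage removes every address"
        )
    return {
        "nameservers": len(records),
        "distinct_prefixes": len(prefixes),
        "distinct_facilities": len(facilities),
        "findings": findings,
        "diverse": not findings,
    }


if __name__ == "__main__":
    for label, recs in (("same-site", SAME_SITE), ("diverse", DIVERSE)):
        report = assess_diversity(recs)
        print(label, "->", "OK" if report["diverse"] else "; ".join(report["findings"]))
```

The /24 grouping is a deliberately coarse proxy for "same routed block"; a production check would compare origin ASNs and announced prefixes from BGP data rather than a fixed prefix length.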
For enterprises using IoT solutions, the security puzzle is complex. Any one IoT solution that an enterprise plugs in could involve 10 or more partners in the ecosystem, including the application layer, devices, gateways, communication and analytics pieces, Evans says. “Any weak link in the chain is where the cybercriminals can get in” and manipulate devices, he adds.
Even the public sector is taking notice. While most government agencies don’t use commercial IoT devices inside their own walls, the government workforce has established telework programs, and workers are going through their home broadband connections, says Sadiyg Karim, vice president of cybersecurity and CTO at NSSPlus, a network security systems provider that works with the Department of Defense and other government agencies.
“The DoD and federal government have instituted more standards and guidelines over what people should use from home, even if they’re going over VPN,” including changing default passwords, Karim says. Still, he thinks about the demographics of internet users today who are not IT professionals and are expected to carry out these security steps. “The capability is there for individuals to do it on their own, but the learning curve is very steep. It’s still pretty cryptic out there,” he says.
A security framework
Recent IoT device hijackings have targeted commercial devices rather than industrial devices, and the Industrial Internet Consortium wants to keep it that way. In September the group, made up of some of the biggest players in the IoT ecosphere, rolled out its Industrial Internet Security Framework, a set of best practices to help developers and users assess risks and defend against them.
The framework also lays out a systematic way for implementing security in IoT and provides a common language for talking about it. Consortium participants say the long-term goal is to make security an integral part of every IoT system and implementation.