“There has always been an acknowledgment that this is critical. It was just a question of what do we actually do about it,” says Sven Schrecker, chief architect for IoT security solutions at Intel, and co-chair of the IIC security working group. “In [the framework], we explain what to do about it at a number of levels.”
The IIC believes that original owners of industrial equipment shouldn't be responsible for implementing security, but rather the systems integrator, “who can lean on the device builders, components builders, chip builders and software vendors” to include security. “When all of that flows from the bottom up, it is much more manageable security solution.” Since its release, the new framework has received “tremendous response,” he adds.
Some IoT device providers think security is a shared responsibility. “Manufacturers of IoT devices need to focus on cyber secure design, development and deployment,” says Jason Rosselot, director of global product security at Johnson Controls, which has provided internet-connected building controls, security and fire technologies for more than a decade. Equally important, Rosselot says, is that “consumers of IoT devices must prioritize security in those devices,” including deploying updates and patches as soon as they become available and changing passwords from factory defaults to complex passwords.
How can companies protect themselves?
Organizations need to assess what internet-connected device they currently have, their vulnerabilities, and how they will address them, Evans says. Gartner classifies IoT devices into four categories. Passive, identifiable things like RFID tags have a low threat risk. Sensors that communicate information about themselves, like pressure sensors, have a moderate threat risk. Devices that can be remotely controlled and manipulated, such as HVAC systems and self-driving cars, hold the highest risk for sensitive data loss, malware and sabotage.
At the most basic level, default user names and IP addresses should be changed. Prevention measures could also include micro-segmentation of devices to limit the damage caused by a breach or at least control or restrict the movement of cyber criminals who get inside. Enterprises could also opt for a “cognitive firewall,” which places security controls into the cloud instead of on the device, and uses artificial intelligence to determine if a requested action on a device is appropriate or not, such as “turn on the microwave for 100 minutes,” Evans says.
While the Dyn DDoS attack may be an opening salvo for future attacks, it may also mark the beginning of industry mobilization to introduce standards to IoT devices, Schrecker says. “Two years ago, I would’ve said it would be fruitless to pursue a standard for IoT security, but we’re seeing a collaborative effort now to solve this problem once and for all, so there may be a silver lining here.”
Sign up for Computerworld eNewsletters.