As the Internet of Things expands, so do the risks
Internet-connected devices offer hackers a portal to unsecured data
By Byron Acohido, ThirdCertainty
Get used to it. The Internet of Things is here to stay. In fact, IoT is on a fast track to make all manner of clever conveniences part of everyday commerce and culture by the close of this decade.
Tech research firm Gartner estimates IoT endpoints will grow at a breakneck 32 percent compounded annual growth rate for the next few years, reaching an installed base of 20.8 billion IoT units by 2020.
Tiny single-purpose sensors designed to collect rich profile data on individual behaviors, as well as on company systems, already can be found in all manner of medical devices, automobiles, TVs, gaming consoles, webcams, thermostats, utility meters, household appliances, manufacturing settings and wearable tech. Much more is coming.
It is incumbent upon the businesses that deliver both the IoT devices—and the new Internet-connected services IoT sensors make possible—to address the security exposures that are part and parcel of this rapid scale-up. Fortunately, cybersecurity vendors are stepping up innovation to do just that. Gartner projects that worldwide spending on IoT security will reach $348 million in 2016, up 24 percent from 2015 spending, and climb steadily to $840 million by 2020.
I recently sat down with Johnnie Konstantas, director of security solutions at Gigamon, a supplier of network visibility technology, to discuss what’s on the horizon. Text edited for clarity and length.
3C: What is the core security challenge accompanying our rapid deployment of billions of IoT sensors?
Konstantas: IoT sensors are quite small and pretty cheap, too, and they don’t have a lot of memory on them. Their whole point is to store a little bit of information and then just forward it on to the cloud. If you think about how we traditionally use things like encryption and a firewall to secure a mobile phone or laptop, that’s very hard to do on a small IoT sensor.
So what you have is a conduit into the corporate network deployed for the purpose of receiving intelligence, and you can’t really push perimeter protection out to these IoT devices.
There’s no question IoT sensors can potentially be a way in. The IoT endpoint could get infected with malware or it could be used as a lily pad to jump in deeper.
3C: What defensive approaches look promising?
Konstantas: A lot of it comes down to continuous monitoring. These devices are going to always be on, transmitting intelligence. The idea is to continuously understand what the IoT device is forwarding or receiving 24/7. Sounds like a tall order, but doing that allows you to essentially perform analytics on IoT-generated traffic. And with the proper kinds of security analytics in place you will be able to surface anomalies.
3C: Sounds like big data analytics with an IoT twist.
Konstantas: Yeah, exactly. Big data analytics is nothing new. Security analytics is nothing new. But both are actually seeing a resurgence. Call it SIEM (security and information event management) 2.0 for lack of a better word. This time SIEM is not so much about collecting large volumes of data; it’s more about getting the right kinds of data. It’s about pruning my data feeds to figure out whether I have any risks associated with my IoT deployments.
3C: What key developments are on the horizon?
Konstantas: I’ve been in security since ’98, so I’ve seen a few patterns play out. The one constant has been that when cool technology emerges—like our ability to do commerce on the web or virtualized storage and computing—adoption tends to be a lot faster than the arrival of the technology to secure it. So it’s fair to say that our desire to take advantage of sensor networks and IoT is going to outpace our ability to roll out security infrastructure to secure them as well.
More stories related to the Internet of Things:
Technological armor evolves to keep IoT devices safe from attack
Ripples from Internet of Things create sea change for security, liability
Consumers should brace for home network intrusions in 2016