IoT Is Becoming A Nightmare For IT

Uploaded on 2017-07-31 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Developments, TECHNOLOGY-Key Areas-Internet of Things

The Internet of Things, at its simplest level, is smart devices, from refrigerators that warn you when you’re out of milk to industrial sensors, that are connected to the Internet so they can share data, but IoT is far from a simple challenge for IT departments.

For many companies, it represents a vast influx of new devices, many of which are difficult to secure and manage. It’s comparable to the advent of BYOD, except the new gizmos are potentially more difficult to secure, aren’t all running one of three or four basic operating systems, and there are already more of them.

A lot more, in fact, IDC Research says that there are around 13 billion connected devices in use worldwide already, and that that number could expand to 30 billion within the next three years.

Interoperability

The full benefits of the Internet of Things are only realised when large enough numbers of devices are able to interact with each other, and therein lies a big problem. The number of different players in the market covers a wide range, both horizontally, in terms of functionality, and vertically, among different industries.

With a huge number of companies “doing IoT,” most big-name tech companies, including Google, Microsoft, Apple, Cisco, Intel, and IBM have various types of IoT play, all working to bring as many users as possible into their respective ecosystems, motivation to make sure IoT systems and devices from different companies all work with each other is sometimes lacking.

The problem, of course, is that nobody’s willing to give up on the idea of their own ecosystem becoming a widely accepted standard, think of the benefits to the company whose system wins out! and so the biggest players in the space focus on their own systems and development of more open technologies lags behind.

Work is underway to improve testing and standardisation, including at Underwriters Laboratories, which has a "Living Lab" it uses to test smart home devices. The Internet Engineering Task Force, too, has seven different working groups tasked with creating IoT standards.

Systems

But, for the moment, there’s a vast array of technology out there that can accurately be described as enabling IoT. Just at the networking level, there’s Bluetooth, Bluetooth LE, ZigBee, RFID, Wi-Fi, cellular, Z-Wave, 6LowPAN, Thread, NFC, Sigfox, Neul, LoRaWAN, Alljoyn, IoTivity, Weave, Homekit, MQTT, CoAP, JSON-LD, and plenty more that can and do play a part in IoT implementations.

All of these are technical standards, and there are huge overlaps in their areas of functionality, which means that any given device might work with one, several or none of them. So interoperability can be a problem

Making this even more complicated is that some of these technologies address different layers of the stack, whether they’re basic radio communication tech, or a transport layer, or a data protocol, all the way up to something like Homekit that's almost an entire operating system in itself – and others are aimed at the same layer. Several even address various combinations of layers.

What this means is that different IoT implementations can use vastly different technologies, at every level, to get the job done. For example, Swedish pest control company Anticimex has its smart traps send text messages, via a carrier network, to an SMS hub that relays those messages back to a control center. This means that compromising a simpler system like a smart trap doesn’t offer a way into the company’s network, the way a more direct connection might.

In contrast, the team at Red Bull Racing needs constant, real-time data from its Formula 1 cars, which are zipping around racetracks at up to 200 mph. This means a proprietary system that feeds data to a central hub on the car, which transmits wirelessly to a service provider, who encrypts the data for Red Bull’s use.

Security

Both of these systems are reasonably secure, but this makes them the exception, rather than the rule, as it's difficult to overstate the threat posed by IoT technologies on the network.

This threat is two-fold, but both of the main issues center on the fact that many IoT endpoints are not well secured, in part because it can be difficult in some cases to build robust security into small, simple computing devices.

The first major issue is that a compromised IoT device can, in some cases, offer a way onto a company’s network for a malicious actor. A badly secured smart TV, a security camera, anything that accesses the network is a potential vector for an attack.

The second is that even compromised devices that aren’t used to attack a company’s network directly can be conscripted into enormous botnets of other hacked gadgets, a la the infamous Mirai attacks, which saw armies of security cameras and other poorly secured gizmos blast some of the Internet’s biggest sites offline with floods of junk traffic.

Confusion rules the day around IoT security. One of the principal problems is that even cataloguing every connected device on a network is difficult, and many administrators might not be aware of the full IoT presence in their environments. It's tough to secure something when you don't even know it's there.

Beyond simple visibility, the chaotic state of software development for connected devices is probably the biggest concrete security issue, not only are some devices insecure to begin with, but even if manufacturers issue patches for flaws, they can be difficult to distribute and apply in an organized way. Many don't patch at all, as ongoing software development simply isn't in the budget for certain types of devices.

Numerous experts, including entrepreneur and writer Anil Dash, told the Pew Research Center that the outlook for IoT security simply has to improve, or there will be serious consequences.

“People will continue to connect out of necessity, but the cost and severity of lapses and breaches will increase until it’s a constant, ongoing burden for all,” said Dash.

Yet others were more hopeful, including Wikimedia Foundation fellow Dariusz Jemielniak, who said that solutions exist for a lot of the security problems facing IoT.

“Current technology already offers much higher levels of security than the market actually uses; there is a scope for radical improvement if people demand it,” he said.

Applications

IoT is everywhere, but there are certainly a few verticals where it’s more prevalent. Heavy industry is arguably the sector that’s been working with IoT concepts for the longest, thanks to SCADA and robotics, and it’s got its own sub-type of IoT, industrial IoT, or frequently just IIoT. Sharing data for maintenance and operational purposes makes industrial equipment a lot more responsive and useful, and creates a much safer working environment, as well.

Agriculture is another area where IoT has taken off in a big way, planting, irrigation, harvesting and even soil monitoring have become centralised, thanks to high-precision GPS technology, soil sensors and other systems being wired together in an IoT arrangement.

IoT has changed the day-to-day operations in health care, the ability to share medical data quickly is useful for healthcare workers, even if privacy and security concerns are particularly worrisome in such a setting.

Network World

You Might Also Read:

Fraud And The Internet of Things:

Internet of Lousy Things:

 

« Cybercrime Is A Boardroom Issue
Data Threat: Your Ex-Employees »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Lutech

Lutech

Lutech is an Italian ICT engineering and services company. Business solution areas include cyber security.

CSIRT Malta

CSIRT Malta

CSIRT Malta supports critical infrastructure organisations in Malta on how to protect their information infrastructure assets and systems from cyber threats and incidents.

AFCERT

AFCERT

AFCERT is the national Computer Emergency Response Team for Afghanistan.

Guy Carpenter

Guy Carpenter

Guy Carpenter delivers a powerful combination of broking expertise, strategic advisory services, and industry-leading analytics.

OneWelcome

OneWelcome

Onegini and iWelcome have merged to become OneWelcome, the largest European Identity Access Management Saas Vendor.

Phirelight Security Solutions

Phirelight Security Solutions

Phirelight empowers an enterprise to easily understand how their networks behave, while at the same time assessing and managing cyber threats in real time.

Egyptian Supreme Cybersecurity Council (ESCC)

Egyptian Supreme Cybersecurity Council (ESCC)

ESCC is responsible for developing a national strategy to face and respond to the cyber threats and attacks and to oversee its implementation and update.

Hexnode MDM

Hexnode MDM

Hexnode MDM is an award winning Enterprise Mobility Management vendor which helps businesses to secure and manage BYOD, COPE, apps and content.

Safe Security

Safe Security

Safe Security (formerly Lucideus) provides Cyber risk assessment services and platforms to multiple Fortune 500 companies and governments across the globe.

Consortium for Information & Software Quality (CISQ)

Consortium for Information & Software Quality (CISQ)

The mission of CISQ is to develop international standards for software quality and to promote the development and sustainment of secure, reliable, and trustworthy software.

Gorodissky IP Security

Gorodissky IP Security

Gorodissky IP Security is a comprehensive approach to protecting your intellectual property on the Internet and beyond.

MyDocSafe

MyDocSafe

MyDocSafe is an all-in-one document security and e-sign software.

Cyolo

Cyolo

Cyolo’s Secure Access Service Edge (SASE) platform securely connects onsite and remote users to authorized assets, in the organizational network, cloud or IoT environments and even offline networks.

Teleskope

Teleskope

Teleskope are on a mission to empower businesses to protect sensitive data by default.

Buzz Cybersecurity

Buzz Cybersecurity

Buzz Cybersecurity systems and services are designed to proactively guard against common and uncommon cyber threats.

Screwloose IT

Screwloose IT

Screwloose IT are a national provider of information technology services. We specialise in managed IT, cloud services, cyber security, website design and digital marketing for businesses of all sizes.