To Understand IoT Security: Look to the Clouds

IoT. Everybody is using it — whether they know it or not.

From smart home assistants to smart city parking and from walking robots to flying drones, millions of new devices are placed online every week. This new “Internet of Everything” is growing in breadth, depth and width of new offerings.

And yet, hackers seem to be laughing all the way to the bank.

So where are these trends heading? How can we connect the latest IoT security dots?

To start, check out these recent technology magazine headlines and IoT security report summaries:

Here is an excerpt from the IoT Security report from Pepper.me, which focused on how economics is driving a “race to the bottom” with IoT pricing focused on winning market share.

  1. “Several of the devices we tested were painfully insecure.
  2. A few of the associated smartphone applications that control these devices were terrifying in the extent to which they can access our personal data.
  3. There are a large number of IoT companies and startups, but many appear not to care about security, and neither, apparently, do the retailers who sell these devices to consumers.
  4. There is cause for concern about China’s role in IoT.
  5. Using cloud infrastructure does not mitigate security threats.
  6. Patching will not fix the systemic issues we uncovered.”

Ever feel like you’ve seen (a slightly different version of) this movie before?

I certainly do — and the evolving events remind me a lot of the developments in cloud security — only IoT security seems to be almost a decade behind.

A Brief History: Where Have We Been with IoT Security?

Rather than rehash some familiar IoT security topics, here’s a quick recap of IoT security highlights over the past few years, including smart city security stories, which are a piece of the Internet of Things. Notice the progression in IoT security themes.

This webinar from 2016 identified many early IoT security challenges, but we still face most of the same IoT issues today.

Three IoT Security Trends to Watch as We Head into the 2020s

As we look to industry answers to IoT security challenges, we can learn from the processes, solutions and organizations that have led the global cloud security challenges. Groups like the Cloud Security Alliance, which was founded in 2008, can help. We can learn from the roads they traveled, and the decisions that led to where we are today.  

Also, the federal cloud developments with the FedRAMP program offer an important track record worth considering. I describe more recent cloud security developments in this piece from 2018.

Here are three specific areas to watch as we head toward 2020:  

1) Interoperability Standards — Consider this quote from RFID Journal: Are Smart Cities Secure?

“More troubling is that the interoperability standards specified in the new smart-city tenders were minimal. There were the primary syslog and SIEM requirements, but no STIX/TAXII, XML/JSON or similar to pass or consume threat intelligence data. I can understand an agency’s systems sending alerts and data to an SOC, but not the need to receive any data back. It could be argued that related agencies will use the same systems, but the tender process may prevent that. That is why it is essential to document and require all necessary interoperability standards.”

NIST has been working on smart city and other IoT standards, and this video shows some of the ways.

Also, NIST has sponsored the Global Cities Team Challenge (GCTC), which I describe in more detail in this piece.

2) Data Breach Trends and IoT Missteps are Driving IoT Product Change — and Vendor Action

Consider these quotes from an article at IOTforall.com:

“The gap between companies that are the most security-savvy about the Internet of Things (IoT) and those that are the most security-challenged is huge, according to a recently released 2018 State of IoT Security Survey. That chasm has led to costly security missteps. …

The bottom-tier companies pointed to a few particularly troublesome spots. In comparison to top-tier companies, bottom-tier companies are:

  • More than 6 times more likely to have experienced IoT-based denial of service attacks (44 percent of bottom-tier companies versus only 7 percent of top-tier companies)
  • More than 6 times likelier to have experienced unauthorized access to IoT devices (62 percent of bottom-tier companies versus 10 percent of top-tier companies)
  • Nearly 6 times more likely to have experienced IoT-based data breaches (69 percent of bottom-tier companies versus 12 percent of top-tier companies)
  • 5 times likelier to have experienced IoT-based malware or ransomware attacks (68 percent of bottom-tier companies versus 15 percent of top-tier companies)”

Another key question will be whether more government regulations are coming for IoT in the near future. If there is a big mistake, such as a death related to insecure IoT, more regulation will happen quickly.   

3) Competing Platforms — IoT platforms — everyone seems to be developing one.

This article from Network World attempts to show why they are so confusing. IoT for All, meanwhile, says: “IoT platforms are the support software that connects everything in an IoT system.” In this model, IoT platforms:

  • Connect hardware, such as sensors and devices
  • Handle different hardware and software communication protocols
  • Provide security and authentication for devices and users
  • Collect, visualize, and analyze data the sensors and devices gather
  • Integrate all of the above with other web services

… Back in 2017, IoT Analytics compared a whopping 450 IoT platforms. (That number was up from 260 in the firm’s 2015 analysis and 360 in 2016. But though leading products are growing at more than 50 percent a year, the market remains highly fractured.)”

If we are looking to the cloud journey for answers on IoT security, will a CASB-like model emerge for IoT? Probably, or something very similar. No doubt, the competing platforms will play into this trend, and there are already security tools that will help enterprises find rogue IoT devices.

Final Thoughts

Let me be clear that we will be in this IoT security battle for a long, long time. There are NO SIMPLE ANSWERS that work in every situation. No doubt, the RSA Conference in San Francisco will be dominated by IoT Security in 2019 — and throughout the 2020s.

However, as I have said many times before, we can learn from history — in physical storms and cyberstorms and even security audit findings.

So if you want to connect the dots on where IoT security is heading — look to the road traveled by cloud security. Not all the answers are there, but the road will be similar in many respects as we try to establish reliable standards and overcome threats from evolving cyberattacks. 

And yes, both cloud security and IoT security journeys continue to evolve. It is just that the cloud is a bit further down the yellow brick road.   
