If we split IoT devices into three tiers, the top tier would consist of well-protected devices, like laptops that are complex machines with plenty of security software. The second tier would be made of occasional use, moderate-complexity devices like thermostats, TVs, and refrigerators. Then we have the third tier. These devices include HVAC, badges, implants, and electronic locks. Initially none of these tiers solely seem to pose a problem. However with more and more hackers taking advantage of these vulnerable, third tier devices to access valuable data, and with 96% of IT security professionals expecting to see an increase in security attacks on these connected devices, it’s clear that a one-size-fits-all approach to security for IoT is not acceptable.
IoT Security Risks
When exploring the security risks of connected devices, IoT and privacy go hand-in-hand. Shodan is an IoT search engine that lets users access vulnerable webcams. Users can find feeds from ski slopes, baby cams, cash register security cameras, and marijuana plantations. Thinking about it is enough for anyone to put a post-it over their laptop’s webcam, Zuckerberg-style.
However, for businesses, the risks are less personal. With around 70% of employees using their own devices to work on the go, or access company information, each new device is a potential conduit leading right into the company’s networks. This open access is a treasure trove for hackers and they will not think twice about compromising the physical systems where they could do real, tangible damage, as well as cause significant revenue loss.
One of the biggest issues is that while vendors of laptops, tablets, and phones see those top-tier devices as having a life cycle, they don’t see low-tier devices the same way. These companies invest resources in creating and shipping updates for high-tier devices that add functionality and resolve security issues, but low-tier devices are sold and forgotten. This lack of consideration for the life cycle of low-tier devices means they’re shipped without the same security expectations. These low-tier, end devices need to be secured in the manufacturing stage, or by the consumer, if there’s any hope of rebuffing security attacks.
If end devices are a mess of no-security access points, this is where Software Defined Networks (SDN) can help control the network itself. The segmentation it provides can mitigate invasive forays into the network. IoT security is taking a cloud-based approach, which means that SDN can also help route, optimise, and automate security services.
SDN Visibility, Adaptability, and Programmability
SDN can recognise devices as they’re added to the network. You can program the network to react differently depending on the nature of the device, its potential for maliciousness and the resources it requires. It also allows you to provision and de-provision the network automatically. This means you can program the network to look out for suspicious activity and divert it to a honeynet until it’s cleared for access.
As artificial intelligence and machine learning improve how they handle massive loads of data, and the responses to such information, this strategy will be more viable. Right now the best bet is a nesting-doll approach to IoT security. Instead of having one firewall at the edge of the network, we can use SDN to create a series of firewalls at different network distances. This allows us to respond to various attacks.
By virtualising network components and services, you can program automatic, adaptive responses to network devices to reroute traffic and apply access rules. This should help secure data delivery, even from end devices. You can segregate network paths where a security breach is detected and investigate it from a centralised point. This reduces the amount of time and effort needed to look at each potential security issue.
SDN is hardly an elixir for IoT security, but it is a helping hand. It won’t block access to the many under-secured end devices out there. It can prevent those access points from being highways into more potentially dangerous information. Again, there isn’t any one-stop cure-all for IoT security. However, we can take steps to mitigate the risks that come from the extreme proliferation of IoT devices.
SDN is the key to managing IoT.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.