Why IoT Security Needs an Inside-Out Approach

By   ISBuzz Team
Writer , Information Security Buzz | Jun 24, 2015 07:00 pm PST

The number and variety of devices getting connected to the internet are increasing everyday. Leading analyst estimates indicate that over 26 billion devices will be connected to the internet by 2020 creating the internet of things (IoT). Surprisingly this list excludes PCs, tablets and smartphones, representing an almost 30-fold increase from 0.9 billion in 2009.

Securing the internet of things is increasingly becoming a challenge. With every new device getting connected to internet, the ways in which a system can be compromised are also changing.  IoT devices usually have embedded systems, with minimal or zero inbuilt security features. New pathways and vulnerabilities that were once viewed as isolated phenomenon, are now becoming regular system vulnerabilities. New devices, network traffic and new protocols are increasingly getting aggregated becoming difficult to monitor and secure. They are providing cyber criminals innovative ways to enter a system.

Security and IoT

IoT is creating security issues on two fronts. On one hand, the number of connected devices is exponentially increasing, posing a security challenge in the form of new pathways and parameters for the cyber-criminal. On the other, the amount of data that needs protection is also increasing. More and more data is getting created and transferred everyday. The network traffic, database transactions and workloads are increasingly becoming overwhelming, leading to increase in data security issues.

Today there are more “devices with people (DWP)” connected to the internet, so we have intelligent human beings who can be made a part of the solution. However, tomorrow a situation will arise when more “Devices sans people (DSP)” will be connected as compared to DWP. In such a scenario, intelligence and responsibility will need to be built inside the devices itself. This is another problem, the solution to which is yet to be ascertained.

CIO and Security

Here the role of the CISO becomes very important in terms of defining the IT security strategy because the world of IT security is getting fundamentally transformed.

In the world sans IoT, very few devices existed in the Operational Technology (OT) layer, that were connected to the internet or IP enabled. At that time, only the devices in the Information technology layer were connected.  Hence, IT security primarily referred to the security of the IT layer and both the IT layer and the OT layer were controlled and secured differently. While IT security mainly focuses on confidentiality of data and network infiltration, OT security emphasizes more on physical security, safety, and business continuity that involves maintaining round the clock availability of critical systems.

It is increasingly seen that more and more devices are getting connected to the internet leading to the OT layer becoming increasingly IP enabled. This in turn is making the IT layer more vulnerable. So the traditional model of IT security – securing the IT layer and the OT layer differently, will have to change. A unified approach is the need of the hour. Today’s CISO will have to devise a unified IT strategy that takes into account the growing interconnected nature of the OT layer.

What this essentially means is that the following will be the drivers of any strategy that will attempt securing the IoT :

Visibility across every layer – The strategy and actions should provide visibility across the OT layer, the IT layer and other layers of the network considered untouchable so far. No layer or devices should be considered safe or untouchable.

Visibility across all kinds of threats – Known threats and attacks through them are soon going to be things of the past as newer devices provide new loop holes and new threat vectors. The strategy should help to see the potential vulnerability in the device, the moment it gets connected to the network and monitor all the potential vulnerabilities rather than waiting for something to happen. What is being referred to here is real time threat/ vulnerability assessment and definition. The library of potential vulnerabilities should get populated round the clock, based on the profiling of new devices added rather than new attacks.

Visibility across all platforms – The creation of monitoring resources should be such that they are platform agnostic. It is the world of continuous updates, open source and self imposed redundancy  as far as software platforms are concerned. So a system that is crafted to be platform independent in terms of its ability to monitor and see what’s happening will go a long way in securing the network.

Encryption of Networks – Entire internal networks will have to be encrypted. What we are pointing out here is a point to point and point to multipoint encryption based on network segments, protocols and network flows.

Remediation through automation – The IoT enabled security solutions will need to be developed and implemented in such a way that supports machine to machine intelligence for immediate security control that is automatic and which does no need any human intervention.

As IoT will gain ubiquity, it will change the world of IT through increasing scale, broadening scope and encouraging cooperation. Forward looking CISO’s who understand the need of the hour will be best placed to overcome these challenges posed by IoT and exploit the opportunities presented by it.

[su_box title=”About Prasenjit Saha” style=”noise” box_color=”#336588″]

Presenjit SahaPrasenjit brings with him over 23 years of management experience in global markets. Before joining Happiest Minds, Prasenjit worked as the Vice President, SBU/Profit Center Head for Enterprise Security Solutions division of Wipro Technologies. He was responsible for strategy, sales, business development, solution development, delivery, operations and P&L for the division for 9 years.Prasenjit started the Wipro Security division in 2004 and scaled it up to the third largest Global Security Service Provider with more than US$200 million business. During this period, the division witnessed more than 65% YoY growth under his leadership across more than 140 Fortune 1000 companies.Prior to joining Wipro, Prasenjit worked as a Senior Technical Manager in the Process Automation R&D unit at ABB till 1997. During his career at ABB, he advised, designed and implemented SCADA systems for power, chemical and other industry sector process automation plants. During his tenure at ABB, he also led the setup of ABB, China.Prasenjit started his career in 1991 in the Defence electronics division of BHEL working as an R&D Engineer developing SCADA and Software simulation products and solutions.Prasenjit holds a B.Tech (Hons) degree in Electrical Engineering with specialization in Automation and Control from Indian Institute of Technology (IIT), Kharagpur.He is an active member of multiple infrastructure and security advisory forums.[/su_box]