Can IoT Planners Learn From the Cloud Security?
Dan Lohrmann
Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor
The Internet of Things (IoT) is growing exponentially. But security and privacy concerns are piling up at the same time. How can we understand where this trend is heading? Here's what we can learn from the history of the cloud.
IoT. Everybody is using it — whether they know it or not.
From smart home assistants to smart city parking and from walking robots to flying drones, millions of new devices are placed online every week. This new "Internet of Everything" is growing in breadth, depth and width of new offerings.
And yet, hackers seem to be laughing all the way to the bank.
So where are these trends heading? How can we connect the latest IoT security dots?
To start, check out these recent technology magazine headlines and IoT security report summaries:
- Dark Reading: IoT Security's Coming of Age Is Overdue
- PC Magazine: IoT Security Is (Still) A Gigantic Mess
- Telecoms.com: 58% of UK businesses can't detect an IoT security breach
- State of IoT Security Report: Summary of Findings
Here is an excerpt from the IoT Security report from Pepper.me, which focused on how economics is driving a “race to the bottom” with IoT pricing focused on winning market share.
- "Several of the devices we tested were painfully insecure.
- A few of the associated smartphone applications that control these devices were terrifying in the extent to which they can access our personal data.
- There are a large number of IoT companies and startups, but many appear not to care about security, and neither, apparently, do the retailers who sell these devices to consumers.
- There is cause for concern about China’s role in IoT.
- Using cloud infrastructure does not mitigate security threats.
- Patching will not fix the systemic issues we uncovered."
Ever feel like you’ve seen (a slightly different version of) this movie before?
I certainly do — and the evolving events remind me a lot of the developments in cloud security — only IoT security seems to be almost a decade behind.
A Brief History: Where Have We Been with IoT Security?
Rather than rehash familiar IoT security topics, here's a quick recap of IoT security highlights from the past few years, including smart city security stories, since smart cities are one piece of the Internet of Things. Notice the progression in IoT security themes.
- 2014: The Internet of Things (IoT) is taking off in smart directions
- 2015 (Crain’s Detroit): Why businesses should focus on securing the 'Internet of Things'
- 2015: (RFID Journal): Six Questions for IoT Security Expert Dan Lohrmann
- 2016: Where Next on Internet of Things (IoT) Security?
- 2017: Lack of Trust in IoT Security Shows More Regulation Is Coming
- 2017: Can We Take People Out of Internet of Things Security?
- 2018: Bridging the smart cities security divide
This webinar from 2016 identified many early IoT security challenges, yet we still face most of the same IoT issues today.
Three IoT Security Trends to Watch as We Head into the 2020s
As we look to industry answers to IoT security challenges, we can learn from the processes, solutions and organizations that have led the global cloud security challenges. Groups like the Cloud Security Alliance, which was founded in 2008, can help. We can learn from the roads they traveled, and the decisions that led to where we are today.
Also, the federal cloud developments under the FedRAMP program offer an important track record worth considering. I describe more recent cloud security developments in this piece from 2018.
Here are three specific areas to watch as we head toward 2020:
1) Interoperability Standards — Consider this quote from RFID Journal: Are Smart Cities Secure?
“More troubling is that the interoperability standards specified in the new smart-city tenders were minimal. There were the primary syslog and SIEM requirements, but no STIX/TAXII, XML/JSON or similar to pass or consume threat intelligence data. I can understand an agency's systems sending alerts and data to an SOC, but not the need to receive any data back. It could be argued that related agencies will use the same systems, but the tender process may prevent that. That is why it is essential to document and require all necessary interoperability standards.”
NIST has been working on smart city and other IoT standards, and this video shows some of the ways.
Also, NIST has sponsored the Global Cities Team Challenge (GCTC), which I describe in more detail in this piece.
2) Data Breach Trends and IoT Missteps are Driving IoT Product Change — and Vendor Action
Consider these quotes from an article at IOTforall.com:
“The gap between companies that are the most security-savvy about the Internet of Things (IoT) and those that are the most security-challenged is huge, according to a recently released 2018 State of IoT Security Survey. That chasm has led to costly security missteps. …
The bottom-tier companies pointed to a few particularly troublesome spots. In comparison to top-tier companies, bottom-tier companies are:
- More than 6 times more likely to have experienced IoT-based denial of service attacks (44 percent of bottom-tier companies versus only 7 percent of top-tier companies)
- More than 6 times likelier to have experienced unauthorized access to IoT devices (62 percent of bottom-tier companies versus 10 percent of top-tier companies)
- Nearly 6 times more likely to have experienced IoT-based data breaches (69 percent of bottom-tier companies versus 12 percent of top-tier companies)
- 5 times likelier to have experienced IoT-based malware or ransomware attacks (68 percent of bottom-tier companies versus 15 percent of top-tier companies)”
Another key question will be whether more government regulations are coming for IoT in the near future. If there is a big mistake, such as a death related to insecure IoT, more regulation will happen quickly.
3) Competing Platforms — IoT platforms: everyone seems to be developing one.
This article from Network World attempts to show why they are so confusing. IoT for All, meanwhile, says: “IoT platforms are the support software that connects everything in an IoT system.” In this model, IoT platforms:
- Connect hardware, such as sensors and devices
- Handle different hardware and software communication protocols
- Provide security and authentication for devices and users
- Collect, visualize, and analyze data the sensors and devices gather
- Integrate all of the above with other web services
… Back in 2017, IoT Analytics compared a whopping 450 IoT platforms. (That number was up from 260 in the firm’s 2015 analysis and 360 in 2016. But though leading products are growing at more than 50 percent a year, the market remains highly fractured.)”
If we are looking to the cloud journey for answers on IoT security, will a CASB-like model emerge for IoT? Probably, or something very similar. No doubt, the competing platforms will play into this trend, and there are already security tools that will help enterprises find rogue IoT devices.
For the rest of this article, including some final thoughts, see: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/to-understand-iot-security-look-to-the-clouds.html
Question: What are your thoughts on Cloud Security and IoT Security? Please leave a comment.
You Can Follow Dan on Twitter at: @govcso
Or, reach out and connect on LinkedIn
Writer at Cybersecurity Insiders
5 years ago: "IoT. Everybody is using it — whether they know it or not." You nailed it Dan
新加坡宥云亚洲有限公司 - Encrypted remote work: helping small and medium-sized enterprises transition to cloud services to improve efficiency and reduce costs
5 years ago: Thanks for sharing your thoughts on this
Subject Matter Expert, Information and Cyber Security at ICEX | intellectual capital exchange
5 years ago: Couldn't agree more, Dan - this is an area I'm looking at more and more closely over the next few months. The challenges in this area are mind-boggling. This is likely the next landscape for cyber warfare as well. And the problem is compounded by the need to understand the different perspectives from both the IT and the OT sides of the equation, and what it means to be a producer and a consumer in this space.