IoT Security: it's complicated...
IoT security is an extremely hot topic right now. I recently was asked by a friend (a VC partner) to talk with a very early-stage startup offering a new angle for protecting IoT devices. As part of my preparation for the call, I spoke to a few friends in the field and some customers. It seemed this market became crowded very fast with many startups, each working hard to find the best way to differentiate itself. And many customers are just confused.
I then decided this is a good topic for an “IoT security: a short review and what I noticed” post.
Internet of Things (IoT) security is the latest addition to the cybersecurity world. As more and more devices are being connected to the internet, and especially after large-scale attacks have occurred, it is clear that security should consider and integrate with IoT deployments. Gartner says worldwide IoT security spending will reach $1.9 billion in 2019 and will rise to $3.1 billion in 2021, making it one of the fastest growing segments in the cybersecurity industry.
But, as they say on Facebook, it’s complicated. IoT (like the cloud, and mobile before it) challenges our established perceptions about IT architecture and subsequently its security.
What is IoT?
At first, there were mainframes, then desktops and laptops, and finally mobile devices came along. These are all, in reality, computers (of different sizes and capabilities), with a processor, operating system, some user interface and some sort of connectivity.
IoT, however, is comprised of every Internet-connected device that is not mentioned above, including smart home appliances, water meters, security cameras, smart-city devices and many more. These devices are miniature computers running Linux, with some computing power and the ability to communicate via web protocols (i.e., they have an IP address).
Smaller, less sophisticated connected devices are also part of the IoT landscape. These often function as sensors, are equipped only with short-range communication capabilities and are deployed in a mesh configuration, meaning that they communicate with the Internet using an IoT gateway, which is an industrial modem with some compute power. Some are connected directly to the cloud with a cellular modem.
One could argue that connected vehicles are also IoT devices, and so are planes, ships and any other connected device. Although they are connected, they have dedicated security solutions and therefore fall under their own category. For the sake of simplification, I will focus on “classic” IoT devices.
Which Verticals Does IoT Include?
The verticals that have the most IoT devices to date are:
- Smart cities: lighting, parking, traffic, surveillance, air quality sensors (ShieldIoT, Cybeats)
- Physical security: CCTV, access control, intrusion detection (SecuriThings)
- Building automation: HVAC, fire and security systems (Radiflow, Indegy)
- Industry 4.0: connected machinery, agriculture (CyberX)
- Consumer: smart TVs, personal assistants, smart thermostats, wearables (Arcusteam, SAM)
- Enterprise: connected printers, shadow IoT (Axonius, Armis)
- Medical: connected medical devices on hospital premises, consumer medical IoT devices (CyberMDX, Medigate)
IoT Security Subcategories:
As you can see, the IoT landscape is complex, and so are the security solutions. These tackle the different challenges of IoT: device hardening, encryption, discovery, data protection, malware and anomaly detection, policy enforcement and more:
- Device hardening/chip security: These aim to harden the connected device itself and make it less prone to hacking. These solutions focus on the chip level or the SIM.
- Encryption and authentication: The most common security solutions available today, these aim to ensure that only recognized devices can access the network and that the data they collect (and sometimes store) is secured.
- Protection of consumer connected devices: This is the largest segment of the IoT security space, with multiple vendors providing ruggedized routers or security software that is deployed by the ISP, aimed at securing home devices connected to the home WiFi network.
- Discovery: These solutions are aimed at enterprises that want to secure themselves from IoT-borne threats. As such, they utilize several types of receivers to intercept different IoT protocols (Zigbee, Bluetooth, and Wi-Fi), discover unknown IoT devices connected to corporate networks, and keep an inventory of these devices. More specialized solutions are also available. Some companies offer specific solutions for specific verticals, such as stadiums or medical devices/hospital networks.
- IIoT (Industrial IoT): These solutions are extensions of ICS cybersecurity solutions, aiming to secure industrial (OT) networks from external cyber threats.
- IoT Platforms: Since most IoT deployments are managed on specific IoT-cloud platforms, it makes sense that these platforms will also provide security features. Recently, cloud provider Microsoft Azure rolled out Security Center for IoT. It will be interesting to see whether these platforms integrate external solutions (similar to the process that has happened with cloud providers and security vendors).
- IoT Devices Security Management (IDSM): This is the category aimed at securing “classic” IoT deployments, including large quantities of devices deployed in cities and homes. These solutions focus on securing the actual devices and identifying malware infections that can lead to large-scale botnet attacks like Mirai, which infamously infected and recruited thousands of devices to launch the world’s largest DDoS attack. IDSM can be delivered as a managed service to match the business model of its users, the IoT service providers. One such vendor is Cybeats.
Judging from startup financing rounds, the enterprise and industrial subcategories are the most mature of these.
Summary
IoT is growing so fast that there is an obvious need for proper solutions to address security concerns. It is only through the use of such solutions that the IoT revolution can be completed and the vision of a connected world manifested. However, without a mainstream industry standard for IoT security (such as the one NIST is working on) it will remain a somewhat fuzzy and complicated sector, and vendors will attempt to stamp their authority and grab as much of the market as possible.
Keep safe! Dotan
I submit that the very well articulated case made here holds even more true for IoT/ICS/OT...? https://www.securityroundtable.org/8-steps-to-simplify-cybersecurity/
Quoting fakebook to support, “It's complicated.”!?! That only reconfirmed my first thought when I read the title... “It is only if you make it so.”
SME- Retired (1/31/2024)
5 years ago
Thanks Dotan Bar Noy - This is an excellent summary, imo. I would also include, specifically, embedded medical devices. We are already seeing not only exploitation of vulnerabilities but are also seeing a glut of false positives (that is, mal-operation of the device itself). I think the current NIST standard does not go far enough; but that is just one man's opinion.
Head of DevOps
5 years ago
What IoT security? :-)