Meeting Notes - IoT Security (South Hants IT event number 9)

We kicked off the 2020 South Hants IT forum with a highly topical subject, Security of Internet of Things (IoT) devices, as most people have Alexa / Google Home devices deployed these days. With an excellent turnout as a result of a slightly more focused administration approach, it was proven to be an excellent, educational and as ever interactive session delivered superbly by Sir Bob Vickers of Ordr (he’s not really a Sir, but he should be).

To give the presentation some context, Bob explained the current definition of what an IoT device would be, and the volume of devices in the market currently. An IoT device for the purposes of his presentation was a “Headless Device, ie one that generates data without a person inputting anything”. So does not include mobile phones, laptops etc, but does include CCTV, Smart Fridges, Internet connected Medical equipment etc. The scale of current deployed blew my mind, 5 billion devices in the “Enterprise” business space, and 21 billion devices in total (including consumer devices). So 3 devices for every person on the planet. Mental.

Ordr are one of a handful of security vendors that have made an active focus on IoT security, and Bob gave a good representation of this whole niche but growing market. Differentiation between the “usual” SIEM services and IoT specific functions are subtle but important, being able to recognise the normal operating / usage patterns of 5-21 billion devices is pretty complex, and this is why it will continue to be a growth area as IoT increases in rollout.

My takeaways from the presentation were:

• IoT feels like a bit of a buzzword but is clearly gaining traction across numerous verticals as intelligent and connected devices have broader and broader use cases. 
• One of the key differences between IoT device deployment and “normal IT” rollout's is the devices tend to be administered and deployed by non-IT staff, leaving potential security holes in their installation that may not be such an issue if IT staff were responsible. Very few non-technical people would bother to change the default password on their Ring doorbell for instance.
• According to Ordr, it takes on average only 30 minutes for a well qualified hacker to find a route onto a network with a poorly secured IoT device attached. Brute force, or more sophisticated, attack methods combined with “cheap” security deployed in some devices make them an easy target. One breached, hackers can gain access to the network fairly quickly and cause all sorts of problems.

There are 4 key steps in deploying an IoT Security solution:

• Get Visibility – use tools to discover the IoT (and other) footprint on your network, including understanding what sort of device and what patch level it is on. This gives you a view on attack service. Bob quoted a client who thought they had 10,000 devices on-net, and at this stage found 23,000 devices.
• Address Vulnerabilities – based on the above, create a programme of work to address known vulnerabilities through patching and configuration to reduce your risk profile.
• Behaviour Monitoring – create a “normal” usage profile, which devices talk to which devices at which rates / routes, such that this baseline can be used to derive any deviations for alerting. This phase is known as User and Entity Behaviour Analytics (UEBA)
• Alerting and Auto-Redress – once a normal pattern is derived, ensure that any deviation from the norm is captured and rules / work procedures put in place to identify and address these deviations.

The commercial model for this service is based on volume of devices managed, on a per month or annum / per device model, which makes for an interesting return on investment case. Bob explained that the market is buoyant with numerous clients concerned about their expanding IoT footprint, and this is definitely a market to watch within the already rapidly expanding Security sector. The view in the room is the case stacks up at in excess of 500 IoT Devices attached to the network, but I can imagine this is dependent on the criticality of data in the Enterprise, and any regulatory risk.

The group discussed future topics, and the next 2 sessions will be:

-         March – 5G

-         May – Smart Cities, with a specific contribution from the developers at Fawley which brings an interesting local relevance to the topic.

A big thank you to all people involved, attending or hoping to attend, in 2020 and also to Mrs Clark who has managed to get on top of the admin to such an extent that its looking increasingly likely that we’ll have surplus funds to go to a nominated charity this year.

As ever, the pub was fun afterwards although someone was disappointing by leaving early because he had only just got back from driving home from Plymouth – I am a lightweight and apologise profusely.

As ever, any questions, comments or feedback, please get in touch.

Phil ([email protected])