Why the Internet of Things is so Difficult to Secure

A recent Forbes survey found that 39 percent of corporate executives surveyed say IoT programs at their companies have been delayed due to security concerns. While this statistic is significant, that figure should arguably be higher due to the unknowns in most IoT architectures. The IoT security problem is primarily a cultural one. Take a smart television as an example. For the average person, if it continues to function as required, should they care that it happens to be part of a botnet? Unfortunately, that answer is “no”. The average person only cares that the smart device continues to function in line with expectations; the fact that it may be insecure is secondary if the device was not primarily intended for use as a security control point. This is true in both consumer and corporate worlds.

There is little regulation mandating that a minimal level of security be built into IoT devices. However, this is starting to change. In August 2017, The United States Senate introduced the IoT Cybersecurity Improvement Act of 2017, which requires that vendors providing internet-connected equipment to the U.S. government ensure their products meet a baseline set of security standards. While this is a good start, it is not the norm. More needs to be done by regulators globally, working in conjunction with those attempting to secure our digital lives, to help ensure IoT devices meet security standards.

For businesses, additional IoT security challenges include: • Devices are usually low powered. Limited computing capabilities mean difficulty implementing security controls (e.g. encryption).

• Keeping devices up to date is not something that is currently well managed, leading to security vulnerabilities potentially remaining un-patched indefinitely.

• The sheer number of emerging connection protocols makes devices difficult to manage and secure.

• Devices are increasingly unlikely to be in physically secure sites, significantly increasing the opportunities for attackers to compromise their integrity.

• IoT deployments are largely uncontrolled environments where the number of devices grows exponentially, making it extremely challenging for security teams to govern and manage.

People and companies do not “buy IoT”. They focus on improving the way their businesses run or that make lives better. The fact that something is IoT-related technology is secondary to the buyer and user experience. Therefore, IoT will eventually become the norm. The term will lose its lustre and we will simply be attempting to maintain cyber safety for organizations and the general population. Security practitioners would serve the world best by getting ahead of this reality and approaching the problem not as “protecting IoT”, but in building next-generation cyber defenses. Instead of security, cyber defenses must focus on cyber resilience using a risk-based approach. This is how we best set ourselves up to succeed in the ongoing war against cyber-attackers.