READY OR NOT, HERE COMES THE INTERNET OF THINGS

BY GARY HILSON

If you thought the Internet of Things (IoT) was just about consumers — and that it hasn’t yet gained traction in the enterprise — then you are already behind the curve.

Welcome to 2016, where the pervasive idea of digitally connected devices being everywhere — in our homes, in our transport modes, and in our offices — is here. This is the year where IoT becomes more than a buzzword, say industry experts. Much like any emerging technology, IoT has many definitions but generally refers to the trend of connecting everyday objects to the Internet, be it wearable devices, smartphones, coffee makers, mobile phones, baby monitors, refrigerators, thermostats, and more.

Thanks to the rise of IPv6, the ubiquity of wireless networks, and how easy it is today to infuse WiFi technology into a device, it’s no wonder that, by Cisco Network Inc.’s estimation, there will be more than 40 billion active IoT devices by the year 2020. These Internet-connected devices are dubbed “smart” and feature embedded electronic sensors and network connectivity that enable data transmissions and seamless communication with other endpoint products. Think Google’s Nest thermostats, children’s toys, or Internet tools for the enterprise.

Cool stuff, but for the security professional, this means one simple axiom: more devices, more problems. Simply put, the growth of IoT translates into the growth of IoT vulnerabilities. New opportunities and attack vectors abound for hackers when it comes to IoT devices. (It’s a tall order, but that’s why security pros make the big bucks, no?)

Again, welcome to 2016. IoT security, something that was conveniently ignored in the past, is now on the radar. Or it should be. Increased automation and digitization translate into emerging security concerns; not only is the security threat landscape changing, it’s incumbent this year on CSOs to devise a sound cybersecurity strategy that takes into account the emerging technology — while building a sound business case for wider IoT adoption in the process.

So what are the IoT security predictions and industry trends to pay attention to this year? The number of IoT devices is going to be huge in 2016, notes Ahmed Etman, general manager of cyber security for Cisco Canada, adding that the business model is changing and both the IT and corporate side need to accept that. This year, scale will be the biggest concern due to the number of devices; for the security professional looking to devise a cybersecurity strategy, it’s all about the changing threat landscape and the complexity of managing that, he added.

“More devices means more security is needed. It’s a very simple equation. There’s a rapidly changing threat landscape at the same time. This makes the complex environment less secure and adaptive. Business needs to adapt and adopt security technology that addresses these issues,” says Etman. “The wide range of technologies working in a less controlled environment is expected to introduce higher security complexity compared to what we see today. As devices get more and more intelligent, the risk level of the data will be completely different.

“The current technology, the current tools needed to lock down — and do forensics and so on — are going to have to shape up according to how the IoT devices shape up in the future. It’s not going to appear overnight. It’s going to take some time.”

Nigel Wallis agrees. The IDC Canada research analyst notes that IoT, between now and 2019, is growing at a rate of five per cent; organizations will need to understand that 2016 will be the year where the theoretical security concerns become practical and demonstrable risks. “We are starting to see IoT permeating through organizations. (And) there’s no one IoT — it’s many markets that have been combined into one. Each industry will form an IoT plan that suits them,” says Wallis. “It’s an all new security threat vector. You may have your security set up for perimeter defences and the network. But now it’s about adding a whole series of edge devices that are increasingly intelligent and capable.”

He argues that not only must there be a sound plan for installing security updates on IoT devices, there needs to be a strategy that establishes the proper safeguards to prevent interface and device updates from creating security gaps themselves. Organizations will need to establish a layer of analytics across the organization to keep up: “When’s the last time you updated your router? These are new attack vectors that you are not optimized for. They are in the field, devices are in the real world and exposed. Intelligent devices need firmware, need to be updated, and (organizations historically have been) terrible at that.”

That said, security professionals need to be pragmatic around the IoT security implications, according to Raj Samani, CTO for EMEA, Intel Security. While the threat is real, there’s “still a lot of noise” out there. “There is a difference between vulnerabilities and these vulnerabilities being exploited,” he argues.

Security pros have got to cut through the noise and fear mongering that’s going on to get to the actual reality, he offers. “We’ve seen threats through point-of-sale (POS) and automated teller machine (ATM) attacks because they generate revenue. We will see more of those attacks, and the truth is this will be driven by monetary gain. There will be more attacks in 2016, lower than anticipated, but the vulnerabilities will be there,” he says, adding the security department should be core and central to the business this year, if it’s not already.

“The responsibility for security is with the whole business, not just the security department. It’s ultimately unfair that every time you hear about a security breach, it’s the CSO that’s the first to be fired. CSO is an integral part of the business. That’s the measure of success, pushing and promoting what business can achieve in the 21st century.”

Understand the actual use cases of IoT, says Cisco’s Etman. “Based on the use case, you will have to define different security priorities. It’s less of a concern around privacy, but around how does this overlap with the actual IT infrastructure. Understanding these use cases will determine the priorities of IoT.

“The number one security challenge last year was around responding to the changing technology and business environment. It’s not going to appear overnight. It’s going to take some time.”

In general, defining success for the CSO has been hard, primarily because success was defined by the lack of an event, notes Gabe Gumbs, vice-president of strategy, Identity Finder. But IoT is more than a trend, it’s here and security professionals will need to work closely with the corporate side to build both an IoT business case and forward-looking strategy. It’s about empowering those IoT security decisions in 2016, he says. “A lot of business will look for the quick fix to security issues and it’s their responsibility to not be ‘no-men’ but not ‘yes-men’ either.” In addition, it is imperative that privacy be given equal weighting in any IoT security strategy. “That privacy will be more important this year, front and centre. And it has to be put alongside security.”

IoT is still thought of as a marketing term, and can be almost as nebulous as the cloud in some respects, says Neil Bunn, CTO at Scalar Decisions. That said, he notes that mobile security around IoT will play a huge role in any successful security strategy this year.

“The cost of the physical technology — making a device and adding WiFi — is lower than it has ever been,” said Bunn. Just think about the consumer side and products such as baby monitors and Dropcams being used in the home. And from the business side, think about your staff taking home their work laptops and plugging them into a VPN: “You’re basically taking an enterprise device and putting it into the weak underbelly of a home that has security holes in it. So the challenge is how to use those devices from a productivity, usability and do that in a secure manner,” he says. “Now you have more gateways, and that’s a critical concern for every C-level executive and large organization.”

Adds Ryan Wilson, Scalar Decisions’ chief security advisor, it is important to get proactive from a security strategy perspective. With IoT increasingly being featured in the enterprise, privacy is a major concern for all involved, and security pros will need to perform risk assessments on those devices prior to going into any production environment.

“Do I think this year is the pinnacle inflection point? No, not for commercial use,” he says, adding that security pros nonetheless will need to consider home networks and IoT consumer devices as a potential threat to the corporate network.

“IoT can be really scary, or really empowering for businesses.”