Industry Needs Common Security Standards to Thwart IoT Attacks
XCONOMY | By Robert R. Ackerman Jr. | December 21, 2016
A silver lining has emerged in the wake of the massive and well-publicized distributed denial-of-service attack two months ago, in which attackers used a botnet of compromised IoT devices to overwhelm a DNS provider relied on by major companies like Amazon, Netflix and Twitter, knocking their websites offline for many users. This ambush has triggered a redoubling of efforts to focus on the need for industry-led cybersecurity standards for IoT devices.
Even some in Washington, such as U.S. Senator Mark Warner, favor an industry-based approach before any government-mandated IoT security standard is attempted. Security-minded business coalitions are stepping up activity in this area, and the more, the merrier.
After all, it isn’t clear in the United States who is supposed to be protecting the Internet. Most IoT (Internet of Things) devices have been connected in recent years with little concern for security: many ship with weak or shared default credentials, and some with no authentication at all. There is no formal watchdog, not the government nor, for that matter, anyone else.
Instead, every organization is responsible for defending its own small piece of the Internet landscape. Companies and social media hubs are expected to invest in protecting their websites, and often do, but that accomplishes little if the shared infrastructure between them is severed, as happened in the October attack: the sites themselves were not breached, but the DNS service that routes users to them was overwhelmed.
There is no way to know for sure whether an industry-based, unified IoT security approach will work, but it is certainly worth a shot. The highly fluid nature of cyber threats nearly guarantees that government’s traditional approach to regulation, fixed and inflexible, will fail to keep pace. I believe that the Trump administration must envision and enact a concerted initiative to ensure that America is “cyber secure”, but in a broad sense, leaving the specific details to industry players. Industry participants and their suppliers should assume the actual responsibility for stitching together the best practices by which government mandates are met. Ultimately, they are in the best position to combat evolving threats.
The dearth of effective IoT security is no secret. A survey of 220 information security professionals who attended the Black Hat USA conference this year found that 78 percent are concerned about the weaponization of IoT devices for use in distributed denial-of-service (DDoS) attacks. Similarly, a survey by Tripwire, a security firm, found that only 30 percent of the organizations polled are prepared for the security risks associated with IoT devices.
It makes sense for the business community to take the first swipe at resolving the IoT security issue. Some experts propose basic safeguards that manufacturers should build in, such as a unique user name and password for each IoT device rather than a shared factory default that an attacker can look up once and reuse against every unit. Even more people are talking about some sort of up-to-date industry “seal of approval” or comparative ratings system for the security readiness of IoT devices. The private sector would also do well to tap the expertise of the U.S. intelligence and defense communities, which are rumored to have developed considerable expertise in IoT security.
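To make the per-device credential point concrete, here is an added example (not code from the article, from Mark Warner's office, or from any manufacturer or standards body). It shows a factory provisioning step that gives each unit its own random password and stores only a salted hash, a login check against that hash, and an audit of a pre-ship manifest that flags units using a known default or sharing a password with another unit. The credential list, the `CAM-` serial numbers, the manifest rows and all function names are constructed for illustration.

```python
"""Per-device credentials versus shared factory defaults.

Added example, not code from the article or from any vendor. The default
credential list, serial numbers and sample manifest are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for the credential lists that IoT botnets brute-force:
# the same (user, password) pair shipped on every unit of a product line.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "default"),
}

PBKDF2_ROUNDS = 100_000


def provision_device(serial: str, user: str = "admin") -> dict:
    """Create a unique random password for one unit at the factory.

    The device record keeps only a salted PBKDF2 hash; the cleartext is
    returned once so it can be printed on the unit's label. Because each unit
    gets independent randomness, no leaked key or serial number lets an
    attacker derive the password of any other unit.
    """
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {
        "serial": serial,
        "user": user,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "label_password": password,  # for the label printer only, not kept on the device
    }


def verify_login(record: dict, user: str, password: str) -> bool:
    """Check a login attempt against the stored salted hash in constant time."""
    if user != record["user"]:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def audit_manifest(manifest) -> dict:
    """Flag units in a pre-ship manifest of (serial, user, password) rows that
    use a known default or share a password with another unit.

    Either finding means one published credential pair unlocks a whole batch,
    which is exactly what a DDoS botnet needs.
    """
    report = {"default": [], "shared": []}
    by_credential = {}
    for serial, user, password in manifest:
        if (user, password) in KNOWN_DEFAULTS:
            report["default"].append(serial)
        by_credential.setdefault((user, password), []).append(serial)
    for serials in by_credential.values():
        if len(serials) > 1:
            report["shared"].append(sorted(serials))
    return report


# Constructed manifest: two units on a factory default, two sharing a batch
# password, one provisioned correctly.
SAMPLE_MANIFEST = [
    ("CAM-0001", "admin", "admin"),
    ("CAM-0002", "admin", "admin"),
    ("CAM-0003", "admin", "batch-7-camera"),
    ("CAM-0004", "admin", "batch-7-camera"),
    ("CAM-0005", "admin", provision_device("CAM-0005")["label_password"]),
]

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
    unit = provision_device("CAM-0006")
    print(verify_login(unit, "admin", unit["label_password"]),
          verify_login(unit, "admin", "admin"))
```

The audit runs on the cleartext manifest because two units sharing a password produce different salted hashes, so a duplicate check on hashes alone would miss them; the manifest should be destroyed once the labels are printed.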
Separately, collaboration between industry experts and standards groups is already robust. The National Institute of Standards and Technology (NIST) has a Communications Technology Laboratory examining security in the context of IoT and 5G networks. Other groups, such as the International Organization for Standardization (ISO), Underwriters Laboratories (UL), ATIS, IEEE and the 3rd Generation Partnership Project (3GPP), are working on similar issues.
At the same time, at least two industry groups, the Online Trust Alliance and a separate coalition of security and chip firms including Symantec and ARM, have stepped up to the plate to improve IoT security. The coalition has developed the Open Trust Protocol (OTrP) to provide a secure architecture and code management for connected devices. OTrP builds on the trusted execution environment technology already deployed in banking and for handling sensitive data on smartphones and tablets. It is designed to work with security software to protect IoT and mobile devices from malicious attacks.
Meanwhile, the Online Trust Alliance, a non-profit whose mission is to enhance online trust, has established its IoT Trust Framework as the first global, multi-stakeholder effort to address IoT risks comprehensively. It includes a baseline of 31 measurable principles that device manufacturers and developers should follow to maximize the security of devices, and of the data they collect, for smart homes and wearable technologies.
What these consortiums know all too well is that a specific IoT device may not be the actual target of an attack. That device, however, may be highly attractive as a foothold on the network to which it is connected, the real targets being the valuable enterprise assets on that network.
This problem, I should add, isn’t limited to the enterprise. It can also impact home security.
Consider, for example, a smart home in which the garage door opener is also able to deactivate the home alarm upon entry. That is convenient for a homeowner arriving in a hurry. The catch is that the alarm now trusts the opener: compromise only the garage door opener, and the entire alarm system can be deactivated. A privilege granted to a device for convenience is inherited by whoever controls that device.
The broad array of Internet-connected home devices, including TVs, thermostats, door locks and home alarms, creates myriad entry points through which attackers can gain a foothold in residential IoT ecosystems.
While companies and industries unite to correct such shortcomings in the home and in the enterprise, corporate CIOs in particular must push to address the challenges of IoT security within their own organizations.
The most important interim step is for CIOs to create a strong governance framework that holds IoT devices to corporate security standards. Such devices, like any other touch point, must fit within the organization’s security strategy as a whole to prevent data leakage and other privacy breaches. Proactive planning of network and infrastructure upgrades is essential to proactive defense.
Having already taken meaningful steps, the private sector will hopefully work toward a viable, agreed-upon solution to the current IoT security nightmare. I, for one, am confident this will happen, albeit with a time lag. Despite some shortcomings, cybersecurity overall has made substantial progress in recent years. It’s time that IoT joined the club.
Article found here: xconomy.com