The IoT Headache and How to Bolster Defenses
By Dr. Mike Lloyd, CTO, RedSeal
There’s a saying in the security world: ‘if it’s on the network, it belongs to the CISO’. And CISOs have risen to the occasion, developing and honing a bag of tricks that work reasonably well even in the face of morphing attacks and unwitting employees. But now, with increasing numbers of very different devices connecting to the internet, CISOs are realizing that their standard bag of tricks doesn’t work on the Internet of Things (IoT).
First, what do we even mean by Internet of Things? I’ve discussed this with several experts in the area and I find those thinking about security have the best definition – ‘it’s IoT when we can’t get standard telemetry’. That is, the best definition I’ve encountered for the Internet of Things is about blindness and lack of knowledge.
We now have the technical means to cheaply put just about any device online. But that very cheapness is part of the problem – IoT devices compete on price and are hemmed in by strong cost constraints. If we connect a lightbulb to the internet (and yes, people do), you can bet the network functionality will be the cheapest version the manufacturer can get. Within that cheap functionality, security is one of the first things to go.
One of the key tricks in a CISO’s bag is updating applications early and often with the latest fixes. But they can’t update a lightbulb, or an industrial turbine, or every medical device in a hospital. Security and patching infrastructures don’t exist for these special-purpose IoT devices. It requires specific expertise and adds expense to keep up with the endless findings of security researchers. As a result, nobody is responsible for managing security updates for all the Things we’re bringing to the Internet.
Other CISO tricks involve installing security agents on every device and scanning networks for known vulnerabilities. But you can’t install a security agent onto an insulin pump, or an industrial controller, or a lightbulb. And you can’t use vulnerability scanning – the main method for finding known security weaknesses in traditional IT infrastructure. If you do, at best a traditional scanner will struggle to identify the special-purpose device, and at worst it might even crash the fragile Thing you’re trying to identify.
So, what can our CISO do in this world where traditional techniques don’t work well? It’s not as if a typical organization can just refuse to go along with IoT – these devices are proliferating rapidly. I’ve found that the best strategies are segmentation and resilience.
Segmentation makes sure that IoT devices have no access – even indirectly – to the outside world. These endpoints cannot be trusted and can’t be forced to run whatever control software you want. Instead, you must contain them, keeping these fragile and risky devices away from each other and anything else they could harm.
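The phrase “even indirectly” is the part that is easy to get wrong: each firewall rule may look harmless on its own while a chain of them still leads from the IoT segment to the internet. The following is an added example (not RedSeal’s code or any product’s logic) showing how to check that property. It abstracts a firewall or ACL policy into directed zone-to-zone permits, where a tuple means hosts in the first zone may initiate connections to the second, and then searches for any hop chain from an IoT zone to the outside. The zone names, the “current” and “hardened” policies, and the function names are all constructed for illustration.

```python
"""Transitive-reachability check for IoT segmentation (added example).

A policy is modelled as a directed graph of zone-to-zone permits, each tuple
(source_zone, destination_zone) meaning hosts in source_zone may open
connections to destination_zone. The zones and flows here are constructed.
"""
from collections import deque

# Constructed "current" policy: every single rule has a business reason, yet
# together they let the IoT segment reach the internet in four hops.
CURRENT_FLOWS = [
    ("iot", "building-mgmt"),       # sensors report to the building-management server
    ("building-mgmt", "corp-lan"),  # BMS server pushes alerts into corporate mail/ticketing
    ("corp-lan", "dmz"),            # staff reach the proxy / web tier
    ("dmz", "internet"),            # proxy egresses to the internet
]

# Constructed "hardened" policy: the BMS server no longer initiates into
# corp-lan; corporate users pull dashboards from it instead, so no hop chain
# leads outward from the IoT segment.
HARDENED_FLOWS = [
    ("iot", "building-mgmt"),
    ("corp-lan", "building-mgmt"),
    ("corp-lan", "dmz"),
    ("dmz", "internet"),
]


def build_adjacency(flows):
    """Turn the permit list into {zone: set(zones it may initiate to)}."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, set()).add(dst)
    return adj


def find_path(source, target, flows):
    """Shortest hop chain from source to target via permitted flows, or None."""
    adj = build_adjacency(flows)
    parent = {source: None}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:      # walk parent links back to the source
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in sorted(adj.get(zone, ())):   # sorted for deterministic output
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def reachable_zones(source, flows):
    """Every zone that source can reach directly or through intermediate zones."""
    adj = build_adjacency(flows)
    seen = {source}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        for nxt in adj.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(source)
    return seen


def segmentation_violations(iot_zones, outside_zone, flows):
    """Map each IoT zone that can reach outside_zone to the offending hop chain."""
    violations = {}
    for zone in iot_zones:
        path = find_path(zone, outside_zone, flows)
        if path is not None:
            violations[zone] = path
    return violations


if __name__ == "__main__":
    for label, flows in (("current", CURRENT_FLOWS), ("hardened", HARDENED_FLOWS)):
        bad = segmentation_violations(["iot"], "internet", flows)
        print(label, "->", bad or "no path from IoT to the internet")
```

Running it reports the full chain `iot -> building-mgmt -> corp-lan -> dmz -> internet` for the current policy and nothing for the hardened one. The model deliberately tracks only who may initiate a session; it assumes a stateful firewall handles return traffic and ignores ports and addresses, so in practice the permit list would be generated from the real device ACLs rather than typed by hand, and the same search can be rerun after every rule change.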
That is, as the endpoints get dumber (due to their focus
on doing one job well), the network must get