Unlocking the Full Potential of IoT
I recently had the opportunity to participate in a panel discussion at the 2017 IoT Security Summit, which was in New York City at the end of October. The session boasted an impossibly long title, “How data and devices are secured across Energy, Healthcare, Transportation”, but I was in great company with four other security leaders on the panel:
- Vijay Vedanabhatla, Principal Security Architect, UPS
- Arun Hegde, Principal Security Architect, Fortune500 Media Company
- Mandar Kawle, Senior Director and BIO, MasterCard
- Abel Sussman, Director, Cyber Risk Advisory, Coalfire
Moderated by Shriram Ramanathan, a Senior Analyst at Lux Research, we dug into the security challenges and risks of IoT applications and devices. In so many ways, IoT security is about the device, but it also incorporates a broad ecosystem of users, data and endpoints, which demand layered security approaches and solutions. However, all of this is underpinned by the foundational component of visibility. How can you secure something if you don’t know it’s there?
The summit brought together a wide variety of professionals at the forefront of IoT and security innovation, and overall, I was impressed by the quality of the presented content and ensuing discussions. Here’s a quick summary of some of the key takeaways:
- The cybersecurity challenges we’re facing aren’t new; however, with somewhere near 6 billion (and growing) IoT devices deployed, the consequences have become dire. In examining recent large-scale breaches, one panel discussed IoT vulnerabilities that bad actors are exploiting and will continue to exploit. For example, IoT endpoints tend to significantly increase the network attack surface, and unmanaged devices, in particular, are being weaponized for botnets, malware and assaults.
- IoT endpoint security is very device-centric today. In many cases, traditional approaches such as user-based authentication, software agents, anti-virus and even data encryption are either non-starters or are simply not relevant for these devices. It’s more important than ever to have a layered security approach that accounts for the devices themselves.
- Related to the above, another big theme was how device discovery, visibility and control are fundamental to securing IoT. Especially as devices are being deployed outside of normal IT channels, it’s essential that security teams have the ability to identify and monitor all connected devices in real time. This is especially critical in industries where devices are geographically dispersed and physically exposed.
- There’s a clear need for industry standards and conformance testing across the entire IoT development chain. Manufacturers and enterprise customers will benefit as everything from silicon and device development through to system deployments is engineered within well-defined security practices and frameworks.
- Training is also a critical part of any enterprise security strategy, and it spans beyond IT security personnel. Organizations need to prep their entire workforce on protocols for preventing cybercrime, as well as how to respond when a breach does occur. Fundamentally, security must be an essential component of all employee training.
The intersection of highly visible cyberattacks and the rapid expansion of IoT is creating a new sense of urgency for CISOs and security teams alike. The sheer number and types of connected devices require new ways of thinking about network and device security, and the summit was a great opportunity to drive the conversation forward, collaborate on best practices and discuss considerations for securing the Internet of Things.