The IoT delivers compelling economic and social benefits. It presents great opportunities for the private sector and federal agencies but the scale of security and operational challenges is a big impediment for adoption. A recent report from the US Government Accountability Office (GAO), issued in May 2017 confirms the numerous IoT security gaps that need to be addressed. The report highlights a key challenge is the lack of consideration for security when designing IoT devices. Without standards and a strong security foundation for the IoT devices, the challenge becomes a safety issue and demands attention from Government bodies.
With the adoption of IoT comes the significant increase in the attack surface. But while the threats may seem innumerable, infinitely varied and ever-changing; the reality is they aren’t. We don’t have sizeable threat analysis data for the IoT yet, but we do have extensive threat analysis from the Verizon DBIRs (Data Breach Incident Reports), spanning over the last 10 years. While the motivation and impact of breaches may differ in the case of IoT, the type of exploits are similar to what we know in the current IT landscape.
According to these DBIR reports:
- Weak identities (passwords or other credentials) are the holy grail for hackers. In 2016, 63% of the incidents were related to weak credentials. Recent Mirai and BrickerBot attacks used weak credentials as exploit vector.
- Contrary to the popular belief, the NSA and other APT attackers don’t rely on “Zero Day” exploits. As per Verizon DBIRs 9% of the vulnerabilities exploited were already well known.
Evaluating the above DBIR threat analysis data, a suitable solution can be implemented for much of the breaches if Government involvement addresses the problems with well-known weak identities and vulnerabilities by enforcing appropriate standards. According to these reports and other experts, 85% of the threats could have been avoided if IT had taken the basic steps to address the identities and vulnerabilities.
The Scale of IoT = Bigger challenge for identity
IoT presents a new challenge for device identity given the large number of connected devices and its anticipated exponential growth. This exacerbates the problem further and creates a key barrier for IoT adoption.
It’s impossible to apply all the manual security operational tasks in use today for IoT use cases, making the human errors and operational challenges larger problems for IoT adoption and national security. Lack of interoperability and standards are making this a national crisis.
Why are we not addressing these problems immediately?
Till now, security has always been treated as an afterthought: layers of security, credentials are established with mostly manual methods. In the case of IoT, the weakest link in the chain is the device. There are no well-established standards or processes for device identities. While we have traditional PKI standards based technologies for device identity, there is no clear device identity model established and operationalized since the internet became mainstream.
While there is significant investment and development to address the security issues, since the accountability of the breaches is not propagated across the eco-system, much of these technologies are still treated as an afterthought. The focus is reactive in the areas of detect, respond and threat analytics, not in the foundational ‘prevent and protect’ technologies.
Take the recent Dyn attack example, neither the seller nor the buyer of the devices cares about fixing the weak credential problem. The owners of these devices don’t care. Like pollution, the only solution is to regulate. The Government could impose minimum security standards across the ecosystem with liability ownership to include the device manufacturers and software vendors so that companies like Dyn can prosecute them if any of these parties are responsible for DDoS attacks.
Without Government involvement and standards, the investments go in the patch work, and don’t solve the foundational issues mentioned above.
The safety and scale issues of IoT are now forcing the industry to design and implement security automation at the beginning. Without the operational automation, IoT adoption, economics and security posture would suffer.
Choose a security solution which solves the identity, privacy and operational challenges:
KeyScaler uses extensively patented technologies to solve the trust foundation for the IoT ecosystem. These technologies deliver unique device identity, authentication, integrity and data privacy models required for IoT applications.
The KeyScaler™ platform employs agent at the device level with a unique patented trust anchor and a server interface to the IoT platform and applications. The agent footprint architecture accommodates from small sensors to smart Gateways.
With the trust anchor at the device, KeyScaler delivers:
- Identity provisioning at the time of device manufacturing
- Automated IoT device onboarding and policy based device provisioning
- Automated password and identities management
- Policy based, transport independent end-to-end data privacy and integrity
- Mitigate the security and safety risks associated with the weak identities (63%+) for IoT eco-system
- Enable partners to address the known 9% of the risky vulnerabilities quickly
- Address the policy based end-to-end data privacy and integrity, well suited to IoT implementations
- Automate operations at IoT scale