Frequently, I am asked to speak at IT security industry conferences about a topic I know well – security for the Internet of Things (IoT). After presenting and during the Q&A sessions, I am often asked, “Why are IoT devices so difficult to secure?”
To answer that question, I start by talking about IoT devices having unique characteristics that make them quite different from traditional IT assets.
The three characteristics that make IoT security a tough challenge are:
- The vast quantity and large diversity of IoT devices
- Most IoT devices have very limited resources to protect themselves in terms of CPU, memory, bandwidth, and power
- All these devices are connected online all the time, putting them at a higher risk for being hacked
Now, let’s look at each of these characteristics in more detail. First, on the quantity of IoT devices: it’s projected that by 2020 we’re going to reach 20 billion IoT devices. Can you imagine that?
A Field of Assets just too Diverse for Traditional Security Solutions
Clearly, that’s a huge number of devices as is, but now add a massive level of complexity: most of these devices are very different from each other with regard to operating systems, memory, hardware, etc. Now, imagine you needed a solution for billions of devices where most had different hardware, different operating systems, different applications running, and different protocols. It’s a field of assets just too diverse for traditional security solutions.
Since traditional cyber defenses are designed to protect standard, homogeneous equipment and devices, a new and different type of security solution is needed to protect all these heterogeneous IoT devices.
Most IoT Devices Weren’t Designed to be Upgraded
As for the second characteristic, some of the traditional ways of protecting devices probably won’t work because many IoT devices weren’t designed with upgrading in mind, especially with their limited and primitive resources. For example, it’s very hard, if not impossible, to download antivirus software onto a Nest thermostat.
Online All the Time
Regarding the third major unique characteristic, devices that are always-on are more than likely mission-critical, making them high-value, high-reward targets for cyber-attackers. If these devices are breached, the consequences can be a lot more serious, or even dire, for an organization.
New Security Solutions are Needed
Based on these three characteristics and other inherent challenges that come with protecting IoT devices, it’s fairly obvious that we need new security solutions.
One attribute that makes this task more achievable is that most IoT devices are purpose-built for only a few functions, unlike PCs and smartphones, which let you do so many different tasks.
ZingBox IoT Guardian is able to analyze the network traffic to and from IoT devices and then establish a baseline, so that any activity that occurs outside the baseline is red-flagged and the customer is alerted.
Also, most IoT devices require little to no human intervention, so their traffic patterns can be a lot more predictable, and that is something we at ZingBox leverage when building effective IoT security.
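The baselining idea described above, shown as an added sketch that is not ZingBox's code and not part of the original post: it learns which peers and services each device talks to and how much it sends, then reports flows that fall outside that baseline. The device names, hostnames, flow records and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (device, destination, dst_port, protocol, bytes_sent)
TRAINING = [
    ("thermostat-1", "api.vendor.example", 443, "tcp", 1200),
    ("thermostat-1", "api.vendor.example", 443, "tcp", 1350),
    ("thermostat-1", "api.vendor.example", 443, "tcp", 1100),
    ("thermostat-1", "ntp.vendor.example", 123, "udp", 90),
    ("thermostat-1", "ntp.vendor.example", 123, "udp", 90),
    ("camera-7", "nvr.corp.example", 554, "tcp", 480000),
    ("camera-7", "nvr.corp.example", 554, "tcp", 510000),
    ("camera-7", "nvr.corp.example", 554, "tcp", 495000),
]

def build_baseline(flows):
    """Map device -> {(dst, port, proto): [byte counts seen while learning]}."""
    baseline = defaultdict(lambda: defaultdict(list))
    for device, dst, port, proto, nbytes in flows:
        baseline[device][(dst, port, proto)].append(nbytes)
    return baseline

def check_flow(baseline, flow, k=3.0, floor=0.25):
    """Return a list of reasons the flow falls outside the device's baseline."""
    device, dst, port, proto, nbytes = flow
    if device not in baseline:
        return ["unknown device (no baseline learned)"]
    history = baseline[device].get((dst, port, proto))
    if history is None:
        # A purpose-built device talking to a new peer or service is the
        # strongest signal, because its normal peer set is small and stable.
        return [f"new peer/service {dst}:{port}/{proto}"]
    mu = mean(history)
    # Tolerance: k standard deviations, but at least `floor` of the mean so
    # that a perfectly constant history does not alert on tiny jitter.
    tolerance = max(k * pstdev(history), floor * mu)
    if abs(nbytes - mu) > tolerance:
        return [f"volume {nbytes}B outside {mu:.0f}B +/- {tolerance:.0f}B"]
    return []

def alerts(baseline, flows):
    """Return (flow, reasons) pairs for every flow that deviates."""
    return [(f, r) for f in flows if (r := check_flow(baseline, f))]
```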
Interested in learning more about enterprise IoT Security? I will be speaking at IoT Security Summit in Boston next month, October 18, 2016. I hope to see you there.