The recent DDoS attack via IoT botnets has again brought into the spotlight the dangers of connecting vulnerable IoT devices such as cameras, DVRs, and refrigerators to the internet. Furthermore, cyber-attacks on critical connected assets such as nuclear facilities, energy grids, steel mills and connected cars have grown over recent years, and more attacks are imminent. Cisco has been a pioneer in several IoT and security segments. In order to extend Cisco’s market leadership, we at Cisco Investments have dug deep into the IoT security market to better understand customer requirements, emerging startups, and our role in driving innovation through investing. In this post we want to share our lessons so far.
Why is IoT Security critical?
Device explosion: IoT security is becoming increasingly critical due to the explosion in the number of connected devices. The most conservative growth estimates put the number of connected devices upwards of 20 billion by 2020. Per Cisco’s Visual Networking Index Forecast, IoT will account for 50% of these devices. And as the recent DDoS attack via IoT botnets has shown, less secure connected devices such as DVRs and cameras are used as the launch point for attacks on broader network services and on smarter devices.
IT/OT network convergence: In the business environment, operational technology (OT) networks, consisting of the hardware and software used to control physical devices, operational processes and events, are increasingly converging with IT networks. This convergence exposes OT assets, such as supervisory control and data acquisition (SCADA) systems in nuclear facilities and steel mills, to IT security threats, and vice versa. And unlike conventional cyber attacks, where access and information are compromised in the digital domain, IoT security threats have more far-reaching and irreversible physical consequences (think accidents involving connected cars, industrial plants and nuclear facilities).
Why can’t current cybersecurity solutions effectively work for IoT? IoT needs its own security solution for a variety of reasons. First, IoT consists of numerous endpoints (10–20 times more than IT devices) spread across multiple sites, which renders perimeter-based security solutions such as firewalls and VPNs ineffective on their own. Second, many IoT devices have limited battery and computational power, not enough to run IT endpoint security software. Third, IoT networks span not just WiFi but the full spectrum of wireless networks and protocols, including Z-Wave, ZigBee, long-range low-power LoRa, HaLow (802.11ah), 802.11ad and Bluetooth, requiring tailored security solutions. Lastly, the security priorities of IT and OT differ. On the CIA triad, OT security prioritizes availability over integrity and confidentiality, whereas IT security prioritizes confidentiality and integrity over availability. As an example of the difference, a typical IT security policy would dictate that an infected device be taken off the network and quarantined, but this would be the last resort in an OT environment, where turning off one machine might stop the entire manufacturing process.
A simple framework for IoT Security
IoT security solutions need to address four key functionalities.
Visibility: Most enterprises do not have a good handle on their connected device inventory and its inter-connections. Visibility is the bedrock of any IoT security solution, enabling an enterprise to identify critical events, pinpoint the source of a problem, and effectively respond to threats.
Compliance: Setting up access control and enforcing it is the next step of an IoT security policy. A compliance offering should also generate a log of all network activity for reporting and audit. Keeping device firmware updated is critical too; that is delivered through the Connectivity functionality below.
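The Visibility and Compliance functionalities above, as an added example that is not part of the original post: a device inventory (the visibility baseline), an allow-list policy per device type, and a pass over a constructed flow log that produces an audit record for every flow, denies anything not explicitly allowed (including an IT/OT crossover from a DVR to a PLC and camera traffic to the internet), and reports internal addresses the inventory does not know about. The inventory, the policy, the addresses and the flow records are all constructed for illustration.

```python
"""Visibility and compliance check over a constructed flow log.

Added example (not from the original post): the inventory, the allow
policy and the flow records below are all constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed device inventory: the "visibility" baseline. In a real
# deployment this comes from discovery/profiling, not a hand-written dict.
INVENTORY = {
    "10.0.1.10": {"type": "camera", "zone": "iot"},
    "10.0.1.11": {"type": "dvr", "zone": "iot"},
    "10.0.2.20": {"type": "plc", "zone": "ot"},
    "10.0.3.5": {"type": "nvr-server", "zone": "servers"},
    "10.0.4.7": {"type": "hmi", "zone": "ot"},
}

# Constructed access policy: per source device type, the set of
# (destination type, destination port, protocol) it may talk to.
# Anything not listed is denied, so an IT/OT crossover (DVR -> PLC)
# and camera-to-internet traffic both fail closed.
POLICY = {
    "camera": {("nvr-server", 554, "tcp")},
    "dvr": {("nvr-server", 443, "tcp")},
    "hmi": {("plc", 502, "tcp")},
    "plc": set(),
    "nvr-server": set(),
}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto>".
CONSTRUCTED_FLOWS = """\
2016-10-25T10:00:01Z 10.0.1.10 10.0.3.5 554 tcp
2016-10-25T10:00:02Z 10.0.4.7 10.0.2.20 502 tcp
2016-10-25T10:00:03Z 10.0.1.11 10.0.2.20 502 tcp
2016-10-25T10:00:04Z 10.0.1.10 203.0.113.9 23 tcp
2016-10-25T10:00:05Z 10.0.9.99 10.0.3.5 443 tcp
"""


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def classify(src, dst, dport, proto):
    """Return (verdict, reason) for one flow against inventory and policy."""
    src_dev = INVENTORY.get(src)
    if src_dev is None:
        # A talker with no inventory record: a visibility gap first,
        # a policy question second.
        return "deny", "unknown_source"
    if ipaddress.ip_address(dst) not in INTERNAL:
        return "deny", "external_destination"
    dst_dev = INVENTORY.get(dst)
    if dst_dev is None:
        return "deny", "unknown_destination"
    if (dst_dev["type"], dport, proto) in POLICY.get(src_dev["type"], set()):
        return "allow", "policy_match"
    return "deny", "not_in_policy"


def evaluate(flow_text):
    """Produce an audit record for every flow, allowed or not."""
    audit = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        verdict, reason = classify(src, dst, dport, proto)
        audit.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                      "proto": proto, "verdict": verdict, "reason": reason})
    return audit


def inventory_gaps(audit):
    """Internal addresses seen on the wire that the inventory does not know."""
    seen = {r["src"] for r in audit} | {r["dst"] for r in audit}
    return sorted(a for a in seen
                  if ipaddress.ip_address(a) in INTERNAL and a not in INVENTORY)


def summarize(audit):
    """Count audit records by reason, for the reporting side of compliance."""
    return Counter(r["reason"] for r in audit)


if __name__ == "__main__":
    records = evaluate(CONSTRUCTED_FLOWS)
    for r in records:
        print(r["ts"], r["src"], "->", r["dst"], r["dport"], r["proto"],
              r["verdict"], r["reason"])
    print("inventory gaps:", inventory_gaps(records))
    print(dict(summarize(records)))
```

The policy is keyed by device type rather than by address so that a newly discovered camera inherits the camera rules once it is classified; the unknown-source flow is denied and also surfaces in the inventory gap list, which is the visibility finding the compliance check depends on.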
Connectivity: Enabling secure communication requires provisioning identities for devices and users, managing their credentials, and authenticating and encrypting communication over WiFi and a wide variety of non-WiFi wireless networks.
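The identity, credential and authentication part of the Connectivity functionality, as an added example that is not part of the original post: a registry provisions a distinct secret to each device, every message carries an HMAC tag bound to the device identity and a monotonically increasing counter, and the receiver rejects unknown devices, forged or tampered messages, and replays of captured messages. The `Registry` and `Device` classes and the device names are constructed for illustration; payload encryption is deliberately left out, since in practice the tagged message would travel inside a TLS/DTLS session or an AEAD envelope.

```python
"""Per-device credential provisioning and authenticated messaging.

Added example (not from the original post). Class names, device names
and the payloads are constructed assumptions. Only the authentication
half of secure connectivity is shown; confidentiality would come from
TLS/DTLS or an AEAD around the same envelope.
"""
import hashlib
import hmac
import secrets


def message_tag(key, device_id, counter, payload):
    # Bind the tag to the claimed identity and the counter, not just the
    # payload, so a tag cannot be lifted onto another device's traffic.
    msg = device_id.encode() + b"\x00" + counter.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Registry:
    """Back-end side: issues credentials and verifies incoming messages."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def provision(self, device_id):
        """Issue a fresh 256-bit secret to one device (constructed; a real
        deployment would push it into a secure element or use certificates)."""
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        self._last_counter[device_id] = 0
        return key

    def revoke(self, device_id):
        """Credential lifecycle: a revoked device is unknown from now on."""
        self._keys.pop(device_id, None)
        self._last_counter.pop(device_id, None)

    def verify(self, envelope):
        """Return (accepted, reason) for one message envelope."""
        device_id = envelope["device_id"]
        key = self._keys.get(device_id)
        if key is None:
            return False, "unknown_device"
        expected = message_tag(key, device_id, envelope["counter"], envelope["payload"])
        # Constant-time compare: avoid leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False, "bad_tag"
        # Counter must strictly increase, so a captured envelope cannot be replayed.
        if envelope["counter"] <= self._last_counter[device_id]:
            return False, "replay"
        self._last_counter[device_id] = envelope["counter"]
        return True, "ok"


class Device:
    """Device side: holds its provisioned key and a monotonically increasing counter."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self._key = key
        self._counter = 0

    def send(self, payload: bytes):
        self._counter += 1
        return {
            "device_id": self.device_id,
            "counter": self._counter,
            "payload": payload,
            "tag": message_tag(self._key, self.device_id, self._counter, payload),
        }


if __name__ == "__main__":
    registry = Registry()
    cam = Device("cam-01", registry.provision("cam-01"))
    env = cam.send(b'{"temp_c": 60.1}')
    print(registry.verify(env))  # (True, 'ok')
    print(registry.verify(env))  # (False, 'replay')
```

The per-device key is what makes compromise of one camera a one-camera problem: a device that steals another's key still fails verification because the tag covers the device identifier, and a shared fleet-wide secret would give no such isolation. The counter check is cheap enough for constrained devices that cannot afford a full session protocol, at the cost of needing persistent counter storage on both sides.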
Intrusion Detection, Prevention and Response: Intrusion detection and prevention systems are required for identifying possible incidents and logging information about them. They are also used for identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. Incident response involves addressing an active threat by attempting to prevent it from succeeding, whether by stopping the attack itself, changing the security environment or changing the attack’s content. In the context of IoT, solutions that analyze operational data (e.g. power, temperature and pressure readings) to detect policy violations and behavior anomalies are more effective than traditional approaches that analyze only network behavior data, because an attack that issues well-formed commands to a controller may leave nothing abnormal on the network and show up only in the physical process.
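Detection over operational data, as an added example that is not part of the original post: a pass over constructed pressure and temperature readings that raises a policy violation when a reading leaves its hard operating limits and a behavior anomaly when a reading drifts far from the rolling baseline of recent readings, plus a response mapping that routes alerts to an operator instead of auto-isolating the device, in line with the OT availability priority discussed earlier. The sensor names, limits, window size, threshold and the readings are all constructed assumptions.

```python
"""Anomaly detection on operational readings (policy limits + behaviour baseline).

Added example (not from the original post). Sensor names, limits, window
size, threshold and the readings themselves are constructed assumptions.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed operating limits per sensor: (low, high). A reading outside
# them is a policy violation regardless of history.
LIMITS = {
    "boiler_pressure_bar": (0.0, 8.0),
    "bearing_temp_c": (0.0, 90.0),
}

# Constructed telemetry as (timestamp, sensor, value). Pressure sits near
# 5 bar, jumps to 5.9 (inside limits but abnormal), then to 8.5 (over limit).
READINGS = [
    ("10:00:00", "boiler_pressure_bar", 5.02), ("10:00:00", "bearing_temp_c", 60.1),
    ("10:00:01", "boiler_pressure_bar", 4.98), ("10:00:01", "bearing_temp_c", 59.9),
    ("10:00:02", "boiler_pressure_bar", 5.01), ("10:00:02", "bearing_temp_c", 60.2),
    ("10:00:03", "boiler_pressure_bar", 5.00), ("10:00:03", "bearing_temp_c", 60.0),
    ("10:00:04", "boiler_pressure_bar", 4.99), ("10:00:04", "bearing_temp_c", 59.8),
    ("10:00:05", "boiler_pressure_bar", 5.03), ("10:00:05", "bearing_temp_c", 60.1),
    ("10:00:06", "boiler_pressure_bar", 5.01), ("10:00:06", "bearing_temp_c", 60.0),
    ("10:00:07", "boiler_pressure_bar", 4.97), ("10:00:07", "bearing_temp_c", 59.9),
    ("10:00:08", "boiler_pressure_bar", 5.00), ("10:00:08", "bearing_temp_c", 60.3),
    ("10:00:09", "boiler_pressure_bar", 5.90), ("10:00:09", "bearing_temp_c", 60.0),
    ("10:00:10", "boiler_pressure_bar", 8.50), ("10:00:10", "bearing_temp_c", 60.1),
]


def detect(readings, limits, window=8, k=4.0, min_sigma=0.05):
    """Return alerts as (timestamp, sensor, kind, value).

    kind is "policy_violation" when a hard limit is breached, or
    "behavior_anomaly" when the reading is more than k standard deviations
    from the mean of the previous `window` readings of that sensor.
    min_sigma keeps a very flat baseline from flagging every tiny wobble.
    """
    history = defaultdict(deque)
    alerts = []
    for ts, sensor, value in readings:
        lo, hi = limits[sensor]
        if not lo <= value <= hi:
            alerts.append((ts, sensor, "policy_violation", value))
        hist = history[sensor]
        if len(hist) >= window:
            mu = mean(hist)
            sigma = max(pstdev(hist), min_sigma)
            if abs(value - mu) > k * sigma:
                alerts.append((ts, sensor, "behavior_anomaly", value))
        hist.append(value)
        if len(hist) > window:
            hist.popleft()
    return alerts


def recommended_action(kind):
    # OT response is not "pull the device off the network": availability
    # comes first, so alerts go to an operator rather than auto-isolating.
    return {
        "policy_violation": "page operator; verify process state physically; do not auto-isolate",
        "behavior_anomaly": "open investigation; correlate with maintenance and network logs",
    }[kind]


if __name__ == "__main__":
    for ts, sensor, kind, value in detect(READINGS, LIMITS):
        print(ts, sensor, kind, value, "->", recommended_action(kind))
```

The two checks are independent on purpose: the 5.9 bar reading is within limits and would pass a pure threshold check, but it is far outside the baseline and is exactly the kind of drift a manipulated setpoint produces; the 8.5 bar reading trips both. The baseline keeps being updated with anomalous values so that a genuine change in operating point stops alerting after a window, which is a choice to revisit if slow ramps are a concern.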
It is also important to mention that IoT security solutions need to be tailored to the industry and the communication protocols they are securing. For example, a solution for connected cars may not be directly applicable to an industrial IoT environment because of the different OT protocols in use. The market has seen product extensions from incumbents, including enterprise security companies and IoT platforms, as well as the entry of startups focused on IoT security. However, these solutions are far from comprehensive in addressing the four functionalities above. If you think your startup does all of the above, we would love to talk to you! Security is the key to mass adoption of IoT in both enterprise and consumer verticals. The sooner we are able to create security standards for IoT, the faster we will be able to unlock its disruptive potential. A big shout out to my colleagues Karthik Subramanian, Amit Chaturvedy, and Daniel Karp for their help in developing the framework. We would love to hear your thoughts here.