Maintaining security hygiene in the Internet of Things

Diana Kelley, Executive Security Advisor, IBM Security | March 4, 2016
Diana Kelley of IBM Security discusses the security risks of IoT devices and how enterprises can counter these new security risks.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Times are changing when it comes to keeping an organisation's digital assets secure. For decades, enterprises have relied on security hygiene activities such as patching, system and activity monitoring, and anti-malware controls. Completing these activities in an efficient and timely fashion was the hallmark of a robust security posture.

The dawn of the Internet of Things

But recently, an influx of new devices with built-in computing and networking capabilities, commonly known as the Internet of Things (IoT), is adding more complexity to the mix.

Researchers are already discovering security issues in a range of devices not normally covered by traditional IT or OT security and risk mitigation activities. These include keyless entry mechanisms, automobiles, televisions, thermostats, appliances and similar equipment, any of which could represent an area of potential risk to the organisation. In other words, a misconfigured or vulnerable thermostat or smart TV could just as easily represent a pathway into an organisation as a server or workstation.

The security risks of IoT Devices

It is therefore important to recognise that almost any device can have vulnerabilities or security issues. However, dealing with a vulnerability found in a smart device can actually be more complex than one found in an operating system or application.

Here are a few reasons why.

More often than not, the management of smart devices isn't actually undertaken by the same team that owns the management tasks for IT and operations technologies. For example, if you have a vehicle fleet, is IT involved in vehicle purchases? Probably not, right? So who's monitoring for vulnerabilities in the firmware of these automobiles? Who's responsible for installing firmware updates to mitigate these vulnerabilities?

The same is likely equally true of other smart devices such as televisions, thermostats, smoke detectors and the like. Oftentimes, people don't realise that such smart devices also require periodic monitoring and updating, leaving their security unattended.

Another area of complexity lies in the fact that there is relatively little standardisation in the current mechanisms used to deliver firmware and other updates. The lack of standardisation means that it's hard for enterprises to know which devices have measures to ensure the integrity and authenticity of an update and which do not. Consider, for example, the recent case of a large auto manufacturer that issued a software update in response to a security vulnerability. This automaker employed a USB stick containing the update as the mechanism to install the update.

A methodology like this raises questions. How is integrity ensured? How does the organisation know the USB stick it received contains the approved update and hasn't been tampered with? Installing the approved update is obviously critical, but it's also important to have assurance that the update is legitimate and will not further compromise the vehicle.
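The checks the previous two paragraphs ask for can be made concrete. The following is an added example, not code from the article or from any manufacturer it refers to: a device-side verification routine that refuses to install an update delivered out of band (for instance on a USB stick) unless the accompanying manifest authenticates, the image's hash matches the manifest, and the version is newer than what is installed. It assumes a per-fleet verification key provisioned at manufacture and a vendor-produced JSON manifest carrying a SHA-256 of the image and an HMAC-SHA256 tag; both the key and the firmware bytes below are constructed sample values. A production design would use an asymmetric signature so no secret has to live on the device; HMAC stands in here so the example runs with the Python standard library alone.

```python
"""Verify a firmware update package before installing it.

Added example (not from the article). Assumptions: the device holds a
per-fleet verification key provisioned at manufacture, and the vendor
ships each update as an image plus a JSON manifest containing the image's
SHA-256 and an HMAC-SHA256 tag over the manifest body. HMAC stands in for
the asymmetric signature a production design would use.
"""
import hashlib
import hmac
import json

# Constructed sample key; in practice provisioned per fleet, never hard-coded.
DEVICE_VERIFY_KEY = b"example-fleet-key-do-not-ship"


class UpdateRejected(Exception):
    """Raised when an update package fails any verification step."""


def _canonical(manifest_body: dict) -> bytes:
    # Stable serialisation so vendor and device tag exactly the same bytes.
    return json.dumps(manifest_body, sort_keys=True, separators=(",", ":")).encode()


def build_package(image: bytes, version: int, key: bytes) -> dict:
    """Vendor side: produce the manifest that accompanies the image."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(image: bytes, manifest: dict, installed_version: int, key: bytes) -> int:
    """Device side: return the new version if every check passes, else raise.

    Order matters: authenticate the manifest first, so that a forged manifest
    cannot steer the hash and version checks that follow.
    """
    body = manifest.get("body")
    tag = manifest.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        raise UpdateRejected("malformed manifest")

    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise UpdateRejected("manifest authentication failed")

    # Integrity: the image on the stick must be the one the vendor hashed.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), body.get("sha256", "")):
        raise UpdateRejected("image hash mismatch: image altered or wrong file")

    # Anti-rollback: an older, genuinely tagged image can reintroduce a fixed bug.
    version = body.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected(f"version {version} is not newer than installed {installed_version}")
    return version


def demo() -> dict:
    """Run the cases a practitioner would test; returns the outcome per case."""
    firmware = b"\x7fELF constructed firmware image v2"  # constructed sample image
    pkg = build_package(firmware, version=2, key=DEVICE_VERIFY_KEY)
    results = {}
    results["genuine"] = verify_update(firmware, pkg, 1, DEVICE_VERIFY_KEY)

    altered = firmware.replace(b"v2", b"v2 modified")  # image changed in transit
    try:
        verify_update(altered, pkg, 1, DEVICE_VERIFY_KEY)
        results["altered"] = "accepted"
    except UpdateRejected as e:
        results["altered"] = str(e)

    try:
        verify_update(firmware, pkg, 2, DEVICE_VERIFY_KEY)  # device already on v2
        results["rollback"] = "accepted"
    except UpdateRejected as e:
        results["rollback"] = str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the ordering is that the authenticity check gates everything else: a manifest that has been edited to claim a higher version or a different hash fails the tag comparison before its contents are trusted, and the hash check then ties the bytes actually present on the stick to that authenticated manifest.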
