A recent bulletin from the FBI to private enterprises stated that the “exploitation of the Internet of Things (IoT) to conduct small-to-large scale attacks on the private industry will very likely continue.” This bulletin came just five days after the Oct. 21 DDoS attacks that sent us all into a bit of a panic. Our favorite sites were down Twitter, Netflix Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast and the PlayStation network. Beyond these high profile sites, it is likely that thousands of online retail operations were disrupted. We all waited with anticipation wondering which big website was next. Was this the start to a cyber warfare attack?
Turns out it was hackers using a network (Mirai botnet) of internet-connected devices to attack a large Internet service provider Dynamic Network Services Inc., also known as Dyn.
While our fears subsided for now, this large attack that affected millions got me thinking, and apparently the FBI too. We have an interesting ride ahead.
IoT is still really in the early stages. Yes, it’s been around for years but its full potential is a ways off from being 100 percent realized. Much like the internet and the cloud, companies will also rely heavily on IoT as part of their business practices. We will continue to see it scale and our reliance on it grow as IoT makes its way into full production.
As we get used to this new way of life we are going to see similar issues to what we faced when cloud emerged as part of the IT data center. It’s a positive change, but with that change also enters challenges. I was recently in Washington, DC speaking to Congress just on this very topic. Security is the linchpin to the future of IoT. If consumers, enterprises, and the federal government don’t believe their data and privacy are protected, they’ll be hesitant to adopt new technologies no matter how efficient they are.
There are some things we can do to be better prepared. Here are six ways you can enhance the security of your IoT infrastructure:
1) Before starting an IoT infrastructure project, make sure your IT teams and CISOs are not only consulted, but involved in the process. Right now these programs are largely led by either operational technology or the business itself. IT should be involved so there’s a technology expert who can proactively work with the engineers in building the infrastructure (ideally, security and infrastructure architecture should encompass IoT).
2) Your IoT infrastructure has to be secure by design. Building security controls into the IoT solution from the get-go is far more cost-effective than adding them later in the development cycle or, worse, after deployment, when the vulnerability becomes public.
3) IT is required to have tools for managing and administrating the various gateway devices that bridge the connected ‘things’ and the Internet. This would eventually resemble a data center with thousands of end points and servers.
4) The architecture must consider data that should reside on the edge, and data that should be in the cloud. Most of these solutions will be a hybrid of both.
5) Traditional IT vendors must take a serious look at the IoT space and get involved in open source and standards consortiums.
6) Segmenting the network between the traditional IT side and the IoT side should be considered. Leveraging a SDN architecture would be a big enabler for this.
You will hear more from me on this topic in the future, in the meantime, please feel free to share your thoughts below.