Analysis: It’s a wild cyber world out there as innovation is ahead of security… so how can businesses secure devices as Shadow IoT emerges?
The hope for 2016 is to see the IoT make its way into people’s lives, companies’ strategies and the nation’s roadmaps. However, the approach to safeguarding against the threat of cyber attacks is lagging behind the rate of innovation and development.
In an exclusive roundtable with Telefónica, Kaspersky and NMI, industry experts stressed the need to understand the real impact that an insecure IoT product or service can have.
A key point was "how much the IoT is spreading beyond the fridge" into the masses, what threats that is creating, and how to avoid security lagging behind innovation. This spread is driving the prevalence of shadow IoT, which is growing daily as IoT expands its reach.
Just like with shadow IT, where employees are using IT systems and solutions without the organisation’s consent, organisations will now start to see shadow IoT and wearables, mobile apps and other smart products and services.
Chema Alonso, CEO of Telefónica’s ElevenPaths and Telefónica’s Global Head of Security, said: "We have a problem with shadow IT, things that the IT manager does not know. Most employees are using their personal stuff, personal cloud, and so on.
"Shadow IT is increasing day by day, and that is a problem we have. With IoT it is the same sort of thing. As things get more connected, all of them are connected to the internet, and those are different connections.
"If you have everything connected, you know that internally you have a lot of attackers, who can be malicious employees. The shadow IoT is going to be a big problem in IoT security. You cannot hire an expert every day to test your network.
"You have a different scenario on a daily basis. Right now, we are focused on developing technologies that analyse things 365 days a year. Work continuously to test things that are changing day by day, hour by hour, minute by minute. That is our vision about security. You cannot regulate everything."
In a report, Telefónica has found that the almost infinite benefits of IoT in a hyper-connected society must be counterbalanced by caution to avoid the catastrophic risks posed by cyber attacks.
The paper, "Scope, scale and risk like never before: Securing the Internet of Things", also says that security threats from the IoT are not so different from those in other environments; rather, they have evolved from areas such as industrial security, distributed networks and information security.
For example, threats from identity theft are still a reality, although they now extend to one’s own identification between devices.
On top of this, denial of service (DoS) threats arise from a cloud perspective, while malware has been developed that infects all kinds of systems.
Alonso said: "IoT right now is a very fancy word for all the devices connected to the internet, but the truth is that we had a lot of devices connected to the internet before [such as webcams, etc].
"The problem is that today these devices have been lowered in price, which means people can go out and buy a super computer with Arduinos and so on. That allows you to connect anything to the internet.
"[And] we do not understand ‘things’ until we have a real problem. IoT is huge, and it is going to be bigger than today."
As shadow IoT is only going to grow, companies will have to address the issue by creating new response models.
John Moor, VP of segment development at NMI, said: "Firms will have to rethink how they deliver services. Security as a service is the new trend."
Security as a service (SECaaS) serves as a cost-cutting tool for online businesses, integrating security services without on-premises hardware or a huge budget, according to Cloudbric.
Moreover, a service is exactly what people will be looking for in the IoT ecosystem, beyond connected fridges, worktops and cars.
Moor said: "One of the big trends we are seeing is that as a society we cannot continue being a physical consumer society and this is where servitisation comes in. We want services and this is where IoT can help. The scale is large, the scope is everywhere. Unless we get security right, it will stall."
Also speaking was Andrey Nikishin, special project director for future technologies at Kaspersky Lab. He said that it is usually much easier to hack one device than to access the cloud and hack thousands of devices, "and still make some money out of it".
Nikishin said that devices should have security embedded from the very beginning, an important part of fighting shadow IoT.
"Designers should have this in mind. You should raise the bar and make hacking really expensive and hard. Security in the architecture of the device."
Nevertheless, how do you get rid of unwanted devices? Alonso said that the recommendation is to ban them from the network. "You need to ban it from the network. You need a policy."
José Palazón, CTO of Telefónica’s ElevenPaths said: "You never spend more on security than the cost of something. You need to balance things. You give it to the proper department and they will destroy it or wipe it a thousand times.
"In the industry you have plenty of safety regulations. You need to know which frequencies you are creating. It is very regulated. Regulating these things is very hard. We do not want someone doing a regulation, creating the product and putting it out there. There is a lifecycle; security is a lifecycle."
Nikishin said that in the corporate world it is absolutely necessary to bring a security culture into the ecosystem, "especially in manufacturing".
"Cybersecurity should be and has to be part of the [company’s] culture. If you just follow the basic rules, the number of incidents reduces dramatically. Follow security."
IoT 2.0: When IT and OT collide
To prevent threats from undermining the benefits of IoT, the industry is also starting to look into the merging of IT with OT.
OT, which stands for operational technology, controls, for example, the supplies of water, electricity and gas we consume, as well as running the factories that make the ‘things’. Overall, OT is the practice of computerising industrial controls, according to Telefónica.
In a way, IT is designed to be interconnected, while OT is almost exactly the opposite. Antonio Guzmán, scientific director at Telefónica’s ElevenPaths, said: "A combination of the worlds of IT and OT allows us to incorporate real-time data from devices in the field into the business logic of an organisation.
"The combination of IT and OT teaches some very important lessons about how the future IoT can be secured."
He said that the legacy of OT has meant most IoT deployments have a proprietary protocol using security through obscurity as a defence.
The explosion in the number of devices and verticals is, however, helping fuel a number of initiatives purporting to create open standards for communication, with examples including MQTT, Z-Wave and ZigBee. "These are likely to help create more open, usable security standards," Guzmán said.
Moor said that the automotive industry, for instance, is one of the sectors showing the vulnerabilities that arise when IT and OT are brought together.
Jaime Sanz, telco technical account manager at Intel Corporation Iberia, said: "IoT can allow a change in productivity anywhere. Taking the security measures early could actively build better productivity. For once, security and regulation do not have to be an enemy of innovation."
Looking ahead, there was general agreement that IoT can in fact change humankind; however, security is paramount and must be kept in mind from the very beginning.
Palazón said: "It comes down to good design and user experience. Interface and design are important."
Nikishin said: "[IoT] is unstoppable, it will rule the world in five to ten years’ time. Until now, security always followed innovation. Now, you see that [security is coming] before some innovations are implemented. Security first, then innovation. I see a very bright future for security.
"In five to ten years’ time, security will become an investment to help improve productivity. Security is set to become an [even more] important part of the board."
At the end of the day, as developers design new IoT solutions, "we need to worry about security even if we are going to have a small reduction of innovation," according to Alonso.