Coming Full Circle on IoT (In)Security

In thinking ahead to 2018, we can’t help but look back. We kicked off 2017 talking about the (in)security of IoT and the infamous DDoS attack on Dyn, via the Mirai botnet, which infiltrated tens of millions of IP addresses.

What’s changed since then? Unfortunately, not as much as we’d hoped.

As with most technologies, industry growth comes paired with opportunities and challenges. While IoT automation and interconnectivity lend itself to many new and innovative products, challenges arise around the security models of IoT communications. What’s often missing is a synergy between IoT and security that not only fosters innovation but also enforces information assurance principles on the communication.

Not Convinced? Look at the Facts

Not surprisingly, spending on IoT isn’t expected to slow anytime soon. Research firm IDC predicts that by 2021 global IoT spending – including hardware, software, services and connectivity that enables IoT – will reach nearly $1.4 trillion. Exciting growth to be sure…until you lift the curtain and see what’s on the other side.

A November 2017 survey released by ForeScout Technologies revealed that 82 percent of IT and line-of-business decision-makers worldwide don’t feel confident about passing audits – they admit they’re unable to identify all of the IoT and operational technology (OT) devices on their network. And, a June 2017 report from consulting firm Altman Vilandrie & Co. discovered that 46 percent of U.S. organizations using an IoT network have been breached recently.

Unless industry leaders dedicate the time and resources necessary to identify and fully understand all of the components – and the associated risks – involved in an IoT deployment, our security future remains bleak.

The API Crossroads

When evaluating the entire IoT ecosystem, we must include APIs, writes Dean Hamilton, SVP of IoT Products and Solutions for Accelerite. Hamilton explains that it’s important to consider these components “both in isolation and working together as a part of an integrated solution” – a solution that wouldn’t exist without API-based communication.

In order to manage the explosive flow of data, major vendors like Microsoft are adopting a Hub-based model to centralize IoT communications. While providing a more easily controlled environment for content and distribution mechanisms, the challenge of securing information exchange remains, allowing for device or system compromise. What’s lacking is the added layer of security to the various threads of communication, the APIs.

Marrying these capabilities, while also combining information assurance with identity authorization, is the API Security Gateway. Providing an extension to the IoT Hub model, it serves as a secure connector that both authenticates the device and enforces the expected communication patterns/behaviors of the IoT components. Importantly, the API Security Gateway provides transparency and serves as an enforcer of secure data handling: a recipe for success in preventing IoT compromise.

While small steps like the IoT Cybersecurity Improvement Act have been introduced to bring IoT security more to the forefront, the road ahead will likely be a long and bumpy one. The IoT is here to stay, though, and will indefinitely transform many aspects of our lives. Let’s just hope that industry leaders are able to establish sound security practices and architectures before embracing the full potential – and risks – of IoT.