The rapidly expanding Internet of Things (IoT) has ushered in some major cybersecurity challenges over the past few years. Indeed, we’ve known for some time now that security in the IoT is often severely problematic or even non-existent. 2016 saw the emergence of the giant Mirai botnet, which specifically targeted smart devices such as Internet-enabled digital video recorders (DVR) and surveillance cameras (CCTV). It was used to launch DDoS attacks of unprecedented scale, brought down Brian Krebs’ website in September and has since been used to target a whole range of organizations. We blogged in January about the enormous impact a Mirai attack had on Deutsche Telekom, for example.
The important point for businesses to understand here is that IoT-enabled devices are a potential security problem from two angles. First, devices within their network are vulnerable to being exploited and harnessed to become part of a botnet or other cyber threat. And second, their network is vulnerable to being pummelled from the outside by the biggest botnets the world has seen.
As a result, leading cybersecurity market commentators are calling for regulation of the sector. Last month at the RSA Conference there were calls for a new government agency to be set up in order to oversee IoT regulation. Then, just a few days later, it was announced that the US Department of Homeland Security is investing $1 million to fund five start-ups specifically focusing on securing the IoT.
The start-ups in question cover several crucial elements of IoT security, including device authentication, cryptographic protocols, network visibility and dynamic detection of devices, and secure wireless communications gateways. As you can see from the above article, Clavister CEO, Jim Carlsson, welcomes the news, underlining that innovation and investment in the sector are crucial in order to accelerate security deployments on smart, connected devices. It’s why Clavister recently announced that it has joined the Intel IoT Solutions Alliance, which comprises hundreds of companies globally, producing everything from modular components to full, market-ready systems – all aiming to help organizations enjoy the scalability and flexibility of the IoT without incurring risks to their networks or data.
Such investment should mean that in the months and years ahead, organizations deploying IoT-enabled devices can have greater confidence in their in-built security features, and mitigate the risk of part of the infrastructure being recruited to join botnets like the Mirai botnet. In other words, this is good news for one side of the IoT security threat – the risk of devices within the network being compromised.
However, organizations need to take responsibility individually for securing their networks from the external IoT threat – that of compromised devices being recruited into botnets launching DDoS attacks or attempting to infect them with malware. If you are deploying IoT devices in your offices or on your networks, you need to assess the security of the devices, lock them down by changing passwords and security controls away from the defaults, segregate them from other network devices, and restrict access to and from them. This way, you can stop your devices becoming part of the IoT security problem.