Defining and Securing the IoT
The Internet of Things represents a new genus of the Internet, and enterprises and government agencies are searching for ways to better serve customers and spawn new growth.
Experts predict that by 2020, there will be 4.3 Internet-connected devices for every man, woman and child on the planet. North America is currently the most saturated market, already boasting an average of 13 connected IoT devices per household.
Each of these connected devices generates data that is pushed, pulled, collected, sorted, analyzed, stored and examined. This data, and the information being extracted from it, has become the foundation for what is being called the new Digital Economy. Revenue resulting from the IoT is estimated to exceed $300 billion in 2020, with a global economic impact of $1.9 trillion.
Defining the IoT
Sometimes it’s helpful to define the IoT with more precision; it can be divided into three broad categories. The first is Consumer IoT, which includes the connected devices we are most familiar with, such as smart phones, watches and connected appliances and entertainment systems. The other two, Commercial IoT and Industrial IoT, are made up of things many of us never see. Commercial IoT includes things like inventory controls, device trackers and connected medical devices, and the Industrial IoT covers such things as connected electric meters, water flow gauges, pipeline monitors, manufacturing robots and other types of connected industrial controls.
Increasingly, Commercial and Industrial IoT are cohabiting within local, national and global infrastructures, creating hyperconnected environments of transportation systems, water, energy, emergency systems and communications. Medical devices, refineries, agriculture, manufacturing floors, government agencies and smart cities all use Commercial and Industrial IoT devices to automatically track, monitor, coordinate and respond to events.
In addition, architects and operators often link IT (Information Technology) and OT (Operations Technology) networks together. Data collected from IoT devices that is processed and analyzed in IT data centers, for example, might be used to influence real-time changes on a manufacturing floor or deliver critical services, such as clearing traffic in a congested city in order to respond to a civil emergency.
Understanding IoT Security Challenges
Because of the hyper-connected nature of many systems, untrustworthy IoT behavior could be catastrophic. OT, ICS and SCADA systems control physical systems, not just bits and bytes, and even the slightest tampering with them can sometimes have far-reaching, and potentially devastating, effects. Compromising things such as transportation systems, water treatment facilities or medical infusion pumps and monitors could even lead to injury or death.
The security challenges of IoT are ones of both depth and breadth. Many IoT devices were never designed with security in mind. Their challenges include weak authentication and authorization protocols, insecure software and firmware, poorly designed connectivity and communications, and little to no security configurability. Many are “headless,” which means that they cannot have security clients installed on them, or even be easily patched or updated.
And because IoT devices are being deployed everywhere, securing them requires visibility and control across highly distributed ecosystems. This requires organizations to tie together what is happening across IT, OT and IoT networks, on remote devices and across their public and private cloud networks. Integrating distinct security tools into a coherent system enables organizations to collect and correlate threat intelligence in real time, identify abnormal behavior and automatically orchestrate a response anywhere along an attack path.
To accomplish this, enterprises need to implement three strategic network security capabilities.
1. Learn – Enterprise security solutions require complete network visibility to securely authenticate and classify IoT devices. Real-time discovery and classification of devices allows the network to build risk profiles and automatically assign them to IoT device groups along with appropriate policies.
2. Segment – Once armed with complete visibility and management, it is necessary to understand and control the potential IoT attack surface. Segmenting IoT devices and communications into policy-driven groups and secured network zones allows the network to automatically grant and enforce baseline privileges suitable for a specific IoT device risk profile.
3. Protect – Policy-driven IoT groups combined with internal network segmentation enable multi-layered monitoring, inspection and enforcement of device policies based on activity anywhere across the distributed enterprise infrastructure. An integrated and automated security framework enables the correlation of intelligence between different network and security devices, as well as the automatic application of advanced security functions to Industrial IoT devices and traffic anywhere across the network, especially at access points, cross-segment network traffic locations and in the cloud.
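A sketch of how the Learn, Segment and Protect steps above fit together, added here as an illustration; it is not code from the article or from any vendor product. The device attributes, group names, zone names and allow rules are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed inventory record: attributes a discovery tool might report.
@dataclass(frozen=True)
class Device:
    mac: str
    kind: str            # e.g. "infusion_pump", "camera", "plc"
    headless: bool       # cannot run a security client or be easily patched
    authenticated: bool  # passed network authentication

# Learn: classify the device and map its risk profile to a group
# (group names are hypothetical).
def classify(dev: Device) -> str:
    if not dev.authenticated:
        return "quarantine"
    if dev.kind in {"plc", "flow_gauge", "electric_meter"}:
        return "industrial"
    if dev.kind in {"infusion_pump", "patient_monitor"}:
        return "medical"
    return "restricted" if dev.headless else "general"

# Segment: baseline privileges per group as (destination zone, port) rules.
BASELINE = {
    "industrial": {("ot_historian", 443)},
    "medical": {("clinical_server", 443)},
    "restricted": {("update_proxy", 443)},
    "general": {("update_proxy", 443), ("internet", 443)},
    "quarantine": set(),
}

# Protect: default-deny enforcement; off-baseline traffic is denied and flagged.
def evaluate(dev: Device, dest_zone: str, port: int) -> str:
    group = classify(dev)
    if (dest_zone, port) in BASELINE[group]:
        return "allow"
    return f"deny+alert:{group}"

def audit(flows):
    """Return the decision for each observed (device, zone, port) flow."""
    return [evaluate(d, z, p) for d, z, p in flows]

if __name__ == "__main__":
    pump = Device("02:00:00:00:00:01", "infusion_pump", True, True)
    cam = Device("02:00:00:00:00:02", "camera", True, True)
    rogue = Device("02:00:00:00:00:03", "plc", True, False)
    flows = [(pump, "clinical_server", 443), (pump, "internet", 443),
             (cam, "ot_historian", 443), (rogue, "ot_historian", 443)]
    for (dev, zone, port), verdict in zip(flows, audit(flows)):
        print(dev.kind, zone, port, "->", verdict)
```

The unauthenticated PLC never inherits the industrial group's privileges: classification fails closed into quarantine before any allow rule is consulted.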
A “Security First” Mentality
Finally, IoT cannot be treated as an isolated or independent component of your business. IoT devices and data interact across and with your extended network, including endpoint devices, cloud, traditional and virtual IT and OT. Isolated IoT security strategies increase overhead and reduce broad visibility. To adequately protect IoT, organizations require an integrated and automated security architecture.
An architecture of this type spans the entire networked ecosystem, expands and ensures resilience, and secures distributed compute resources – including routing and WAN optimization. This ensures that you are securely connecting to known IoT devices that have associated risk profiles, so that they can be better assigned to appropriate network segments or cloud environments. Doing so enables the effective monitoring of legitimate traffic and the checking of authentication and credentials, and imposes access management across the distributed environment.
About the author: Phil Quade serves as Fortinet’s Chief Information Security Officer and brings more than three decades of cybersecurity and networking experience working across foreign, government and commercial industry sectors at the National Security Agency (NSA) and U.S. Senate. Phil has responsibility for Fortinet's information security, leads strategy and expansion of Fortinet's Federal and Critical Infrastructure business, and serves as a strategic consultant to Fortinet's C-Level enterprise customers. Prior to Fortinet, Phil was the NSA Director's Special Assistant for Cyber and Chief of the NSA Cyber Task Force, with responsibility for the White House relationship in Cyber. Previously, Phil also served as the Chief Operating Officer of the Information Assurance Directorate at the NSA, managing day-to-day operations, strategy, and relationships in cybersecurity.
Edited by Maurice Nagle