Security MEA speaks with Darren Anstee, Chief Technology Officer at Arbor Networks on the challenges that IoT presents in the security arena.
What are the emerging trends in IoT with regards to security?
We will continue to see IoT devices being compromised and leveraged for a variety of purposes by cyber criminals. The sheer number of devices already deployed, many without much security consideration, means there is a significant capability waiting to be exploited. Unfortunately there is no magic wand that we can wave to instantly protect the entire infrastructure – and thus further compromise of IoT devices is almost certain.
This means we will continue to see more, and possibly larger, DDoS attacks from weaponized IoT botnets, and will likely see further evolution in this area around the use of IoT devices as proxies, as jumping off points for data-theft etc., within organisations.
Which industry verticals are more forthcoming in adopting IoT?
Manufacturing, transport and utility organisations are the early adopters of IoT as these verticals can gain significant operational benefits and improve their agility by leveraging IoT technologies.
Is security a real challenge in IoT or just a hype and why?
Security is a real challenge, especially in IoT, for a number of reasons. Firstly, many IoT devices have been deployed as appliances, without much (if any) consideration for the security implications. This can mean there are default passwords, open management interfaces, insecure services and unpatched vulnerabilities present. In some cases, the devices incorporate old or outdated operating systems and applications, where patches are either unavailable or too risky to apply (for fear of taking the device offline). Another reason is that many IoT devices have been deployed onto corporate networks without any kind of network segmentation i.e. they have access to both the Internet and other key pieces of infrastructure. If they are compromised they represent a valuable foothold for the attacker.
Lastly, if IoT devices have had their access to resources constrained by network segmentation they are, in some cases, operating on networks where there is no telemetry to indicate what is going on. We need pervasive visibility of activity across our networks so that suspicious or malicious activity can be identified wherever it occurs.
In this era of connectivity, what challenges do organisations face in terms of skill-set availability and how can they be overcome?
The IoT security situation is more of a question of applying the right people to the problem, rather than one of skill-set. In many organisations IT/Security teams have the right skill-set to manage the risks around these devices – but they haven’t been involved in their purchase, deployment or management – as the devices aren’t considered a part of IT infrastructure. Better collaboration between the teams responsible for the IoT devices, and the IT/Security teams is what is needed.