Why generic solutions are no longer relevant for IoT security
The world we live in is rapidly becoming more and more connected, on every thinkable level. From home devices, through wearables and all the way to medical solutions. This, of course, is the Digital Revolution, enabling consumers, businesses and industries to make better, more informed, real-time decisions to provide the best experience to the end user. This goes hand in hand with the growing ease of doing business and seamless engagement.
This revolution is creating a brave new world for us, providing endless new possibilities for the human race.
There is, however, a downside, which is now becoming more and more apparent. This era of device connectivity means that devices which were once low-tech and harmless, are now connected to the web and consequently open to potential cyber-attacks. The picture is gloomier still, since the lack of focus on security for these devices makes them 'easy prey' for cyber attackers.
As the world begins to wake up to this huge risk factor, the challenge of actually securing these devices remains open. There are many factors making the security task a serious challenge, including: the multitude of different devices being introduced to the market, their different technological attributes and characteristics, unique purposes, unique implemented environments, unique HW, unique third-party software libraries, unique SDKs and open-source parts.
All of these factors make it almost impossible to apply a generic, scalable solution to this IT security challenge. This is also the reason why the standard 'generic' IT security solutions of today have very limited effect on properly securing these new IoT devices.
To make things even more interesting, any given IoT device usually has multiple players in the value chain contributing to its creation, design, assembly and distribution, such that the question of who 'owns' device security and at what stage it needs to be introduced, is very hard to answer.
Even where the issue of 'ownership' is resolved, it is always the case more than one player is involved in device creation, and this very fact introduces visibility issues into what security the assembled device actually has.
And there is yet another challenge in how much security is required in order to obtain the right level needed for the device and market segment. The lack of any one standard to aspire to means the stakeholders in the value chain do not know where to look for actionable guidance.
Of course there are already dozens of different regulatory bodies, alliances and bills which discuss different standards, but this is all high-level and very generic, with no real, actionable call-outs; or in some cases it is too specific, covering only sub-segments and particular verticals of the market, so cannot be leveraged on a wide scale. It is too much to expect the players in the ecosystem to make sense of all this and build a strategy around what is currently being offered.
These inbuilt challenges make it very hard to address the risk with a scalable, industry-wide standard. As a result, the first stakeholders to pay the price are the end users.
As things stand, the current 'price' may still be manageable; in the meantime, specific incidents like the Mirai attack are seen as isolated incidents and not a widespread phenomenon. At VDOO, we would argue that the key word here is yet. In our experience, what we are actually witnessing is a 'dry-run' for the attackers, to check that their toolkit is equipped and ready to launch massive attacks in the near future.
Based on historical patterns of the growth of cyber-crime into new spaces, we estimate that within the next 18-24 months we will be seeing widespread security breaches of IoT devices. Moreover, we believe that this will manifest itself through a high volume of IoT ransomware campaigns which is a very common modus operandi for cyber attackers in the traditional IoT space, with fantastic ROI. For them, the picture is even rosier due to the minimal investment required for a successful attack.
It is our belief that IoT device makers are those best positioned to lead this effort and 'bake' security into the device from conception. Since their main focus is on time-to-market, functionality and cost, recruiting such players to take action would mean that the proposed solutions would need to have minimal impact on business, be balanced and with limited investment on their part.
Such solutions would ideally be device-specific, taking into account device type and market segment, in order to best address its unique threat landscape. In order to reach this level of precision, one would need to first assess the security attributes of the assembled device and its recommended security posture, so as to identify the security gaps, as well as how these gaps can be bridged by making use of an array of potential third parties who provide services such as open source code, configuration changes or other mitigations. VDOO provides this entire process, including certification at the end of it, which attests that security has been adequately considered for each device.
To summarize: we are on the brink of a connected brave new world with limitless growth possibilities. The only thing standing in the way of the markets rushing forth into this exciting arena is trust, which stands to be breached through the lack of security employed by the pawns of this revolution. If we do not address this issue head-on and right now, we will find ourselves holding progress back.
Share this post