The IoT delivers compelling economic and social benefits. It presents great opportunities for the private sector and federal agencies but the scale of security and operational challenges is a big impediment for adoption. A recent report from the US Government Accountability Office (GAO), issued in May 2017 confirms the numerous IoT security gaps that need to be addressed. The report highlights a key challenge is the lack of consideration for security when designing IoT devices. Without standards and a strong security foundation for the IoT devices, the challenge becomes a safety issue and demands attention from Government bodies.
With the adoption of IoT comes the significant increase in the attack surface. But while the threats may seem innumerable, infinitely varied and ever-changing; the reality is they aren’t. We don’t have sizeable threat analysis data for the IoT yet, but we do have extensive threat analysis from the Verizon DBIRs (Data Breach Incident Reports), spanning over the last 10 years. While the motivation and impact of breaches may differ in the case of IoT, the type of exploits are similar to what we know in the current IT landscape.
According to these DBIR reports:
Evaluating the above DBIR threat analysis data, a suitable solution can be implemented for much of the breaches if Government involvement addresses the problems with well-known weak identities and vulnerabilities by enforcing appropriate standards. According to these reports and other experts, 85% of the threats could have been avoided if IT had taken the basic steps to address the identities and vulnerabilities.
IoT presents a new challenge for device identity given the large number of connected devices and its anticipated exponential growth. This exacerbates the problem further and creates a key barrier for IoT adoption.
It’s impossible to apply all the manual security operational tasks in use today for IoT use cases, making the human errors and operational challenges larger problems for IoT adoption and national security. Lack of interoperability and standards are making this a national crisis.
Till now, security has always been treated as an afterthought: layers of security, credentials are established with mostly manual methods. In the case of IoT, the weakest link in the chain is the device. There are no well-established standards or processes for device identities. While we have traditional PKI standards based technologies for device identity, there is no clear device identity model established and operationalized since the internet became mainstream.
While there is significant investment and development to address the security issues, since the accountability of the breaches is not propagated across the eco-system, much of these technologies are still treated as an afterthought. The focus is reactive in the areas of detect, respond and threat analytics, not in the foundational ‘prevent and protect’ technologies.
Take the recent Dyn attack example, neither the seller nor the buyer of the devices cares about fixing the weak credential problem. The owners of these devices don’t care. Like pollution, the only solution is to regulate. The Government could impose minimum security standards across the ecosystem with liability ownership to include the device manufacturers and software vendors so that companies like Dyn can prosecute them if any of these parties are responsible for DDoS attacks.
Without Government involvement and standards, the investments go in the patch work, and don’t solve the foundational issues mentioned above.
The safety and scale issues of IoT are now forcing the industry to design and implement security automation at the beginning. Without the operational automation, IoT adoption, economics and security posture would suffer.
KeyScaler uses extensively patented technologies to solve the trust foundation for the IoT ecosystem. These technologies deliver unique device identity, authentication, integrity and data privacy models required for IoT applications.
The KeyScaler™ platform employs agent at the device level with a unique patented trust anchor and a server interface to the IoT platform and applications. The agent footprint architecture accommodates from small sensors to smart Gateways.
With the trust anchor at the device, KeyScaler delivers:
Find out more in our KeyScaler download or visit our KeyScaler page.
You can also sign up to our next webinar, or meet us at upcoming events.
Please wait while you are redirected to the right page...