Security for IoT is emerging but fragmented

  • Global standards specific to IoT security don't yet exist, but will emerge as the technology matures.

  • For now, current measures like PKI and FIDO methodologies can help protect IoT devices and networks from cybercriminals.

The Internet of Things (IoT) market is exploding and expected to easily reach an installed population of more than 30 billion devices by 2020, according to International Data Corporation (IDC). When these units are deployed and connected to networks, each will become a point of access that potentially can be vulnerable to exploitation.

According to the AT&T 2015 State of IoT Security survey, 90 percent of organizations “lack full confidence” in their IoT security. AT&T network scans also recorded a 458 percent increase in vulnerability scans of IoT devices from 2013 to 2015. These two factors could be taken as an indication that cyberthieves see IoT devices as unsecured.

Although IoT security systems are currently being developed, there are no existing standards specific to IoT. The absence of standards is to be expected during a period of fast growth, but it means that IoT developers are on their own. Some are working proactively to include security within their systems. But while their efforts are commendable, those efforts are not likely to be comprehensive, and the measures developed probably won’t be useful across other systems. At the other extreme, some developers are eschewing security altogether and making quick deployment their top priority. Their systems are likely to become dangerous open points of access that can be used to penetrate other systems.

Implementing security now

Even with a lack of global standards, there are methods available that can offer some IoT security. The use of Public Key Infrastructure (PKI), for example, is one way to authenticate devices. This platform, which is used successfully in chipped credit cards, effectively creates a highly secure hardware device that can’t be cloned or duplicated. The standard developed by the Fast Identity Online (FIDO) Alliance, backed by a number of key industry players, is a variation of PKI designed for low-power operations, making it viable for small IoT devices that operate on minimal power. While neither option has been globally adopted, they do provide valid options that can be implemented now.

As you consider how to protect your IoT deployment, AT&T suggests focusing on these four areas:

  • Assess your risk. Understand what devices connect to what networks, and what is at stake.
  • Take actions to protect both information and connected devices. Determine what information is at risk and how devices may be vulnerable.
  • Align IoT strategy and security. Combine technology with business policies and protect them both.
  • Identify legal and regulatory issues. IoT is new ground in terms of the law and government regulations, and you should understand how that could affect your strategy.

While fully sanctioned and vetted IoT security systems are yet to become available, there are ways to help safeguard your deployments. Focus on existing security issues so that you are better prepared when new ones come to light.

For an in-depth examination of IoT security issues, download “The CEO’s Guide to Securing the Internet of Things,” the second edition of AT&T Cybersecurity Insights.

Scott Koegler is a technology journalist who specializes in the intersection of business and technology. AT&T has sponsored this blog post. All opinions are his own.
