Defining and Securing IoT
Phil Quade, CISO at Fortinet, breaks down the many challenges surrounding the Internet-of-Things
The Internet-of-Things represents a new genus of the Internet, and enterprises and government agencies are searching for ways to better serve customers and spawn new growth. Experts predict that by 2020 there will be 4.3 Internet-connected devices for every man, woman, and child on the planet. North America is currently the most saturated market, already boasting an average of 13 connected IoT devices per household.
Each of these connected devices generates data that is pushed, pulled, collected, sorted, analysed, stored, and examined. This data, and the information being extracted from it, has become the foundation for what is being called the new Digital Economy. Revenue resulting from IoT is estimated to exceed $300bn in 2020, with a global economic impact of $1.9tn.
Sometimes it’s helpful to characterise the IoT with some more precision; I like to place IoT devices in three categories. The first, Consumer IoT, includes the connected devices we are most familiar with, such as smart phones, watches, and connected appliances and entertainment systems.
The other two, Commercial IoT and Industrial IoT, are made up of things many of us never see. Commercial IoT includes things like inventory controls, device trackers, and connected medical devices, and the Industrial IoT covers such things as connected electric meters, water flow gauges, pipeline monitors, manufacturing robots, and other types of connected industrial controls.
Increasingly, Commercial and Industrial IoT are co-habiting within local, national, and global infrastructures, creating hyperconnected environments of transportation systems, water, energy, emergency systems, and communications. Medical devices, refineries, agriculture, manufacturing floors, government agencies, and smart cities all use Commercial and Industrial IoT devices to automatically track, monitor, coordinate, and respond to events.
In addition, architects and operators often link IT (Information Technology) and OT (Operations Technology) networks together. Data collected from IoT devices that is processed and analysed in IT data centres, for example, might be used to influence real-time changes on a manufacturing floor, or deliver critical services, such as clearing traffic in a congested city in order to respond to a civil emergency.
Because of the hyperconnected nature of many systems, untrustworthy IoT behaviour could be potentially catastrophic. OT, ICS, and SCADA systems control physical systems, not just bits and bytes, where even the slightest tampering can sometimes have far-reaching - and potentially devastating - effects. Compromising things such as transportation systems, water treatment facilities, or medical infusion pumps and monitors could even lead to injury or death. The security challenges of IoT are ones of both depth and breadth.
Many IoT devices were never designed with security in mind. Their challenges include weak authentication and authorisation protocols, insecure software and firmware, poorly designed connectivity and communications, and little to no security configurability. Many are “headless,” which means that they cannot have security clients installed on them, or even be easily patched or updated.
And because IoT devices are being deployed everywhere, securing them requires visibility and control across highly distributed ecosystems. This requires organisations to tie together what is happening across IT, OT, and IoT networks, on remote devices, and across their public and private cloud networks. Integrating distinct security tools into a coherent system enables organisations to collect and correlate threat intelligence in real time, identify abnormal behaviour, and automatically orchestrate a response anywhere along an attack path.
To accomplish this, enterprises need to implement three strategic network security capabilities:
Learn – Enterprise security solutions require complete network visibility to securely authenticate and classify IoT devices. Real-time discovery and classification of devices allows the network to build risk profiles and automatically assign devices to IoT device groups along with appropriate policies.
Segment – Once armed with complete visibility and management, it is necessary to understand and control the potential IoT attack surface. Segmenting IoT devices and communications into policy-driven groups and secured network zones allows the network to automatically grant and enforce baseline privileges suitable for a specific IoT device risk profile.
Protect – Policy-driven IoT groups combined with internal network segmentation enable multi-layered monitoring, inspection, and enforcement of device policies based on activity anywhere across the distributed enterprise infrastructure. An integrated and automated security framework enables the correlation of intelligence between different network and security devices, as well as the automatic application of advanced security functions to I-IoT devices and traffic anywhere across the network, especially at access points, cross-segment network traffic locations, and in the cloud.
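The three capabilities above can be read as one pipeline. The following is an added example, not code from the article or from any Fortinet product: it classifies discovered devices, assigns each to a zone with a baseline allowlist, and flags flows outside that baseline. The fingerprint rules, zone names, MAC addresses, and flows are constructed assumptions.

```python
# Learn: constructed fingerprint rules, first match wins.
CLASSIFIERS = [
    ("plc",       lambda d: 502 in d["ports"]),   # Modbus/TCP listener
    ("ip-camera", lambda d: 554 in d["ports"]),   # RTSP listener
]

# Segment: group -> (zone, baseline allowlist of (destination zone, port)).
POLICY = {
    "plc":          ("zone-ot",         {("zone-scada", 502)}),
    "ip-camera":    ("zone-cctv",       {("zone-nvr", 554)}),
    "unclassified": ("zone-quarantine", set()),   # no privileges until classified
}

def learn(device):
    """Return the device group for a discovered device, or 'unclassified'."""
    for group, matches in CLASSIFIERS:
        if matches(device):
            return group
    return "unclassified"

def segment(device):
    """Attach the zone and baseline allowlist for the device's group."""
    group = learn(device)
    zone, allow = POLICY[group]
    return {"mac": device["mac"], "group": group, "zone": zone, "allow": allow}

def protect(assignments, flows):
    """Default-deny check: return every flow not covered by a baseline."""
    by_mac = {a["mac"]: a for a in assignments}
    alerts = []
    for src, dst_zone, port in flows:
        a = by_mac.get(src)
        if a is None:
            alerts.append((src, dst_zone, port, "unknown device"))
        elif (dst_zone, port) not in a["allow"]:
            alerts.append((src, dst_zone, port, f"outside {a['group']} baseline"))
    return alerts

# Constructed sample inventory and observed flows.
DEVICES = [{"mac": "02:00:00:00:00:01", "ports": {502}},
           {"mac": "02:00:00:00:00:02", "ports": {80, 554}},
           {"mac": "02:00:00:00:00:03", "ports": {23}}]
FLOWS = [("02:00:00:00:00:01", "zone-scada", 502),   # PLC on its baseline
         ("02:00:00:00:00:02", "zone-ot", 502),      # camera speaking Modbus to OT
         ("02:00:00:00:00:03", "zone-nvr", 554),     # quarantined device
         ("02:00:00:00:00:09", "zone-scada", 502)]   # never discovered

if __name__ == "__main__":
    for alert in protect([segment(d) for d in DEVICES], FLOWS):
        print(alert)
```

Only the first flow passes; the camera reaching into the OT zone, the quarantined device, and the undiscovered MAC are each reported with a reason.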
Finally, IoT cannot be treated as an isolated or independent component of your business. IoT devices and data interact across and with your extended network, including endpoint devices, cloud, traditional and virtual IT, and OT. Isolated IoT security strategies increase overhead and reduce broad visibility. To adequately protect IoT, organisations require an integrated and automated security architecture.
The Fortinet Security Fabric is designed to do just that. It spans the entire networked ecosystem, expands and ensures resilience, and secures distributed compute resources - including routing and WAN optimisation. This ensures that you are securely connecting known IoT devices with associated risk profiles to appropriate network segments or cloud environments, and then enables the effective monitoring of legitimate traffic, the checking of authentication and credentials, and the imposition of access management across the distributed environment.
Fortinet is also actively driving the development of IoT security. We already hold dozens of issued and pending IoT security patents to complement our industry-leading patent portfolio. Our commitment to innovation helps ensure that we will continually deliver the most advanced security solutions to defend against the evolving threat landscape threatening the success of our emerging digital economy.