Insights from the Symposium for Securing the IoT
We were fortunate to be able to participate and present at the inaugural Symposium for Securing the IoT in San Francisco. The Symposium brought together some of the leading vendors in the IoT security field, experts and representatives of industry giants such as Cisco, Intel and Symantec, all with a stake in the fast-evolving field of IoT security.
What have we learned?
General awareness of IoT-related threats is still lacking
One theme that resurfaced in all the talks and all the conversations we had throughout the event is the general public’s lack of awareness of the imminent risks resulting from a lack of IoT security systems.
Sure, people have heard of the Mirai botnet and are aware that their smart TV could be eavesdropping on them, but most disregard these as comical (“will my toaster attack me?”) or incidental (“so my connected device participates in a botnet, so what?”). Sadly, it seems another massive attack is required to really make it into the public’s awareness, similar to the way the large ransomware attacks of 2017 made the public aware of how lax security measures were in specific sectors (such as healthcare). Most of the participants agreed that we as an industry need to do more to educate and share our knowledge, especially as we see these attacks on a daily basis and are aware of the damaging impact they can have on security, privacy and safety.
IoT security means different things to different people
Even among the subject matter experts gathered for the Symposium, there were several notions of what IoT is (for example, should we regard smartphones as IoT devices? Should we do the same for smart payment cards?) and what IoT security really is.
It seems generally accepted that basic security measures should be adopted from more traditional IT security: use of robust passwords, authentication and encryption. The next layer of security is less trivial: should it include visibility of devices on the corporate network, monitoring of IoT devices’ behavior, or monitoring and mitigating processes running on the devices themselves? There are several notions, depending on the focus of the solution provider, whether it focuses on the smart home market, Industrial IoT, Enterprise IoT or out-of-perimeter IoT.
What is clear is that there is room for various solutions according to the IoT deployment type, and that no “one type of solution fits all” attitude will be applicable. Organizations adopting IoT security systems should verify that these actually fit their needs: an enterprise IoT solution isn’t adequate for securing “outside the perimeter” IoT.
Regulation and standardization
Several attempts have been made to offer industry-wide recommendations, most notably by US NIST. IoT security organizations try to promote best practices and guide customers looking to implement IoT security solutions. But, to date, there is no “gold standard”, and customers are left to rely on consultants for implementing security controls. This is not likely to change anytime soon, hence the importance of the next item on the list: showcasing how solutions operate in the real world, and sharing insights and best practices.
There are not enough real-life success stories being told
Decision makers and IT security experts (the people in charge of deploying and operating security solutions) lack examples of how IoT security solutions are implemented: how to overcome deployment and operation challenges, and what the tangible benefits of such solutions are. This being the case, publishing real case studies where such solutions have been deployed would be extremely helpful for decision makers (the people signing the cheques) and IT security people (the ones who have to operate these solutions on a daily basis). We at SecuriThings have done our bit and presented one such case study, which we’ll make public very soon. The feedback we’ve received from the audience was positive, which goes to show that even in the professional community there aren’t enough examples of such deployments and the insights resulting from them.
There will be no “silver-bullet” solution for solving IoT security challenges
IoT is a big, fragmented market. We identify at least 4 different solution types (home, industrial, enterprise and out-of-perimeter IoT), and it’s likely that the future will present additional use cases requiring additional solution types. This resembles the process that occurred with cloud security, now an established security category with multiple sub-categories (CASB, encryption, GRC and others). We hope that the adoption of IoT security will emulate that of cloud security solutions in terms of general understanding of the need and the rapid adoption that follows.
Summary
The thing that stood out most is the sense of urgency among all participants. We all realize that IoT security solutions are needed NOW and that the wider public needs to understand this and act quickly to prevent future attacks.
It was a terrific event, bringing together industry experts and discussing the challenges we’re facing. This is an important first in educating the broader public and we are proud to have taken part in this effort, and we will continue to do so in the future.
I would like to thank Don Malloy and the team for pulling off such a successful event.
Environmental Engineering; CyberSecurity; Program Management; Healthcare; Critical Infrastructure; Climate Restoration
Yes, kudos to Don for creating the event and assembling the participants. Our panel on Network-Connected Medical Devices stimulated a lot of good discussion. Couldn't agree more about how much more work needs to be done in the general community to raise awareness.
Cyber security & Financial Professional at Prudential
Great comments and thoughts. I believe case studies play an important role in demonstrating the way solutions work in particular situations and will incorporate this into the next Symposium in the fall. Thanks for being an integral part of the Symposium on Securing the IoT.
Director and CEO driving business growth and transformation
I was just reading about IoT the other day on LinkedIn, though they had the opposite opinion! Great to get both sides.
“The Three-Eyed Raven of Broadband and Wireless” -- Telecom Polymath
The key to public awareness is to make the message very easy to digest. Thanks to the USGS approach, most Californians know to "Drop, Cover, and Hold" in the event of an earthquake. We don't talk about the nuances of conserving electricity, we simply ask that you "Flex Your Power". And during the drought we learned "Brown Is The New Green" rather than discuss reducing the amounts of water used to irrigate lawns. The IoT/cybersecurity community needs a similar message to the general public.