- IoT and IIoT networks growing like wildfire
- But existing security methods are often unable to protect them fully
- Device security lags a long way behind the pace of mass deployment
- Rationalised standards regime needed
The Internet of Things (IoT) is useful, popular and proliferating, with tens of billions of devices and sensors already online around the world and billions more yet to be sited and networked. The forecast is that at least 30 billion will be deployed by 2030. However, the runaway rate of adoption is not unalloyed good news. The sheer speed of IoT uptake and deployment has left security lagging far behind, leaving both devices and networks open to potential, and probably inevitable, hacking and compromise. A devastating major incident (or incidents) may be just a matter of time.
A new survey and report from Portland, Oregon-headquartered Tripwire, a company specialising in security and compliance automation, reveals that 99 per cent of the 312 respondents, all of them professionals with direct responsibility for device and network security in their respective organisations, are having considerable difficulty securing their IoT and IIoT (Industrial Internet of Things) networks because of design-level issues. Additionally, 75 per cent reported that IoT devices are highly problematic when it comes to fitting them into their current security systems and programmes. Furthermore, 95 per cent of respondents said they are worried about their organisation's security stance, plans and systems, with 42 per cent being "very concerned." They represented companies and corporations across the US and Europe with between 100 and over 5,000 staff.
The nub of the problem is that, for reasons including the pressure on sensor and device manufacturers to churn out millions of both new and established products as quickly and cheaply as possible, device security has been relegated to secondary status in the rush to keep the customer satisfied. Indeed, 78 per cent of respondents to the Tripwire survey said new devices required a "different approach" to that specified in their company's security plans and regimes. What's more (and more worrying) is that 88 per cent said they needed the help of agents and specialists outside the company to ensure security compliance. A mere 12 per cent claimed their in-house security team has the skills needed to achieve full IoT security. There is also a marked lack of awareness that, while IoT sensors can be small and insignificant in comparison with the size and complexity of a big, long-established comms network, once compromised through inadequate security protection they offer a quick, easy and hard-to-detect way into the guts of a network and the data it contains.
Commenting on the publication of the new report, Tim Erlin, VP of product management and strategy at Tripwire, said: "The industrial sector is facing a new set of challenges when it comes to securing a converged IT-OT environment. In the past, cybersecurity was focused on IT assets like servers and workstations, but the increased connectivity of systems requires that industrial security professionals expand their understanding of what's in their environment. You can't protect what you don't know."
The current mish-mash of security standards needs addressing and rationalising
The report also shows most organisations are cognisant of, and are applying, one version or other of a recognised security standard. There are several. One is the MITRE ATT&CK framework (for a welcome change, MITRE is the name of a not-for-profit organisation, not an acronym); others include the frameworks from NIST (the US National Institute of Standards and Technology), the ISO (International Organization for Standardization) security standards, PCI DSS from the PCI Security Standards Council and the standards that safeguard industrial control systems (ICS). Last but by no means least come the CIS Controls and Benchmarks from the Center for Internet Security, a recognised global set of best practices for securing IT systems and data against attacks. The majority of respondents to the Tripwire survey, which was conducted late last month, said they would like to see standards enhanced and expanded to better cover both industrial and corporate IoT systems and networks. They also want consumer device security to be improved.
However, given the plethora of standards regimes, there is a growing movement in the US for the federal government to intervene and impose security requirements based on those defined by the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce. NIST has already published its Cybersecurity Framework, a set of guidelines that private sector companies may follow "to be better prepared in identifying, detecting, and responding to cyber-attacks." Unfortunately, the Tripwire report shows that compliance reporting is a discipline more honoured in the breach than in the observance. In other words, many companies don't or can't do it regularly, or even at all. No wonder corporate security units are worried.
There are also major concerns about the security of the IoT supply chain, with 87 per cent of respondents to the Tripwire survey saying they are worried about it, while 70 per cent believe that regulators and government agencies should provide, and constantly reinforce, consistent guidelines on the best way forward for connected devices. At the same time, 61 per cent said they don't know when vendors make changes to the supply chain until the change has already happened and it's too late to do anything about it. To pop the sour cherry on top of this unpalatable sundae, 87 per cent profess themselves extremely worried about the supply chain security risks that have arisen from existing but inconsistent and incomplete IoT and IIoT security guidelines. It's an accident waiting to happen.