RSA Conference 2016, the world’s leading information security conference and exposition, kicked off its annual show today at San Francisco’s Moscone Center. In its 25th year, the conference brings together the top information security professionals and business leaders to discuss emerging cybersecurity trends and formulate the best strategies for tackling current and future threats.
According to Britta Glade of the RSA Conference, during the course of this year’s review process they collectively looked at the "forest" of the submissions together and found that the Internet of Things was the #1 trend that stood out.
Last year they saw a huge uptick in IoT submissions, but this year it moved front and center. She noted “While last year’s submissions tended to be "observational," this year we seem to have moved into the "solutioning" phase of the maturity curve, evidenced by a slew of new submitting companies—organizations that directly service end consumers and haven’t traditionally participated in our call-for-speaker process.”
Building on top of IoT, conference organizers also saw increased submissions on Industrial Control Systems and the Industrial Internet of Things. In the past, sessions focused on these topics just didn’t gain attention. But one year makes a difference: many of the "things" coming alive and online, such as robots, sensors and building automation, are still based on old security protocols and approaches, and breaches here have the very real potential to trigger large-scale disasters.
Late last year when I posted 50 Predictions for the Internet of Things in 2016, security dominated. With the RSA Conference starting today, here’s a recap of some of those IoT security predictions.
“The maturation of the IoT will cause entirely new business models to emerge, just as the Internet did. We will see people turning to connected devices to sell things, including items that are currently "too small" to sell, thus creating a renewed interest in micropayments and alternate currencies. Street performers, for example, might find they are more successful if a passerby had the convenience of waving a key fob at their "donate here" sign. The IoT will complicate all aspects of security and privacy, causing even more organizations to outsource those functions to professional providers of security and privacy services.”
“Attacks on connected cars, connected medical devices, and connected critical infrastructure have all hit the headlines in the recent past; and this is just the tip of the iceberg. The Internet of Things is proving to be a treasure trove for hackers. When developing networked devices, manufacturers are still placing more value on features than on security. "Security by design" must become an integral factor in development so that innovations win over increasingly security-conscious users. Additionally, the relevance of Cyber Threat Intelligence (CTI), as a part of a proactive information security program, will become essential for information security. In response to increasingly dynamic threat situations, it is critical for organizations to be able to identify evolving methods and emerging technology trends used by the cybercriminal, and then to continually assess their capability in this regard. Because many organizations don't have access to internal specialists, they will need to turn to external experts from the CTI sector. Effective cyber security will require knowledge and understanding of the capabilities and intent of threat actors. Who are they? What do they want? What can they do? Organizations will define threat more specifically (i.e. less reliance on vague terms like "vulnerabilities"). We will see an emphasis on threat actors with means, motive, and opportunity being tracked. Understanding motive will become crucial for prioritizing resources.”
“Surge in connected devices will flood the network – the increasing volume of data and need for bandwidth for a growing number of IoT connected devices such as healthcare devices, security systems and appliances will drive traditional networks to the breaking point. Mesh topologies and Fabric-based technologies will quickly become adopted as cost-effective solutions that can accommodate the need for constant changes in network traffic.”
“Prediction: PKI becomes ubiquitous security technology within the Internet of Things (IoT) market. It's hard to think of a consumer device that isn't connected to the Internet these days - from our baby monitors to our refrigerators to our fitness devices. With the increase of connected devices of course comes risk of exposing privacy and consumer data. But, what happens when industrial devices and critical infrastructure connect to the Internet and get hacked? The results can be catastrophic. Security and safety are real concerns for the Internet of Things (IoT) and especially in the Industrial Internet of Things (IIoT). Regarding security, the industrial world has been a bit of a laggard, but now equipment manufacturers are looking to build security in right at the design and development stages. Unless the security challenges of IIoT can be managed, the exciting progress that has been made in this area of connected devices will slow down dramatically. PKI has been identified as a key security technology in the IIoT space by the analyst community and organizations supporting the IIoT security standards. In 2016, we expect that PKI will become ubiquitous security technology within the IoT market. There will be an increased interest in PKI, how it plays in the IoT market and how it needs to advance and scale to meet the demands of billions of devices managed in the field.”
“Chip to cloud (or device to cloud) security protection will be the new normal. As business technology advances, the security data chain continues to grow, presenting an increasing number of opportunities for hackers to break in. With most data chains now spanning the full spectrum of chip, device, network and cloud (plus all stages in between), many organizations are starting to realize a piecemeal approach to protection simply isn't effective. This realization is spurring the adoption of more 'chip to cloud' security strategies, starting at the silicon level and running right through to cloud security. In this model, all objects with online capabilities are secured the moment they come online, meaning their identity is authenticated immediately. In doing so, it eliminates any window hackers have to hijack the identity of unsecured objects, thus compromising the entire data chain via a single entry point.”
Thorsten Held, Co-Founder and Managing Partner, whiteCryption Corp.
“Ransomware, a means whereby a hacker takes over a device and demands a ransom to remove the restrictions, will creep into biomedical devices in 2016. To thwart life-threatening consequences, medical device manufacturers will be looking for diverse ways to address these types of security flaws using more stringent, agile security solutions against the malware threats.”
“Security regulation will make a meaningful impact for medical and other IoT devices: Regulatory requirements have generally been viewed as helping to drive organizations to meet minimum security standards. However, the overall security effectiveness or impact of regulatory requirements has been nominal. We can expect to see a much more meaningful advancement in the rigor of security requirements laid down by the regulators in 2016. This is partly due to accelerated advancements in public-private threat intel-sharing, and the regulators' acknowledgement of the need to seek out cutting-edge threat data and security best practices from the organizations that are on the front lines of defending against them. For example, in IoT, the FDA is making significant improvements in beefing up minimum security requirements for medical devices, which could otherwise pose grave safety risks to people, care providers, and medical device manufacturers that depend on their trusted operation. Since the vertical markets are so intimately interconnected, we will also see more teeth behind enforcement of security requirements.”
“While facing the major transformation of our daily lives because of IoT, we are not completely ready to face related security issues. Since IoT networks will significantly grow in 2016, privacy and security issues related to web-enabled devices will mirror this change. For example, in August of 2015 hackers remotely seized control of over a million Chrysler automobiles, showing the ability to take full control of the cars – activating the windshield wipers, turning the radio and air conditioning on or disengaging the car’s transmission. To start tackling increasing online security threats, there are simple security measures that every Internet user should learn about, one of them being VPN (Virtual Private Network). VPNs will be increasingly popular in 2016 as security and privacy issues online will become more prominent, encouraging people to start encrypting their devices' online data, securing transfer of sensitive data, etc. NordVPN, one of the most advanced VPN service providers on the market, offers 256-bit AES encryption, is available on 6 devices on one account and has a zero log policy.”
"The Blockchain has the ability to transform business similar to the Internet. With IoT, a major issue inhibiting its growth is how to manage the vast amount of data that will be stored around it. I think the answer to this is by leveraging distributed system technologies such as permissioned-server networks (Private Blockchains) or maybe even utilizing the Bitcoin Blockchain. A key aspect of this is inter-corporate collaboration between the networks of big data companies. This is crucial because the larger a single datacenter (one company) becomes, the harder it is to manage & secure. To do so efficiently it would involve (in some cases) competitors working together. This not only facilitates the management of this data, but secures it more effectively through distributed storage encryption. The companies willing to collaborate will succeed, while those overly competitive to control the space will inevitably fail long-term and short-term are impeding industry growth.”
"IoT device makers are realizing that they need to secure IoT devices to protect their reputations and customers. In 2016, IoT device manufacturers will pivot from asking 'why is security needed' to asking 'how do I implement security.' They will look to control data access and protect data at-rest, in-motion and in-process using a combination of software and hardware security measures."
More thoughts on IoT security can be found in our post here.