By Larry LeBlanc
Well, it has been quite a year, hasn’t it? On the cybersecurity front, everyone is worried about malicious actors tampering with election data – but it seems they were more focused (or at least successful) in conducting ransomware attacks on hospitals.
On the IoT front we saw the disclosure of significant vulnerabilities, such as Ripple20 in June and Amnesia-33 in December, that expose the TCP/IP stacks used in millions of IoT devices. With TCP/IP serving as the arterial system of the IoT, carrying the data which is its lifeblood, these vulnerabilities again demonstrate why all organizations need a plan to rapidly perform firmware updates on their IoT devices if they want to “stop the bleeding,” from these types of vulnerabilities.
So, what might the new year bring in terms of IoT security? I can’t say my crystal ball is crystal clear, but here are three predictions I am willing to make about IoT security developments in 2021.
Security as a Service Rapidly Expands into the IoT Market
Companies are increasingly seeking to outsource their on-premises, cloud, and other cybersecurity needs, as the recent success of FireEye and other Security as a Service (SECaaS) providers demonstrates. These SECaaS providers combine deep levels of cybersecurity expertise, easy to deploy SaaS security solutions and economies of scale to deliver companies robust security at a lower cost than in-house alternatives.
Now, SECaaS providers are expanding into the IoT market – and I expect this expansion to pick up steam in 2021. The millions of IoT devices that companies have deployed around the world represent a massive target for cybercriminals – and companies’ lack of IoT security expertise often make these devices easy for criminals to hack. Rather than become experts in IoT security themselves, I expect companies to increasingly partner with SECaaS providers who can help them protect their IoT data from malicious actors.
However, one question regarding this emerging IoT SECaaS market is, who will dominate it? Will it be established SECaaS providers extending their existing application to the IoT, providing companies with a comprehensive solution to their security needs? Or start-ups with SECaaS applications specifically designed to protect IoT data who be the leaders in this market? On this question, only time will tell.
Companies Will Demand That IoT Solution Providers Establish Their Security Bona Fides
While more companies outsource IoT security to SECaaS providers, they will also now start demanding (if they have not already) that their IoT device, connectivity, cloud and other providers not just talk about being committed to making their solutions secure, but prove it.
Specifically, they will only work with IoT solution providers that have a deep understanding of IoT security issues, have integrated robust security capabilities into products, and are working to constantly update these products’ security capabilities.
By only partnering with IoT solution providers committed to security, these companies will position themselves to deploy an IoT security plan that provides them with defense in depth, enabling them to avoid having a chink in their IoT security armor result in a data breach or loss.
Expect more companies to demand that IoT solution vendors back up their security commitment promises with clear answers to questions like:
- Can show how you are committed to transparency and responsiveness when dealing with security vulnerability reports?
- Have you taken responsibility for vulnerability disclosure by becoming a CVE Numbering Authority (CNA) for your products?
- What plans do you have to provide timely IoT device security updates, and how will you help me deploy these updates?
IoT hacks have taught companies that they must approach security as a critical requirement for their IoT deployments. After all, if they fail to partner with IoT solution providers who are not committed to security, they risk leaving not just their IoT applications, but their entire IT environment, open to attacks from sophisticated cybercriminals.
A Return to IoT Security Basics
Last year, many predicted that companies would deploy new AI-enabled threat intelligence and other leading-edge security technologies to protect themselves from attacks.
However, while these new technologies do hold promise, most of the IoT hacks that took place over the past year resulted from companies simply not following basic IoT security best practices. Back in 2018 the Open Web Application Security Project (OWASP) identified the top ten most impactful IoT security vulnerabilities, and the one that led the list was weak, guessable or hardcoded passwords. Following close behind in fourth was a lack of secure update mechanisms, which can lead to devices running on old, vulnerable firmware even when new, secure updates are available.
I wish I could say that things have changed over the past two years, but I expect when the OWASP next updates this list, you will see the same security vulnerabilities on it. When it comes to protecting your IoT data, you don’t need AI to create strong passwords, update your device firmware, or activate and use your IoT devices’ built-in firewalls – you just need to make sure you are following basic IoT security best practices.
Not only does implementing these basic best practices make IoT applications more secure, but they can reveal opportunities to reduce operational costs. For example, a company that ensures it is updating its devices’ firmware is likely to quickly discover that over-the-air firmware updates make it easy for them to protect their IoT devices from new attacks, allowing them to eliminate expensive trips by technicians to manually update IoT devices with security and other upgrades.
Perhaps I am being too optimistic, but I believe that, having seen over the past year that basic IoT security best practices can address high-profile vulnerabilities like Ripple20 and Amnesia-33, in 2021 companies will make sure they have fully implemented these best practices – and only then look for other technologies to address rarer, more sophisticated attacks.
Originally posted HERE.