Applying tactics commonly used to secure laptops and servers is not enough for Internet of Things devices and apps.
By Bill Siwicki July 27, 2017
Security pros, take note: Don’t be lulled into thinking the same security practices you use on laptops, PCs and servers will work just as well on Internet of Things devices. They won’t.
The wild world of IoT, rather, is filled with heterogeneous devices consisting of diversified and fragmented platforms, operating systems and security protocols.
That means the base of traditional cybersecurity technologies that work for Windows machines, iOS and Android devices — antivirus, endpoint agents, event management and firewalls — are simply not geared for IoT systems.
What IoT security takes
The first and most important best practice is taking inventory of and achieving real-time visibility into every IoT device in your domain, said Xu Zou, co-founder and CEO of ZingBox, a security specialist.
“While some organizations rely on a manual inventory process – personnel physically cataloguing devices from room to room – the IoT security solution should offer a level of automation to gain this visibility,” Zou said.
Another best practice to follow is proactive assessment of vulnerabilities and risks, Zou advised.
“If you’re simply reacting to attacks, you’re already behind,” Zou said. “At any given time, you should have access to a snapshot and gauge of vulnerabilities and risk for all IoT devices, not just in response to a threat.”
Inventorying devices and understanding inherent vulnerabilities are a strong start. Hospital security teams also need to test IoT systems regularly, craft an onboarding process to ensure new devices meet your criteria, whitelisting, lay out strong password requirements, understand legal and compliance issues including HIPAA, and work with vendors to keep pace with security enhancements and patches.
Mayo Clinic director of clinical information security Kevin McDonald testified in a May FDA hearing that security basics can take about 60-70 percent of the security risk out of medical devices, IoT and otherwise, and that there is no killer app to perfect information security.
Indeed, the type of security needed to protect IoT devices needs to be architected from the onset to avoid the pitfalls of traditional approaches, Zou said.
“IoT security must be out-of-band and be able to provide the security capabilities based on analysis of the traffic traversing the IoT network,” Zou added. “Deep machine learning and device behavior analytics are some of the security technologies critical for IoT.”
What won’t work
Health IT and security decision makers appear to be off-base in their thinking when it comes to securing the Internet of Things, a new survey found.
“IoT devices use different hardware, operating systems and applications,” Zou said. “It becomes very difficult, if not impossible, to install any third-party agent on IoT devices. Hence, the endpoint security protection does not apply for IoT. Most IoT devices don’t use IT standards to send syslog to the security orchestration products, either.”
As a result, security information and event management products are blind to IoT devices. The only line of defense available is network security, Zou said. Unfortunately, existing network security products such as firewalls, IPS and NAC, all are designed to stop well-known IT malware – not new and targeted IoT attacks.
“Most existing networking security products use the so-called signature-based approach to build a malware database and rely on that database for detection,” Zou added. “Such a database of signatures cannot secure IoT devices due to their heterogeneous nature. IoT attacks, such as Mirai, are usually targeted zero-day attacks and can vary across different IoT devices. The signature based approach that performs well in the standardized IT environment is not effective in the fragmented IoT world. That’s exactly what we see in healthcare.”
The future of IoT security: AI, machine learning and cloud
While Zou pointed out that machine learning will become increasingly important, technology consultant Gartner projected that Artificial Intelligence, machine learning and cloud computing will drive considerable disruption in the market.
By 2020, Gartner predicted that at least 75 percent of security tools will comprise AI capabilities, machine learning algorithms as well as predictive and prescriptive analytics based on heuristics — all designed to augment hospital security teams.
Gartner also found that hospitals are increasingly opting for security and risk management services in the cloud as they transition to digital business.
Many of those cloud options will be focused on securing IoT apps and devices.