Cybersecurity experts scramble to stay a step ahead of hackers looking to exploit weaknesses in millions of internet of things devices worldwide. But maybe they’re focusing on the wrong problem.
IoT devices permeate virtually every aspect of business today, and are making rapid inroads into the consumer sector as well. Each sensor that links to the internet creates another potential vulnerability for its user. So it’s no surprise that the current state of IoT security “is probably not very good,” as Gary Kinghorn, managing director with Tempered Networks, describes it.
When a casino’s database of high rollers is hacked through a “smart” fish tank thermometer, it’s clear that the burgeoning IoT universe has a serious problem. The technology’s state of vulnerability “is almost to the point of absurdity,” says Kinghorn.
Companies seeking to shore up their information systems have focused on the devices themselves, in particular the need for strong passwords that are supposed to protect them from cyber thieves. Government, too, has sought to reinforce IoT devices through measures such as the recently passed Cybersecurity Improvement Act. But Kinghorn believes that’s not the entire answer — or even the right question.
Every IoT-connected device has an IP address that makes it a tempting target for hackers. Yet transmitters simply aren’t as “smart” as that trendy adjective might suggest. “They’re very simple devices,” says Kinghorn. “They’re never going to be sophisticated enough to analyze a legitimate network connection or data request.”
Instead, users should be focusing on what Kinghorn calls “the real hole” in security: the network itself. The key is to make sure that attack vectors aren’t available to hackers. And to do that, systems need to adopt a “zero-trust” model for authorizing entry.
The term means that “you don’t trust anything that’s trying to attach to your network, even apps or devices of your own internal users, unless they’re specifically authorized,” Kinghorn explains. Think of a “white list” that protects a phone line from scammers, telemarketers and robocalls by blocking all but previously designated numbers.
A zero-trust environment ensures that “all traffic moves through the network encrypted, so there are no interceptions or man-in-the-middle attacks,” Kinghorn says. The organization’s security policy is managed around the up-front identification of devices and users, rather than counting on the reliability of IoT sensors.
Such a system restricts access to the network by even the most trusted devices. In the case of the hacked casino, Kinghorn asks, why was that fish tank thermometer tied to the customer database in the first place? “It should only be allowed to access one system — the one that talks about the temperature of the tank.”
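As an added illustration (not code from Tempered Networks or the original article), the following Python example applies the default-deny rule described above to a handful of constructed flows. The device identities, service names and ports are assumptions chosen to mirror the fish tank scenario.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_identity: Optional[str]  # verified device/user identity; None if unauthenticated
    dst_service: str
    dst_port: int
    encrypted: bool

# Constructed allow-list: each identity may reach only the listed (service, port) pairs.
ALLOW = {
    "tank-thermometer-01": {("tank-monitor", 8883)},
    "crm-app-server": {("customer-db", 5432)},
}

def evaluate(flow, allow=ALLOW):
    """Return (permitted, reason). Anything not explicitly authorized is denied."""
    if flow.src_identity is None:
        return False, "unauthenticated source"
    if flow.src_identity not in allow:
        return False, "identity not on allow-list"
    if not flow.encrypted:
        return False, "unencrypted traffic"
    if (flow.dst_service, flow.dst_port) not in allow[flow.src_identity]:
        return False, "destination not authorized for this identity"
    return True, "explicitly authorized"

def audit(flows, allow=ALLOW):
    """Return the denied flows with their reasons, for alerting or review."""
    denied = []
    for f in flows:
        ok, reason = evaluate(f, allow)
        if not ok:
            denied.append((f, reason))
    return denied

# Constructed sample traffic, not captured from any real network.
SAMPLE_FLOWS = [
    Flow("tank-thermometer-01", "tank-monitor", 8883, True),   # its one permitted system
    Flow("tank-thermometer-01", "customer-db", 5432, True),    # the casino scenario
    Flow("tank-thermometer-01", "tank-monitor", 8883, False),  # right target, cleartext
    Flow(None, "customer-db", 5432, True),                     # no verified identity
    Flow("crm-app-server", "customer-db", 5432, True),
    Flow("lobby-camera-07", "tank-monitor", 8883, True),       # device never enrolled
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src_identity} -> {flow.dst_service}:{flow.dst_port} ({reason})")
```

The thermometer's request to the customer database is refused even though the device itself is known and its traffic is encrypted, which is the point of the casino example.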
Zero trust makes it possible for systems to wall off individual sensors from the larger network. So why haven’t more private and public users embraced the concept, even as security breaches continue to mount?
Kinghorn finds some answers in the Zero Trust Adoption Report by Cybersecurity Insiders. It finds a high level of enthusiasm over the zero-trust model, with 78% of surveyed I.T. security teams expressing interest in implementing zero-trust network access in the future. They’re responding to a need to tighten system security at a time when companies are turning to the public cloud and attempting to securely manage mobile workforces.
At the same time, 47% of the sample said they lack confidence in their current security technology’s ability to implement zero trust. Only 15% already have such a system in place, and around 20% haven’t given much thought to the technology at all.
Cost is a limiting factor, Kinghorn says. Zero trust can be expensive to achieve, with the need to “rip and replace” some I.T. systems, and in its current form it doesn’t always extend to applications outside the data center.
“That’s our focus,” says Kinghorn, “to be able to apply zero trust to any network or device, through a combination of a typical software agent and hardwired gateway devices.”
When it comes to technology upgrades, change is seldom easy. I.T. security teams might deem themselves comfortable with traditional firewalls and virtual private networks (VPNs), or worry about the hassle of requiring multi-factor authentication. But zero trust can be set up with a single sign-on, and agents can be installed in a matter of minutes, Kinghorn claims. “It’s not onerously costly,” he says, “although some organizations might make it so.”
He sees interest in zero trust rising rapidly, especially in response to the COVID-19 pandemic and the additional security issues it has brought to bear on I.T. departments. And while full acceptance of the technology may take some time, failure to move forward will expose companies to increasingly damaging attacks by creative hackers.
Yesterday’s legacy systems aren’t equipped to address modern-day cyber threats, Kinghorn says. “The IP protocol stack is 50 years old. It was never designed to do what I.T. organizations are being asked to do today. That’s why we need a completely new model.”