With Gartner and others predicting massive growth in the industrial, enterprise and consumer IoT within the next few years, the security of such devices is at the forefront of many users' minds and, at first sight, the challenges seem enormous.
The enormity of the growth in the IoT is clear when you consider that the growth in PC and mobile devices to 10 billion devices took 25 years with just a handful of operating systems. Within just 5 years, it's predicted that the IoT will consist of 30 billion devices using hundreds of operating systems.
A new approach to security
It's clear that the conventional approach of using client-based agents is impossible even to consider, so I asked Jan Hof of ForeScout Technologies how the security conundrum could be tackled.
"Networks of the past were characterised by well defined perimeters with remote users connected to the corporate network or data centre using a VPN. Now, the network has become more porous and dynamic; it isn't even owned by the enterprise," he told me.
Hof went on to say that in such an environment, visibility becomes more important than ever before and that this must be achieved without placing agent software on the endpoints.
"First of all, you have to see the devices that are on the network, whether they are IoT or not, then you have to classify each device and control access to network resources based on the type of device it is and its behaviour. With ForeScout's ControlFabric platform, companies can also orchestrate the response to threats using the widespread integration of ForeScout products with other specialist security products," he explained.
Device classification is an important aspect of limiting risk. An example is a surveillance camera, which has a particular pattern of network behaviour and limited access to network resources. Knowing that the device is a camera enables potentially malicious patterns of behaviour to be detected and its network access to be segmented to prevent it being connected to critical resources. Such dynamic network segmentation across the entire IoT limits the impact of security breaches, according to Hof.
However, according to a survey conducted by Quocirca, network visibility is far from certain for many organisations. In EMEA, around 35% of those surveyed had confidence in their knowledge of what IoT devices were connected to their networks, with nearly a quarter saying they were not confident. This left a chunk of over 40% of organisations having "some" confidence that they knew what was attached. With the expected explosion of such devices, "some" confidence will clearly be hopelessly inadequate.
Nothing is benign
Some would say that maybe it isn't necessary to have complete visibility of every smart sensor, surveillance camera and connected machine tool, so I asked Jan Hof if there is any such thing as a benign IoT device.
"Everything should be considered a potential threat. The chances of a device being used as a gateway to the network vary but you can't take the chance that a device manufacturer has built in adequate embedded security," he concluded.
Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.