Most businesses are rushing to embrace the Internet of Things without a clear plan for securing that effort, leading to increased vulnerability that needs to be addressed, AT&T is warning.
In the latest of its Cybersecurity Insights Reports, AT&T Inc. (NYSE: T) is tackling IoT, pointing to a 458% increase in attacker scans of IoT devices within the last two years. Its own research shows that while 85% of businesses are considering, exploring or implementing IoT, only 14% have a formal audit process for tracking the security of those devices.
IoT also transforms the threat landscape. Instead of just worrying about protecting their data or intellectual property, companies need to be concerned about things such as an attacker interfering with the controls on a connected car or causing a manufacturing floor robot to shut down an entire plant or release a dangerous substance.
So AT&T is also laying out a strategy for enterprises to follow in securing their IoT rollouts, along with a partnership with Bayshore Networks, which makes IoT security software. Key to the IoT security strategy is engagement of business leaders and security experts in the effort, something AT&T stressed in its first Cybersecurity Insights Report, which came out last fall. (See Cyber Security: A Shared Responsibility.)
That first report found a definite disconnect between the security team and company management, and the lack of communication between the two left the former feeling unsupported and the latter insecure. By engaging company leadership in the security discussion, up to the board level, AT&T believes a sounder company-wide security agenda can be set. (Listen to Cyber Security: What CEOs Need to Know Now.)
That same attitude needs to be foundational to IoT security, says Jason Porter, VP of Security Solutions at AT&T, as one part of a multi-layer approach.
"We found that only 17% of boards [of directors] are engaged on IoT security aspect, which means they hear it regularly and are involved in the security of IoT," Porter says. "Yet 90% of the companies we surveyed were really lacking full confidence in their IoT security. What we found is if they take the right approach -- and we offer a framework for them to understand it and be able to take action -- they can be much more confident in their move and transition to IoT."
That, in turn, lets enterprises move more quickly and strategically.
The four layers are pretty straightforward: assess your risk, secure both information and devices, align your organization and governance for IoT and define legal and regulatory issues.
Some of what AT&T is recommending seems to be common sense but many other security experts say that's not always the case. As noted above, risks in the IoT world are different from those associated with telecom services or cloud services, so one of the first keys is to know what you have to protect -- what Porter calls "the crown jewels." That can require an audit or general assessment, but that knowledge needs to be top down as well.
The security strategy, when drafted, needs to be holistic. "You have to secure both information and devices -- it goes beyond just one or the other -- and you have to secure the information in transit and at rest, while it is on the device, while it's in the network and while it's in a cloud," Porter says. Too many IoT plans focus on one aspect or another.
"In general, [companies need to] align their IoT strategy and security," he adds. "Security can't be launched in a silo."
In other words, as the network, operations and even marketing departments are developing a security strategy, the Chief Security Officer and his team need to be there, from the beginning.
It is also critical to identify legal and regulatory issues at the beginning because IoT can tip a few scales there, Porter notes. IoT also creates new scale challenges for the virtualization of networks and how companies are dealing with data and updating their software.
In working to create this holistic approach to IoT, AT&T realized it had a gap: While perfectly able to secure the communications part of the IoT network with all of its traditional tools, and monitor end points, look for malicious software and deploy firewalls and intrusion detection systems, AT&T wasn't able to actually inspect the command going to the IoT device itself.
That's where the Bayshore partnership comes in. Working with Bayshore in its AT&T Foundry, and now putting their capability into the AT&T cloud, the network operator is able to add the ability to inspect that message and apply policy controls to make sure there is nothing at risk in that aspect of the IoT ecosystem as well.
That's unique to AT&T, Porter says, and he sees it as a fundamental aspect of IoT security whether it involves industrial IoT and the manufacturing floor or controlling cars and airplanes.
— Carol Wilson, Editor-at-Large, Light Reading