Securing networks in the Internet of Things era
We all know that the Internet of Things (IoT) is coming, and it’s going to change everything. Its sheer scale alone is almost mind-boggling: Gartner reckons that the number of connected devices will hit 26 billion by 2020, almost 30 times the number of devices connected to the IoT in 2009. This estimate doesn’t even include connected PCs, tablets and smartphones.
In light of those figures, it’s not an exaggeration to talk about an impending explosion in the number of connected devices, and industry experts and consumers alike are eagerly awaiting fridges which alert us when we’re out of milk, central heating we can control remotely with smartphones, and cars which will be as much tools for streaming entertainment and communication as they are a means of getting from A to B.
The IoT will probably represent the biggest change to our relationship with the Internet since its inception. But first, we need to work out how it’s going to become reality on such a vast scale. Clearly, adding these billions of devices to networks is going to have a knock-on effect, yet there’s been relatively little commentary dedicated to the question of how the IoT is going to be delivered in practical terms. This means asking what the IoT means for networks and IT departments, and how we’re going to ensure that it’s sufficiently secure.
To investigate what this exponential growth in connected devices will mean for enterprise networks and the people who manage them, Infoblox commissioned an independent survey of 400 network professionals in the UK and US. The results revealed that the majority of businesses have the beginnings of an IoT infrastructure in place, with 78 percent of respondents reporting that they have “things” such as networked badge readers, cash registers and vending machines on their networks. 73 percent reported the existence of connected security devices such as CCTV and other surveillance systems on their networks.
The security challenge
So far, so good. But the survey also revealed that almost two thirds of respondents (63 percent) believe the IoT to be a threat to network security. With so many new objects and IP addresses, it’s imperative that network teams are able to identify and audit what’s on their network at any given point. Managers must also consider that all these devices and IP addresses are potential weak points in an organisation’s IT infrastructure.
We also found that very few IT organisations have deployed IoT-specific infrastructure, such as dedicated networks or management systems – only 35 percent of respondents said they have done so. In many cases, no dedicated network infrastructure exists for IoT devices, so 46 percent of respondents reported attaching them to their corporate networks. This has clear security implications in light of the fact that every connected device is a potential entry point for malware.
30 percent of the organisations surveyed have taken a different route, choosing instead to create a separate logical or physical network for “things.” Other businesses simply dump IoT devices on existing guest wireless networks, which provide the Internet access required by many connected devices. However, guest wireless networks usually don’t allow access to internal resources (Domain Controllers, database and file servers and the like), which other IoT devices need. In addition, they provide little or no authentication, unpredictable performance, and no prioritisation of traffic, all of which are required by some categories of devices. These facts make guest networks impractical for some IoT deployments.
Insecure devices
Many IoT devices themselves suffer from security limitations as a result of their minimal computing capabilities. For instance, the majority don’t support sufficiently robust mechanisms for authentication, leaving network admins with only weak alternatives or sometimes no alternatives at all. As a result, it can be difficult for organizations to provide secure network access for certain IoT devices. Yet IT teams need to set network access policies for all connected devices in order to preserve network security and make the most efficient use of available network resources.
This problem is exacerbated by the fact that many IT organizations describe having “things thrown over the wall” for deployment, well after the purchasing decision has been made by another business unit. The survey shows some 60 percent of organizations say they’ve been brought in to support IoT devices after another department acquired them, and 63 percent reported that the subsequent deployment was more challenging than the acquirer believed it would be.
Dumb devices
In many ways these implementation difficulties are not surprising. Our customers tell us that many IoT devices simply aren’t that smart. Many lack a user interface, making configuration a challenge. And configuration is often the responsibility of a network administrator, adding insult to injury for admins tasked with setting up DHCP options for kit they didn’t buy and weren’t consulted about before purchase. Many devices are not easily upgradeable. Others are designed for home use by consumers rather than large-scale enterprise deployments and therefore lack some or all of the requisite tools and features for enterprise use.
A network administrator for a hospital chain described an MRI system that used the same set of hardcoded IP addresses for every machine, meaning that the network administrator had to set up NAT for each MRI machine to ensure it was accessible across the network.
This same lack of capability extends to security features. Most connected devices don’t support strong authentication mechanisms such as 802.1X, leaving network administrators to use their MAC addresses—or nothing—as a weak form of authentication. Consequently, securing IoT devices’ access to the network is difficult. Some organisations I spoke with used VLANs to isolate certain categories of “things,” but dedicating one VLAN to each type of device certainly doesn’t scale.
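The two practical points above, identifying what is on the network and isolating categories of “things” without a VLAN per device type, can be illustrated with a small inventory check. The following is an added example, not Infoblox code or survey material: it parses constructed dhcpd-style lease records (the lease text, the OUI prefixes and the VLAN numbers are all made up for the example), maps each MAC address to a device category by its OUI prefix, assigns one isolation VLAN per category, and lists devices whose prefix matches nothing in the inventory so an administrator can review them before they get access.

```python
import re
from collections import defaultdict

# Constructed sample of dhcpd-style lease records (not a real capture).
SAMPLE_LEASES = """
lease 10.20.30.41 {
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "badge-reader-07";
}
lease 10.20.30.42 {
  hardware ethernet 00:1a:2b:11:22:33;
  client-hostname "badge-reader-08";
}
lease 10.20.30.50 {
  hardware ethernet 0c:4f:9a:aa:bb:cc;
  client-hostname "cctv-lobby";
}
lease 10.20.30.77 {
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "android-phone";
}
"""

# Constructed OUI (first three octets) to device-category map. In a real
# deployment the prefixes come from the IEEE registry or purchase records.
OUI_CATEGORIES = {
    "00:1a:2b": "badge-reader",
    "0c:4f:9a": "surveillance",
    "f4:12:00": "vending",
}

# One isolation VLAN per category of device, not one per device type or
# vendor, so the scheme stays manageable as the estate grows (VLAN ids
# are placeholders).
CATEGORY_VLAN = {
    "badge-reader": 110,
    "surveillance": 120,
    "vending": 130,
}

LEASE_RE = re.compile(
    r'lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{(?P<body>.*?)\}', re.S)
MAC_RE = re.compile(r'hardware ethernet\s+(?P<mac>[0-9a-fA-F:]{17})')
HOST_RE = re.compile(r'client-hostname\s+"(?P<host>[^"]*)"')


def parse_leases(text):
    """Return a list of (ip, mac, hostname) tuples from dhcpd-style lease text."""
    devices = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        if not mac:
            continue  # a lease without a hardware address cannot be audited by MAC
        devices.append((m.group("ip"), mac.group("mac").lower(),
                        host.group("host") if host else ""))
    return devices


def classify(mac):
    """Map a lower-case MAC to a device category by OUI, or None if unknown."""
    return OUI_CATEGORIES.get(mac[:8])


def audit(text):
    """Group leases by isolation VLAN and collect devices matching no known OUI.

    Returns (assignments, unknown): assignments maps VLAN id -> list of
    (ip, mac, hostname); unknown is the list of unmatched devices.
    """
    assignments = defaultdict(list)
    unknown = []
    for ip, mac, host in parse_leases(text):
        category = classify(mac)
        if category is None:
            unknown.append((ip, mac, host))
        else:
            assignments[CATEGORY_VLAN[category]].append((ip, mac, host))
    return dict(assignments), unknown


if __name__ == "__main__":
    assigned, unknown = audit(SAMPLE_LEASES)
    for vlan, members in sorted(assigned.items()):
        print(f"VLAN {vlan}: {len(members)} device(s)")
        for ip, mac, host in members:
            print(f"  {ip:<15} {mac}  {host}")
    print("Unrecognised (review before granting access):")
    for ip, mac, host in unknown:
        print(f"  {ip:<15} {mac}  {host}")
```

The caveat the article makes still applies: an OUI identifies a vendor, not a particular device, and a MAC address can be set by whoever controls the interface, so this kind of check is an inventory and change-detection aid for the administrator, not a substitute for 802.1X or other real authentication.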
Solutions
In the face of these challenges, the only surprise is that the number of IT pros concerned about IoT security isn’t higher. But there are tactics which can help network administrators facing an IoT deployment. First, work to get yourself a seat at the table early in the IoT deployment planning stages. You should have input into the minimum network requirements of devices that you’ll have to deploy and support. Those requirements should include support for 802.1X, DHCP, SNMP management, remote upgradeability, and IPv6.
On that note, consider deployment of IPv6. As you probably know, IPv4 addresses have become much more difficult to get in Europe, the US, Canada, and Asia. Some of your “things” may require access from the Internet or from third parties’ networks. Don’t let a lack of routable IP address space hamper your IoT implementation.
The Internet of Things represents myriad new and exciting opportunities, many of which are yet to be considered. But the IoT relies on networks, using secure underlying networking technologies deployed and managed by network managers and administrators. And although one third of respondents (37 percent) believe concerns over IoT security to be nothing more than hype, security remains the most potent threat to the IoT reaching its full potential.