RSA 2015: What Do We Do About Internet Of Things Security?

The one thing everyone seemed to agree on at the 2015 RSA Conference in San Francisco is that the Internet of Things is a looming security threat, but there wasn't a consensus as to what exactly the security industry should do about it.

The challenge, solution providers and security experts said, is that the technology is still so new that, while the technology threat is real, there isn't a clear place to start preventing attacks.

"It's so early in that life cycle. ... The problem with that is that everybody knows there's going to be a lot out there, but nobody quite knows what security implications [there are] going to be," said Erik Wilson, owner and IT architect of Palatine, Ill.-based Auryn Technology. "I don’t think companies really know what's going to happen. ... I think it's exciting, yet a little terrifying."

[Related: 25 Security Innovations Unveiled At RSA 2015]

Sponsored post

A security professionals panel Wednesday debating the future of IoT agreed that the lack of insight into where the technology is headed makes it difficult to protect.

"We don’t even know what the end target is. I think one of the benefits we see as the outcome is modulatory and composability -- I think this is a completely different challenge and it's bigger than how do we secure it. We don’t even know what it is going to be," Victoria Yan Pillitteri, advisor for information system security at the National Institute of Standards and Technology, said on the panel.

On the flip side, that breadth of possibilities is exactly what makes the market so exciting, the panel said.

"You have to crawl before you can walk, before you can run," Yan Pillitteri said. "What we see now is the proliferation of new sensors and new devices. ... It's going to be a slow progression, and I do see a revolutionary piece as we look at policy and privacy. Those are the things that are going to be revolutionary."

Compounding the challenge is the sheer enormity of the surface area for attack, as the devices connect to and create a larger network to protect, according to Gib Sorebo, chief of cybersecurity technologies at Reston, Va.-based solution provider Leidos, who discussed the issue in a breakout session.

"With the Internet of Things, it's not just simply an issue of 'I have this one device I need to control.' ... It's interacting with everything else," Sorebo said.

Espen Otterstad, IT manager at Larvik, Norway-based Abax, said his company helps build solutions for companies around GPS tracking devices, among other things. Because the solutions the company builds often focus around the Internet of Things, Otterstad said, the company has, within the past six months, started to ramp up security measures around the technology in advance of client demand and any security incidents.

The challenge, Otterstad said, is that it is difficult to figure out where to start and what to focus on because the threat landscape is still emerging for IoT.

"It's still kind of a learning process," Otterstad said. "On the Web part, we're doing what's industry standard. On the Internet of Things part, ... we're starting, and looking at where to start is really the most important thing right now."

Dom Glavach, principal IS security engineer at Johnstown, Pa.-based Concurrent Technologies Corp., said the threat landscape for IoT is threefold, affected by the human factor, embedded devices that are often left unpatched, and the information that the devices are collecting and potentially exposing.

Dave Frymier, CISO at Blue Bell, Pa.-based Unisys, said one challenge is that, while standards exist for other industries, there are no standards for the software industry. Frymier said the only entity in the position to implement product-quality standards would be the government.

"It's just a natural evolution of the way things are going," Frymier said. "The Internet of Things is here. It's been here. ... Until we have something like that, the Internet of Things, this notion of adding software-driven devices to a big global network is nothing but a nightmare."

In his presentation, Leido's Sorebo laid out a risk model for how companies should think about security and the Internet of Things. First, he said, security professionals should define use cases around IoT devices, being as specific as possible. Then, they should identify all relevant impacts and vulnerabilities that could come down the road. Finally, those answers will lead them to identify which security threats are possible with the devices.

To mitigate that risk, Sorebo said, the security industry has some options:

First, they can design devices that are fit for purpose, though Sorebo said this is likely to be unrealistic, as usage is likely to expand.

Second, Sorebo said, companies can clearly document the assumptions for use of the device and the possible liabilities that can come along with that. Third, he said, companies or regulatory bodies can provide close oversight into how the devices interact, such as vehicle-to-vehicle interactions.

Fourth, he said, there can be mandated and vetted protocols and software libraries for devices. Finally, there can be device certifications for different use cases.