On the sunnier side, cross-vendor collaborative efforts on IoT security are making progress, and Intel Security’s own IoT research will continue notwithstanding the separation of McAfee from Intel in 2017.
LAS VEGAS – At the Intel Security Focus Security Conference here, the company warned that the recent distributed denial of service [DDOS] attack – the largest in history – may well be a harbinger of things to come. While a window exists to remedy the problems with Internet of Things [IoT] security, it is rapidly closing.
“It was probably a good thing that the DDOS attack happened now, because it was a wakeup call,” said Lorie Wigle, VP & GM, IOT Security Solutions, Intel. “Time is expiring on IoT security. The current state of things is not what it needs to be, and we saw this in the DDOS attack last week. We have a window to address this, but it is rapidly closing, because the number of devices will only keep ramping up.”
While the Internet of Things is often identified with cheap sensors, many IoT devices are considerably more expensive, long-lasting items.
“Many of these things like fridges, we will have for 20 years,” Wigle said. “We need to get the security built in. We need to operationalize them. We have to be able to patch and upgrade them during their lives.”
Wigle said that in the DDOS attack, attackers found devices unguarded because users never entered a password. This isn’t uncommon in the consumer space, because many consumers are afraid they will forget the password.
“The problem here is that the consumers who owned the devices that were breached weren’t really negatively impacted,” she indicated. “The real victim was usually somebody else. But in the next phase of attacks, the attack could bring ransomware, which would have direct impacts.”
Wigle said that Intel Security is responding to this by protecting across the threat defense lifecycle, which, with the IoT, manifests in a couple of different ways.
“First, it means taking full advantage of what we can build into processors and SoCs and putting the right software on top of it,” she said. “Being able to determine actual device identity will be fundamentally important for the IoT.
“The other thing different about the IoT that needs to be comprehended is that they interact with the physical world – like oil pipelines,” Wigle stated. “This means that you also need to consider the safest way for them to fail.”
Wigle noted that Intel Security has been using McAfee ePolicy Orchestrator [ePO], targeted at the energy industry, for IoT management.
“We harden the device, secure the communication and manage and monitor it using ePO and possibly a SIEM,” she said. “This recently won us a Department of Energy Award.”
Wigle also noted the growing industry-wide collaborative effort around IoT security.
“No one company can solve it, so we have to co-operate,” she said.
She identified three organizations in particular. The Industrial Internet Consortium, which now has about 350 members, has put together a 75-page prescription on how to secure an industrial internet. The Open Connectivity Foundation, which operates more in the consumer space, scored a signal achievement by bringing two competing groups together. It produces open source implementations as well as standards. Finally, she noted that the GSMA, the organization behind the Mobile World Congress and most significant in Europe, has published guidance for IoT security and developed a self-certification checklist.
“We think this is a really promising effort,” she said. “Lots of governments now want to do something around IoT security. This provides them with a thoughtful approach regulators can build on.” Regulatory growth around the IoT is inevitable in any event, she said, including some type of regulatory security rating coming through the EEC.
Finally, Wigle, a long-time Intel employee who was sent on assignment to Intel Security three years ago, noted that the upcoming separation next year of McAfee from Intel will not jeopardize the continuing research efforts.
“We absolutely envision that collaboration continuing in the new setup,” she said. “It’s something I am personally committed to.”