We’ve written before about the cybersecurity concerns of the Internet of Things (IoT) as a new dimension of endpoint security. This is no accident or oversight: the Internet of Things has proven a recurring security challenge in the modern workplace, because the devices typically ship without any security platform of their own.
With that in mind, we were lucky to speak with Mark Cooper, Founder and President of PKI Solutions, a security firm specializing in public key infrastructure, Internet of Things, and mobile device security.
Here’s part of our conversation, edited slightly for readability. We also talked about access management and bring-your-own-devices culture, which you can find here.
Solutions Review: On the Internet of Things (IoT), what should enterprises be most aware of from a security perspective?
Mark Cooper: Enterprises are faced with an entirely new set of security issues with IoT. In a perfect world, all of the devices you buy are properly secured, have strong identities, and provide sufficient encryption and data protection. But to be perfectly honest, most of the IoT manufacturers are struggling with identities and data protection just like any other organization. So, you should be aware that very few products are shipping with any security implementation that would meet enterprise standards. We just aren’t in that world yet.
Enterprises are presented with two unique challenges. First, identify which devices in your organization are “IoT.” You might be surprised that many products are enabled with [the] technology you simply aren’t aware of.
For example, I have a customer that makes water pumps. When was the last time anyone from InfoSec went to the building’s basement to see if some [of that] machinery was IoT-enabled? If it is, how secure is its information? Starting with an understanding of what IoT-enabled devices and products you have is the first step—and it is often difficult for many organizations to assess. Are your light switches IoT? How about the electrical power strips? Smoke detectors? See where I am going? It’s not only intelligent speakers and coffee makers sitting out in the open.
Once you have a sense of scale, you need to determine what is acceptable security for these devices. Are they, like many devices, using a statically set password and credentials for every device the manufacturer makes? What encryption are they using to transfer data? How will you find and discover these for each device? That is the million-dollar IoT question.
SR: Are there particular IoT devices most at risk?
MC: Honestly, all IoT devices could present a risk, but that is a relative term.
The risks could be allowing someone to misuse a device to participate in a large-scale DDoS attack. But it could also pose a risk in the form of allowing someone to inadvertently trigger an alarm, turn on fire sprinklers, rapidly flash lights on and off, divert water from a storage tank, etc. These could lead to mass evacuations of a building (and give an intruder easier access to your facility) or outright damage if a pump was reversed and a key piece of equipment overheated or exploded. In short, any smart IoT device in the environment should be reviewed for potential misuse and attack on an enterprise.
SR: What security advice do you have for IoT usage?
MC: Understanding the information in and used by an IoT device will make it easier to understand the appropriate security and use of the device.
This is obviously a new area for many enterprises, and the proper vetting and screening of these devices is also new to most people. Having clear and concise conversations with manufacturers on security and controls that are in place for the devices is critical. “Trust, but verify” is my motto. I wouldn’t take the word of a quick response regarding security as the definitive answer. If there is a potential to affect your organization, using a packet sniffer or SSL inspection appliance to vet the IoT device during testing would be wise.
It is also important to ask the question, “What happens to the data once transferred to the cloud?” Most IoT devices are managed through a cloud interface. Does the manufacturer have access to that data? Are they aggregating that data and reselling it? What guarantees do you have that your information privacy will be protected? We have all seen the recent issues with Facebook and its privacy rules being brought to light with the Cambridge Analytica controversy.
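As an added illustration of the vetting step Mark describes (the statically set credentials from his earlier answer and the packet-sniffer or TLS-inspection check here), the following Python script is example code written for this page; it is not Mark Cooper’s or PKI Solutions’ tooling. It walks over constructed session records of the kind a sniffer or inspection proxy would produce for one device under test, decodes any HTTP Basic or telnet logins it finds, compares them against a short constructed list of common factory defaults, and flags cleartext management protocols and weak TLS parameters. The addresses, ports, hostnames, payloads and the credential list are all assumptions chosen for the example.

```python
import base64
import re

# Constructed sample records, standing in for what a packet sniffer or TLS inspection
# proxy would show for one device during testing. Addresses, ports, hostnames and
# payloads are invented for this example; nothing here comes from a real product.
SAMPLE_SESSIONS = [
    {"dst": "10.0.5.20", "dport": 23, "proto": "telnet",
     "payload": b"login: admin\r\nPassword: admin\r\n"},
    {"dst": "10.0.5.20", "dport": 80, "proto": "http",
     "payload": (b"GET /cgi-bin/status HTTP/1.1\r\nHost: pump-controller\r\n"
                 b"Authorization: Basic YWRtaW46MTIzNA==\r\n\r\n")},  # base64("admin:1234")
    {"dst": "203.0.113.10", "dport": 443, "proto": "tls",
     "tls_version": "TLSv1.0", "cipher": "TLS_RSA_WITH_RC4_128_SHA"},
    {"dst": "203.0.113.11", "dport": 8883, "proto": "tls",
     "tls_version": "TLSv1.2", "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
]

# Short constructed list of factory-default logins; a real check would use a
# maintained database plus the vendor's own documentation.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("user", "user"),
}

# Management/telemetry protocols that carry data in the clear on these ports.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}
WEAK_TLS_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "_DES_", "3DES", "MD5")


def extract_credentials(session):
    """Return (user, password) pairs visible in a cleartext payload."""
    payload = session.get("payload", b"")
    found = []
    # HTTP Basic authentication is just base64("user:password").
    for m in re.finditer(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
        user, _, password = decoded.partition(":")
        found.append((user, password))
    # A telnet login prompt and response echoed by the device.
    m = re.search(rb"login:\s*(\S+)\r?\n\s*password:\s*(\S+)", payload, re.IGNORECASE)
    if m:
        found.append((m.group(1).decode("utf-8", "replace"),
                      m.group(2).decode("utf-8", "replace")))
    return found


def vet_sessions(sessions):
    """Return a list of (endpoint, category, detail) findings for the device."""
    findings = []
    for s in sessions:
        endpoint = f"{s['dst']}:{s['dport']}"
        # Anything on a known cleartext port that is not wrapped in TLS.
        if s["proto"] != "tls" and s["dport"] in CLEARTEXT_PORTS:
            findings.append((endpoint, "cleartext",
                             f"{CLEARTEXT_PORTS[s['dport']]} traffic without encryption"))
        # Credentials observed on the wire, worse still if they are factory defaults.
        for user, password in extract_credentials(s):
            category = ("default-credential" if (user, password) in DEFAULT_CREDENTIALS
                        else "credential-in-clear")
            findings.append((endpoint, category, f"{user}:{'*' * len(password)}"))
        # Encrypted, but with parameters that no longer meet enterprise standards.
        if s["proto"] == "tls":
            if s.get("tls_version") in WEAK_TLS_VERSIONS:
                findings.append((endpoint, "weak-tls", s["tls_version"]))
            cipher = s.get("cipher", "")
            if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                findings.append((endpoint, "weak-cipher", cipher))
    return findings


if __name__ == "__main__":
    for endpoint, category, detail in vet_sessions(SAMPLE_SESSIONS):
        print(f"{endpoint:<20} {category:<20} {detail}")
```

On the sample above the script reports six findings: both the telnet and HTTP sessions are cleartext and carry a default login, and the first TLS session negotiates TLSv1.0 with an RC4 cipher suite; only the MQTT-over-TLS session on 8883 passes clean. In practice the session list would be built from a real capture of the device during testing, and the vendor’s answers about “encryption” and “strong passwords” checked against what the capture actually shows.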
Thanks again to Mark Cooper of PKI Solutions for his time and expertise! Mark is the president and founder of PKI Solutions, and has deep knowledge and experience in all things Public Key Infrastructure (PKI), known as “The PKI Guy” since his early days at Microsoft. PKI Solutions Inc. provides consulting, training and software solutions for Microsoft PKI and related technologies for enterprises around the world. Prior to founding PKI Solutions, Cooper was a senior engineer at Microsoft, where he was a PKI and identity management subject matter expert who designed, implemented, and supported Active Directory Certificate Services (ADCS) environments for Microsoft’s largest customers.
By Ben Canner