Last week, members of the Sectigo leadership team sat down to talk about the future of web security in 2019. Their discussion touched upon the evolution of the digital certificate field, new developments in email security standards, and the ways in which the threat landscape is expected to evolve.
But in the fast-paced world of cybersecurity, there is always more to discuss. Today, a group of Sectigo leaders gathered to talk about what might be in store for the Internet of Things (IoT) in the coming year. Vice President of IoT Damon Kachur, Chief Technology Officer of IoT Jason Soroko, and Head of EMEA Jeremy Boorer discuss the new security concerns facing the IoT, the need for stronger security protocols, and the global nature of IoT issues.
The Need for Strong IoT Security is Growing More Urgent
Jason Soroko, Chief Technology Officer of IoT, Sectigo: The pace of IoT innovation will continue to accelerate, and the pressure on vendors to get their products to market will only increase. Unfortunately, some developers and manufacturers of connected devices underestimate the necessity of properly securing these devices.
Damon Kachur, Vice President of IoT, Sectigo: That’s true — and from an end user perspective, the slow uptake of security in IoT devices has prompted governments to regulate. Nations (and more U.S. states) will follow California’s lead and enact legislation requiring security for IoT networks.
Jeremy Boorer, Head of EMEA, Sectigo: The UK has actually started to take on a leadership role in this area. In March, the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) launched their Code of Practice for Consumer IoT Security for manufacturers. This is a strong sign of a renewed consciousness of safe IoT practices and could be a way for the UK to safeguard its users and businesses in preparation for the post-Brexit state of online affairs.
Kachur: It’s particularly important for healthcare, aviation, energy, and manufacturing sectors across the globe, which face the highest risk. In the U.S., California’s legislation stops short of prescribing strong forms of authentication — but thankfully, consortium groups such as the Open Connectivity Foundation and AeroMACS have championed the use of strong certificate-based authentication in their best practice standards for IoT.
Soroko: That’s a great point. The Open Connectivity Foundation and AeroMACS are forward-thinking and are writing the need for PKI-based device identities and strong mutual authentication into their standards. That’s where a purpose-built IoT device identity issuance platform will change the game and enable commercially viable adoption of strong security by IoT device vendors.
We’ve seen governments use legislative tools to regulate and guide IoT security, but the vendors must take measures to properly mitigate the risk. We can only hope that there is an uptake in the adoption of strong IoT security technologies and that it won’t require a major catastrophe to precipitate action.
The Threats Facing the IoT Will Continue to Evolve — But There Are Answers
Boorer: The importance of securing the IoT was a hard lesson learned from the Mirai botnet hack that infected thousands of smart devices in 2016, crashing systems across the globe. IoT devices are highly mobile by nature, and as they travel around the world with little or no way to track them, their security becomes critical. An entire IoT infrastructure can be compromised by a single infected element, so it’s crucial to extend use of smart technologies and applications across ‘all things connected.’
Soroko: It may even be time to take a fresh look at identity-based security. There is a commonality in IoT security weakness, and that is the lack of strong authentication. The Mirai botnet works because of how easy it is for attackers to guess a static username/password or steal a token credential. You may see the word ‘security’ on the tin of an IoT product, but check again. Is that device using weak authentication? There are much stronger forms of security offered by cryptographic-based digital identities.
Kachur: It can be tempting to think that because the vulnerabilities are simple, so too are the solutions. But the attack vectors and threat actors to the IoT are constantly evolving, warranting best-practice device provisioning and the ability to quickly and proactively manage current cryptographic algorithms with those that will supersede them in the future. This will be vital within the lifespan of the devices being deployed to customers.
Boorer: There are many solutions designed to protect networks and endpoint devices against IoT attacks and businesses. Organizations and institutions should look to deploy an IoT management platform, which provides flexible and scalable identity issuance and management for strong authentication beyond static credentials. Being able to see and secure all IoT devices within one platform is the only way for organizations to take stock of their vulnerable points and adopt measures needed to safeguard them.
The Emergence of 5G Will Spur New Security Concerns
Soroko: Before we wrap up, I want to touch on one final point. 5G mobile networks are on the horizon, which is exciting. But it’s important to keep in mind that these new networks will bring with them a host of new security concerns. 5G will spur further growth of internet-connected devices—Ericsson already estimates that there could be 3.5 billion IoT-enabled devices by 2023—providing would-be intruders with new endpoints to attack.
Security for 5G is still evolving with the standard, and it is complex enough that security will require several layers. 5G networks can be split into uniquely purposed slices, and each virtual network slice could demand unique security capabilities. Developers will need to consult IoT security professionals to help identify new ways to shore up the network.