Thanks to John Yun, Head of Marketing for ZingBox, for sharing his thoughts with me about the current and future state of IoT security. ZingBox secures IoT devices from the ground up rather than after the fact.
Q: What are the keys to a successful IoT security strategy?
A: Start with a blank sheet of paper and write down all of the requirements of your IoT device – even the most basic. Think broadly so you do not try to shoehorn an existing solution to fit your needs. What are the key requirements of the IoT devices and what are the restrictions (i.e., inability to install agents)? Identify the solution that’s right for you without any preconceived notions. A fresh approach will lead to a more focused evaluation of what works and what doesn’t in weeks versus months.
We just partnered with VMware, which manages and secures devices by leveraging common device operating systems or containers. A lot of devices are not designed to support other applications. The organization needs security for all of its applications regardless of whether they are IoT. VMware partnered with us because we do not require any agents and we provide a common management dashboard to make it easy to keep up with all of your devices.
Q: How has IoT security changed in the past year?
A: IoT security is like the cloud 10 years ago. Its impacts are seen day-to-day in healthcare, finance, and every other industry with attacks like Mirai and WannaCry. Hackers have changed the way they look at industry. They’ve gone from focusing on PII and patient data to realizing the value of the service itself. There are huge costs on the operational side, and ransomware and wiperware render devices inoperable.
Q: What are some real-world problems you are helping your clients solve?
A: Every organization has HVAC systems, door locks, and other connected devices, many of which are managed by third parties. This opens a huge door for potential attacks. In healthcare, clients have a lack of visibility into their devices. They underestimate the number of devices (e.g., x-ray machines, heart rate monitors, blood pressure monitors) on their network, often by as much as 50 percent. We can analyze their network and tell them exactly how many devices they have, if they’ve been infected, and advise them on the next steps to take since many times the device has been wiped clean of any previously existing data.
Q: What is the most common issue you see with regard to IoT security?
A: Lack of visibility and the lack of ability to determine if a device has been compromised and is not performing the way it is supposed to (i.e., an x-ray machine providing inaccurate results). One door lock may be compromised while another is not. We are able to look at the device personality and deployment to determine how often it has been used, when, and by whom to provide insight to the organization and articulate what an infection looks like.
Q: Where do you see the greatest opportunities to improve IoT security?
A: Bake in security processes from the beginning so you are able to detect any compromises. There are millions of devices already in the field without any security. They provide a huge challenge and opportunity. The opportunity is to secure the environment and provide another layer of security that does not impact the device operation. We work closely with the FDA, the Department of Homeland Security, and device manufacturers to build security for IoT devices, and their perimeters, and react quickly if they are infiltrated.
Q: What skills do developers need to ensure the IoT devices they are working on are secure?
A: Learn from security professionals and the security industry. Look at how iPhone and Android are innovating and look at the security of your device from that perspective. Know the security landscape will change quickly – so be flexible. Be able to hook your device into new security detection methods. Work with vendors to plan for the unknown.
Q: What is the key takeaway for the people who read this?
A: IoT security is constantly shifting. Six months from now, service disruption and wiperware will be more common than ransomware as companies realize paying a ransom is a waste of money since their data has already been wiped away and cannot be recovered.