- FST Media

Untangling the IoT security mess
Top left to right: Benedict Tan, Group CIO, Singapore Health Services - Richard Moore, Managing Director & Head of Financial Crime and CISO, DBS Bank - Lee Wan Sie, Director
- Next Generation Infrastructure Group, Infocomm Development Authority of Singapore (iDA)(IMDA) - Zeck Lim, Director - Technology Solutions, Infocomm Development
Authority of Singapore (iDA)(IMDA) - Yuen Ka Wei, Head of IT Security Governance, Asia Pacific, Deutsche Bank - John Mills, CIO Cybersecurity Division Chief, US Dept of Defence
- Neal Cross, Chief Innovation Officer, DBS Bank - Khoong Hock Yun, Assistant CEO and Chief Data Officer, Infocomm Development Authority of Singapore (iDA)(IMDA) - Gilbert
Chuah, Executive Director - Regional & Singapore Head, Internet Channels, UOB - Tom Heckroth, Director, Global Data Centers, Neptune Orient Lines - Joshua Tjandra Tjahjono,
Director, Information Technology, Singapore Health Services - Eddy Liem, Group CIO, Prima Limited - A/Prof Loo Chian Min, Chief Medical Informatics Officer, Singapore Health
Services - Chua Kim Chuan, Director, Identity and Security Services, Ministry of Health Holdings - Bill Taylor-Mountford, Vice President & General Manager APJ, LogRhythm - James Carder, LogRhythm CISO & VP of LogRhythm Labs - Robert Lentz, Former CISO for the US Department of Defence
The Internet of Things (IoT) promises an era of automation and
machine learning that will change the way we live and work.
While self-driving cars, robot-managed factories and
refrigerators that order groceries are often the first examples
quoted, the onset of IoT will have far more far-reaching
consequences. In some cases, these consequences are
already shaping our lives.
As an example, some insurance companies now offer plans
that require drivers to install a sensor in their cars, allowing
insurers to base premiums on actual driving behavior rather
than projections.
Physicians can also use the information collected from
wireless sensors in their patients’ homes to improve their
management of chronic diseases. Through this continuous
monitoring rather than periodic testing, physicians could
then also reduce their treatment costs by between 10 and 20
percent, according to McKinsey Global Institute research [1].
Security needs a rethink
IoT will have a similar impact on the way we approach IT
security.
For example, researchers have found critical vulnerabilities
in IoT-based baby monitors that can allow hackers to carry
out malicious activities, including authorizing others to view
and control the monitors. Researchers have also shown that
internet-connected cars can be compromised, meaning they
are susceptible to being unlocked or shut down while in
motion.
The main problem is that these issues will compound quickly
due to the explosive adoption and growth of IoT devices.
These key issues were discussed at an exclusive roundtable
luncheon hosted by FST Media and LogRhythm.
Featuring key observers, analysts and practitioners in
security, the insightful discussion highlighted the challenges
that the industry is facing with IoT.
Data analytics vital
“It is a very difficult subject and we were just talking about
the issue of yin and yang, between functionality and
security, and how you can balance it,” said former CISO for
the US Department of Defence, Robert Lentz.
One industry that is already facing mounting IoT security
challenges is healthcare. LogRhythm CISO & VP of
LogRhythm Labs, James Carder, said: “It is a matter of life
and death.” He added that the industry is already dealing
with devices daily, and with more devices coming online,
protecting patients and healthcare workers from malicious
attacks has become a major concern.
Carder admitted that it is going to be challenging, especially
as more companies use IoT to improve preventive care and
cash in on a lucrative sector of the market.
“It is not just the IoT aspect but how my data out there is
being managed and used,” said Carder, who drew analogies
with the military as another industry where IoT is already
being deployed.
Neal Cross of DBS Bank added that even though he is
healthy, he is not comfortable with sharing details about his
health through devices. “To whom does the information go
to?” he said, highlighting a personal concern.
Meanwhile, Tom Heckroth from the Transport/Logistics
industry said that some of the information may end up in the
hands of their vendors, and may give them an advantage over
others.
Lentz added that it is one of the reasons that motivated
him to join the board of LogRhythm. “When I was in the
US Department of Defense (DOD), we looked at this whole
SIEM space evolving to this whole issue of how are we going
toward data analytics and machine learning to deal with
cybersecurity because as we move into this era of taking
the human out of the loop and move to machine-to-machine
decision making,” he explained.
Not built for security
Participants agreed that the major concern with IoT security
is that it was not designed to operate in a hostile environment.
“What they built for good can get turned around and used
for evil. Just like in the hospital where the same machine that
dispenses medicine to a patient to keep them alive can be
remotely hacked to dispense poison to that same patient and
kill them,” said Carder.
It was also noted that many do not think about the ill
effects of IoT on security and privacy before deploying
them. According to the participants, IoT is often seen as a key
sales differentiator, while consumers see it as something “cool”.
Security is often not the first thing that anyone investigates or
highlights.
For example, Carder noted that he had to modify his
own infrastructure for identification and access control to
compensate for the lack of security. “The ones that support
certificate based authentication sit inside my network, the
ones that don’t sit in a DMZ,” he said, adding that it is not an
approach that many consumers take.
However, some participants agreed that IoT development and
its adoption are outpacing security concerns by a long way.
For example, Joshua Tjandra Tjahjono of Singapore Health
Services noted that healthcare providers want to improve
patient monitoring via IoT, although they are concerned about
the cost of supporting and managing all the IoT devices.
Meanwhile, Benedict Tan and Chian Min Loo of Singapore
Health Services noted that IoT will help to simplify healthcare
complexity as many healthcare providers have little or no
visibility into patient data for proper care.
“As they continue to leave out security as a part of their
development process, the risk will increase exponentially at
the pace of development,” said Carder.
Another risk lies in legacy infrastructure. Lentz noted that
major banking, logistics and healthcare companies still run
a lot of legacy software and hardware, and ensuring that
security policies and processes are all well aligned will be
difficult.
“This is a high-attack space with a lot of ransom and
espionage wares being used. The government is putting new
controls in place so that auditors can ensure the processes
are compliant,” he said.
“But there are not enough people in cyber security. So new
technology is needed to do the job and ensure the processes
are audit proof.”
Need to plug all loopholes, not just one
The participants said that with governments taking note, it is
a good thing for both the industry and the consumers.
For example, Carder noted that in the US several measures
are already being taken to plug the gaps and prevent
security breaches at the device level after the Jeep Cherokee
hack.
IoT security, however, should not be just focused on devices.
Some participants noted that a holistic approach that looks at
all components involved in the IoT network should be used.
For example, gateways that connect IoT devices to
companies are equally vulnerable and need to be secured as
well. While human-controlled devices tend to have a one-time
authentication, IoT devices are always connected and always
on, requiring more security for all the components in an IoT
network.
In addition, there would need to be a concerted industry
effort to ensure that security updates of IoT devices could
be done in an efficient manner. With consumers and
businesses soon to be owners of many IoT devices, security
updates from the various manufacturers need to be better
coordinated. Also, proper safeguards need to be put in place
to prevent updating interfaces from becoming security holes
themselves.
Money can be a great motivator
One way IoT developers can be motivated to enforce security
is through enforcing contract agreements.
Participants noted that money is a very strong motivator and
if vendors are not selling because of security, they will make
sure to put security in.
Another way to reinforce IoT security is to test and evaluate
what you buy. “Ensure that you protect IoT just like you would
any sensitive computer system you have that has the risk to
expose sensitive data. If developers would follow some basic
best practices, then the world of IoT would be a much safer
place,” said Carder.
All agreed that this is challenging in a competitive world. In
an IoT world, competition will be much fiercer with seconds
and minutes separating the first movers from the second,
and with second movers having diminishing returns. In this
regard, security can be seen as something that is costly and
slows you down.
Some participants argued that businesses need to make
security a key differentiator for IoT. “Unfortunately, I think it
might take something substantial to shake our trust for that to
happen,” said Carder.
He added that no one has any answers to the current
challenges and admitted that it remains challenging.
More importantly, IoT is not new, and the answers can be
found through industry effort and ensuring that businesses
make security a key differentiator when buying IoT devices.
Carder noted that while IoT has been around for a long time, we
still have not found a way to secure it. With the increasing
adoption of IoT, however, the need to find the right solutions will
become ever more urgent. Else, it may turn into IT’s Pandora’s Box.
LogRhythm, a leader in security intelligence and analytics, empowers organizations around the globe to rapidly detect, respond to
and neutralize damaging cyber threats. The company’s patented award-winning platform uniquely unifies next-generation SIEM, log
management, network and endpoint monitoring, and advanced security analytics. In addition to protecting customers from the risks
associated with cyber threats, LogRhythm provides unparalleled compliance automation and assurance, and enhanced IT intelligence.
www.logrhythm.com
FST Media produces innovative and engaging technology conferences, roundtables and specialist publications for the banking, insurance
and wealth management sectors across the Asia Pacific region.
www.fst.asia