Most enterprise security organizations are unlikely to have a spamming refrigerator on top of their list of things to worry about. But news earlier this year that an Internet-connected fridge was co-opted into a botnet that sent spam to tens of thousands of Internet users is sure to have piqued the interest of at least a few.
If nothing else, the incident showed how even a benign consumer appliance could pose a danger to enterprises if connected to the Internet without proper security protections.
Over the next few years, analysts expect tens of billions of devices to be connected to the Internet in similar fashion. The so-called Internet of Things (IoT) phenomenon promises, or threatens, depending on your point of view, to transform our understanding of the Internet and a networked world. A lot of what will transpire will be on consumer-oriented products. But as with everything in technology, what happens in the consumer world will inevitably affect the enterprise.
Here, in no particular order, are six ways the Internet of Things will affect enterprise security:
1. The IoT will create billions of new (insecure) end points
Analyst firms have differing takes on the number of devices or "things" that will connect to the Internet by 2020. Estimates range from Gartner's 26 billion devices to IDC's somewhat dystopian projection of 212 billion installed devices. Regardless of which is right, the one thing that is certain is that a lot of IP-enabled devices will one day find a home inside enterprises. Examples include smart heating and lighting systems, intelligent meters, equipment monitoring and maintenance sensors, industrial robots, asset tracking systems, smart retail shelves, plant control systems and personal devices such as smart watches, digital glasses and fitness monitoring products.
Many of the products will be single-purpose devices that originate in the consumer market. Others will have Internet connectivity added, almost as an afterthought, via cheap sensors. A vast majority will have little to no protection against common online attacks. The operating system, firmware and patch support that IT organizations have long been accustomed to will not always be available with these devices.
The IoT inherently creates billions of insecure new endpoints, said Eric Chiu, president of cloud security vendor HyTrust. These IP-addressable devices will create new vectors of attack designed to either compromise the device or gain access to the enterprise network.
IoT devices will typically not be protected with whatever anti-spam, anti-virus and anti-malware infrastructures are available, nor will they be routinely monitored by IT teams or receive patches to address new security issues as they arise, Chiu said.
The idea that enterprises can somehow control whom to let in is going to go out the window, Chiu said. "Companies will have to just assume the bad guy is already there," and respond accordingly. This does not mean abandoning perimeter defenses. Rather it means adopting a strategy that starts with presuming the attackers are already in the network, he said.
2. The IoT will inevitably intersect with the enterprise network
Just as there are no truly standalone industrial control networks and air traffic control networks anymore, there won't be a truly standalone enterprise network in an IoT world, says Amit Yoran, general manager at RSA and former director of the National Cyber Security Division at the U.S. Department of Homeland Security.
Regardless of the network segmentation techniques and air gaps an enterprise might employ, there will be points where the IoT will intersect with the enterprise network. Those touch points will be highly vulnerable to attack.
The IoT will pervasively connect to everything, including enterprise networks, Yoran said. "Today we have the enterprise network and the cloud. We know we have enterprise users coming in via BYOD directly to cloud-based resources without ever traversing the enterprise network," he said.
The IoT will exacerbate the issue to a point where it's going to be incredibly messy trying to control the various internal and external devices that gain access to enterprise data stored on premises or in the cloud.
"The IoT and the enterprise network will intersect. If you can hack into a web-enabled device which also happens to have connectivity to the corporate network or infrastructure, you can create a bridge to pass traffic back and forth," from the enterprise, Yoran said.
"There are ways we can try and mitigate the risk," he said. But in the end, everything will be interconnected. "You don't have to look far into the annals of computer history to know that it is going to happen. We as a society are running headlong into it."
3. The IoT will be a world of heterogeneous, embedded devices
Most "things" in an IoT world will be appliances or devices with applications embedded in the operating system and wrapped tightly around the hardware, said John Pescatore, director of research at the SANS Institute in Bethesda, Md.
In that sense, the IoT universe will be very different from the layered software model to which IT and IT security groups are so accustomed.
For one thing, the devices themselves will be highly heterogeneous and IT will have a hard time getting everyone to use the same technology, Pescatore said.
Many of the communications protocols in an IoT world will be different as well. Instead of TCP/IP, 802.11 and HTML5, IT organizations will have to deal with newer protocols like Zigbee, WebHooks and IoT6. And instead of the typical two- to three-year IT lifecycles, IT will need to get accustomed to lifecycles ranging from just a few months to more than 20 years in the case of some devices, he said.
In a survey conducted by SANS, IT managers said their biggest concerns with Internet-connected devices related to smart buildings, industrial control systems, medical devices and consumer devices.
"The use of embedded computing in those devices, versus layered operating systems and applications in PCs and servers that IT is accustomed to managing and securing, will cause major breakage in existing IT management and IT security visibility," Pescatore said.
4. The IoT will enable physical and physiological damage
While online threats mainly affect data, in an IoT world there will be physical and physiological risks as well, said Michael Sutton, vice president of security research at Zscaler.
Hackers have already shown how IP-enabled insulin pumps, glucose monitors and pacemakers can be compromised to cause physiological damage to the wearer of such devices. Attacks like those enabled by Stuxnet show how physical equipment can be damaged via cyberattacks.
With the IoT, such attacks will also be possible against such products as cars, smart heating, ventilation and air conditioning systems, Web-enabled photocopiers, printers and scanners and virtually every other device with an IP address. The only reason that attackers haven't gone after such devices already in a major way is that there is so much other low-hanging fruit to attack, Sutton said.
In many cases, the bad guys won't even need software or hardware flaws to compromise a device. One of the biggest dangers companies will face in a world where everything has an IP address is configuration errors, Sutton said. Many of the devices that companies allow on their networks, like IP-enabled printers, photocopiers and webcams, will be put online with default settings that allow almost anyone with web access to take control.
5. The IoT will create a new supply chain
In a majority of cases, enterprises will have to either rely on device manufacturers for patching, firmware and operating system support or find a way to support the technologies on their own. Many of the devices that connect to the enterprise network in the not-too-distant future will be from companies that traditional IT security organizations are not familiar with.
"Like BYOD, traditional enterprises will need to adapt to developing policy and systems that integrate with and potentially manage many more devices than IT has ever worked with before," said Jason Hart, CEO of Identiv, a vendor of device authentication and identity management technologies.
"In addition to employees bringing new enabled devices into the physical and virtual work places, traditional non-connected devices, from a coffee machine to new ergonomic chairs, will place new workloads on IT support and information security," Hart said.
The vendors that will succeed in an IoT environment are those that can help enterprises manage the complex interdependencies there will be between new IP-enabled devices and the enterprise network, said Chris Yapp, a fellow of the British Computer Society and an independent security consultant.
Companies that have experience managing complex technology integrations will be the ones most likely to succeed in an IoT environment, he said. More often than not, traditional IT and security vendors are well behind the curve in understanding how the IoT trend will affect corporate IT, he said.
"The challenge for existing suppliers is that they tend to have a narrower focus and will take time to build the partnerships and in-house skills or acquisitions to compete," with the systems integrators, Yapp predicted.
6. The IoT will exacerbate the volume, stealth and persistence of online attacks
In theory at least, the threats posed by a completely interconnected world are not very different from the threats faced by most IT organizations today. Many companies are already intimately familiar with the challenges posed by smartphones, tablets and other wireless-enabled devices. What is different with the IoT is the sheer scale and scope of the challenge.
"The IoT includes every device that is connected to the Internet," said Kevin Epstein, vice president of advanced security and Proofpoint, a security-as-a-service vendor in Sunnyvale, Calif.
That includes everything from home automation products such as smart thermostats, security cameras, refrigerators and microwaves, and home entertainment devices like TVs and gaming consoles, to industrial control machinery and smart retail shelves that know when they need replenishing.
Dealing with the sheer scale of the problem could be a huge challenge for IT organizations.
"The challenges are around volume, stealth and persistence of attacks," Epstein said. Even with current campaigns, attackers are able to relatively easily penetrate enterprise defenses, Epstein said. "Now imagine the volume of attacks increased by [ten-fold]... and no one could turn off the sending devices."