In October 2016, a worldwide distributed denial-of-service (DDoS) attack crippled the internet, infecting thousands of devices with malware that spread through home cameras, DVRs, and other connected devices. The malware doing the damage was not extremely sophisticated -- but neither were the malware protections or user IDs and passwords that were easily detected and spoofed to break into home devices. In a nutshell, the Internet of Things (IoT), which consists of sensors, cameras, DVRs, mobile phones, and so on, that communicate over the public internet, is extremely vulnerable.
Meanwhile, corporate auditors are only now beginning to get their arms around how they vet companies for IoT security protection. Their client companies are ill-prepared for IoT security because:
The IoT devices they have under management use a diversity of internet communications protocols -- and most of these IoT devices only have low-end processing power and storage capacity -- so they can't be extended with security solutions.
It's hard to keep track of this plethora of IoT devices and keep them updated.
"Modern businesses are digital hives of connected objects that all too often lack adequate security, providing attractive gateways for cyber attackers," said IoT security expert Dave Palmer, director of technology for Darktrace. "That could be anything from a printer or a thermostat connected to the corporate network, through to a connected coffee machine or iWatch."
One promising technology for IoT security monitoring and breach prevention is machine learning and behavioral analysis -- a branch of artificial intelligence (AI).
The AI technology being commercialized, which is still in early deployment stages, uses the cloud to gather all the data from the various IoT endpoints in a company. In the cloud, mathematical algorithms perform analytics to 'learn' about what 'normal' behavior is with respect to how your corporate endpoints are communicating with each other and through the internet. The input from these devices is analyzed to determine usual patterns of communication so that malicious behavior can be spotted at very early stages -- time enough to intervene and stop the problem in its tracks.
The problem with this method is the same type of problem that financial institutions encounter when they look for potential incidents of fraud occurring on credit cards: You can get a lot of false positives. (What happens if your cardholder really is in Nigeria and just made a purchase?) To combat the possibility of over-sensitivity in cloud-based security usage pattern checks that use AI and machine learning, some industry experts propose augmenting the machine learning and algorithm process with human checks and verifications.
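The learn-then-flag approach and the human check on uncertain results can be sketched as follows. This is an added example, not code from the article or from any vendor it names; the device names, destinations, byte counts, and the threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (device, destination, bytes sent); not real telemetry.
TRAINING_FLOWS = (
    [("camera-01", "nvr.corp.example", b) for b in (4800, 5000, 5200, 5100, 4900)]
    + [("thermostat-07", "hvac.corp.example", b) for b in (200, 220, 180, 210, 190)]
)

Z_LIMIT = 3.0  # assumed threshold: standard deviations from the device's mean volume


def learn(flows):
    """Build a per-device baseline: destinations seen and byte volumes observed."""
    baselines = defaultdict(lambda: {"peers": set(), "volumes": []})
    for device, dest, nbytes in flows:
        baselines[device]["peers"].add(dest)
        baselines[device]["volumes"].append(nbytes)
    return dict(baselines)


def score(baselines, device, dest, nbytes):
    """Count independent deviations from the device's learned behaviour."""
    base = baselines.get(device)
    if base is None:
        return 2  # device was never baselined: treated here as a strong signal
    signals = 0
    if dest not in base["peers"]:
        signals += 1  # destination never seen during the learning period
    mu = mean(base["volumes"])
    sigma = pstdev(base["volumes"]) or 1.0  # avoid dividing by zero on flat baselines
    if abs(nbytes - mu) / sigma > Z_LIMIT:
        signals += 1  # volume far outside the device's usual range
    return signals


def triage(signals):
    """One weak signal goes to a person; corroborated signals raise an alert."""
    return ("normal", "human_review", "alert")[min(signals, 2)]


def classify(baselines, flow):
    return triage(score(baselines, *flow))


if __name__ == "__main__":
    model = learn(TRAINING_FLOWS)
    for flow in [("camera-01", "nvr.corp.example", 5050),
                 ("camera-01", "updates.vendor.example", 5100),
                 ("camera-01", "203.0.113.50", 900000),
                 ("printer-99", "203.0.113.50", 300)]:
        print(flow, "->", classify(model, flow))
```

A camera contacting a new destination at its normal volume is the IoT counterpart of the cardholder who really is abroad, so it is queued for a person rather than blocked automatically.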
Regardless of the approach, though, no one disagrees with the need to be aggressive in deploying IoT security technology that's fit for the task -- or with the role that AI and machine learning are likely to play in the process.
In August 2016, DARPA (Defense Advanced Research Projects Agency) held its first All Machine Hacking Tournament at the Paris Casino in Las Vegas. More than 100 teams consisting of some of the top security researchers and hackers in the world competed against each other's AI and machine learning based Cyber Reasoning Systems (CRSs) to see how capably their systems protected hosts, scanned the network for vulnerabilities, and maintained the correct function of software.
Tech vendors such as Darktrace use AI and machine learning solutions that can assist companies with the security monitoring of IoT devices.
Earlier this year, AI researchers used cloud-based AI to uncover security vulnerabilities in LinkedIn, the world's largest online professional network. This was good news -- but there is more to be done.
"We need to improve the speed and accuracy of big data analysis in order for IoT to live up to its promise," said Mark Jaffe, president of Prelert, which provides a behavioral analytics platform. "If we don't, the consequences could be disastrous and could range from the annoying -- like home appliances that don't work together as advertised -- to the life-threatening, such as pacemakers malfunctioning or hundred-car pileups."
"The only way to keep up with this IoT-generated data and gain the hidden insight it holds is with machine learning," Jaffe added.
Here are five steps CIOs should take now.
1: Take control of your IoT deployments
In many cases, mobile phones, sensors, and other devices are being put in place by end users without anyone else knowing. A case in point is logistics, where it's easy to just snap a sensor onto a box or a pallet -- but no one who is supposed to be centrally controlling these devices necessarily knows. If you're ever going to monitor all edge entry points for malware, you first need to gain control of the edge.
2: Include cloud-based AI and machine learning in your strategy
IoT is a technology where an outside vendor is more likely to have experience in IoT security monitoring than your staff. Cloud-based AI and machine learning have the potential to offer security protection for your IoT devices that you can't provide internally.
3: Secure your physical facilities
Employee carelessness, or even sabotage, continue to be risk areas for enterprises. Most IoT in enterprises is going to be located outside corporate data centers in factories, warehouses, field operations, and so on. It's important that physical access to these machines and devices be limited to authorized personnel.
4: Do what you have always done
This includes tracking and tracing devices, shutting devices down when they are lost, collecting them from employees who leave the company, and ensuring a centralized process where the latest security updates for the operating systems that users are running on mobile phones, laptops, and other devices are installed.
5: Explain IoT security and concepts like artificial intelligence and machine learning in plain English
At some point, you have to communicate with your CEO and the board about the importance of IoT security and why technologies like artificial intelligence and machine learning are needed to do this. In many cases, boards are not going to understand what AI and machine learning are, or what they can do for IoT security, unless you explain it to them clearly. This is a necessary communication step that all CIOs should take.