Most enterprise security organizations are unlikely to have a spamming refrigerator on top of their list of things to worry about. But news earlier this year that an Internet-connected fridge was co-opted into a botnet that sent spam to tens of thousands of Internet users is sure to have piqued the interest of at least a few.
If nothing, the incident showed how even a benign consumer appliance could pose a danger to enterprises if connected to the Internet without proper security protections.
Over the next few years, analysts expect tens of billions of devices to be connected to the Internet in similar fashion. The so-called Internet of Things (IoT) phenomenon promises, or threatens, depending on your point of view, to transform our understanding of the Internet and a networked world. A lot of what will transpire will be on consumer-oriented products. But as with everything in technology, what happens in the consumer world will inevitably affect the enterprise.
Here in no particular order are six ways the Internet of Things will affect enterprise security:
1. The IoT will create billions of new (insecure) end points
Analyst firms have differing takes on the number of devices or "things" that will connect to the Internet by 2020. Estimates range from Gartner's 26 billion devices to IDC's somewhat dystopian projection of 212 billion installed devices. Regardless of which is right, the one thing that is certain is that a lot of IP-enabled devices will one day find a home inside enterprises. Examples include smart heating and lighting systems, intelligent meters, equipment monitoring and maintenance sensors, industrial robots, asset tracking systems, smart retail shelves, plant control systems and personal devices such as smart watches, digital glasses and fitness monitoring products.
Many of the products will be single-purpose devices that originate in the consumer market. Others will have Internet connectivity added, almost as an afterthought, via cheap sensors. A vast majority will have little to no protection against common online attacks. The operating system, firmware and patch support that IT organizations have long been accustomed to, will not always be available with these devices.
The IoT inherently creates billions of insecure new endpoints, said Eric Chiu, president of cloud security vendor Hytrust. These IP-addressable devices will create new vectors of attack designed to either compromise the device or gain access to the enterprise network.
IoT devices will typically not be protected with whatever anti-spam, anti-virus and anti-malware infrastructures are available, nor will they be routinely monitored by IT teams or receive patches to address new security issues as they arise, Chiu said.
The idea that enterprises can somehow control whom to let in is going to go out the window, Chiu said. "Companies will have to just assume the bad guy is already there," and respond accordingly. This does not mean abandoning perimeter defenses. Rather it means adopting a strategy that starts with presuming the attackers are already in the network, he said.
2. The IoT will inevitably intersect with the enterprise network
Just as there are no truly standalone industrial control networks and air traffic control networks anymore, there won't be a truly standalone enterprise network in an IoT world, says Amit Yoran, general manager at RSA and former director of the National Cyber Security Division at the U.S. Department of Homeland Security.
Regardless of whatever network segmentation techniques and air gaps that an enterprise might employ, there will be points where the IoT will intersect with the enterprise network. Those touch points will be highly vulnerable to attack.
The IoT will pervasively connect to everything, including enterprise networks, Yoran said. "Today we have the enterprise network and the cloud. We know we have enterprise users coming in via BYOD directly to cloud-based resources without ever traversing the enterprise network," he said.
The IoT will exacerbate the issue to a point where it's going to be incredibly messy trying to control the various internal and external devices that gain access to enterprise data stored on premise or in the cloud.
"The IoT and the enterprise network will intersect. If you can hack into a web-enabled device which also happens to have connectivity to the corporate network or infrastructure, you can create a bridge to pass traffic back and forth," from the enterprise, Yoran said.
"There are ways we can try and mitigate the risk," he said. But in the end, everything will be interconnected. "You don't have to look far into the annals of computer history to know that it is going to happen. We as a society are running headlong into it."
3. The IoT will be a world of heterogeneous, embedded devices
Most "things" in an IoT world will be appliances or devices with applications embedded in the operating system and wrapped tightly around the hardware, said John Pescatore, director of research at the SANS Institute in Bethesda, Md.
In that sense, the IoT universe will be very different from the layered software model to which IT and IT security groups are so accustomed.
For one thing, the devices themselves will be highly heterogeneous and IT will have a hard time getting everyone to use the same technology, Pescatore said.
Many of the communications protocols in an IoT world will be different as well. Instead of TCP/IP, 802.11 and HTML5, IT organizations will have to deal with newer protocols like Zigbee, WebHooks and IoT6. And instead of the typical two to three year IT lifecycles, IT will need to get accustomed to lifecycles ranging from just a few months to more than 20 years in the case of some devices, he said.