Right now, your vacuum could be checking out your home or office for would-be thieves. Many robot vacuums are IoT devices that can be easily hacked, allowing a burglar to use the camera to case the joint.
“We’re at a vulnerable crossroads with the Internet of Things (IoT),” said Robert Falzon, Check Point Software Technologies Head of Engineering, at a recent ITWC webinar. He noted that there will be 85 billion devices globally by 2025. “We’re now seeing over 127 IoT devices added every second. It gives you pause to think about managing it,” he said.
IoT devices are an easy target for hackers. They come with out-of-the-box security flaws, like default passwords, and they’re often misconfigured. The devices are widely used in industries from manufacturing to health care and, increasingly, they’re connected to the Internet. “This was done for cost savings, but it comes at great risk,” said Falzon.
Why IoT security is a challenge:
The biggest challenge to managing the security of IoT devices is the scope, Falzon said. There could be as many as 25,000 devices in a hospital, for example.
Platform diversity is another common issue. “There are many types of products that you might not realize are IoT,” said Falzon. These can range from thermostats to light bulbs. A complicating factor is that many of the devices, such as those in hospitals, are critical to operations.
Traditional tools haven’t worked because there is very little visibility into the vulnerabilities. “Many devices are made very quickly and, as a result, we don’t even know the embedded risks,” Falzon explained. What’s more, new vulnerabilities are being developed all of the time, making it very difficult for legacy solutions to detect them. “These things are hitting so fast that nobody has the ability to identify what they are,” said Falzon .
Finally, organizations struggle to employ the talented professionals needed to bridge the gap between IoT devices and cyber security.
An automated solution
To solve these challenges, a solution must be designed with IoT in mind from the start because it’s a unique environment, said Falzon. Given the scope of the problem, it’s essential to have an automated solution. “Without an automated system that’s consolidated, you’re dead before you begin. There’s no way you can manage it.”
The first step is to do a risk assessment to automatically discover all the IoT devices in an environment and the associated risks. “Knowledge is power,” Falzon said.
Secondly, security policies can be automatically applied based on risk categories of devices, such as critical versus non-critical. “We apply the same approach we use for desktops,” said Falzon. “We have a lot of vulnerability protection we can bring to bear. A well-enforced policy is the best weapon.”
Falzon described a scenario in a hospital where, during the night, a maintenance crew might install intelligent light bulbs with Wi-Fi access points. “It creates a significant risk,” he said. “The idea is that the devices don’t sit unprotected while waiting to be addressed. Instead, Check Point has a solution where the light bulb is automatically detected and the security policy applied.”
Finally, Check Point embeds nanobots into the device itself to protect against attacks. It detects when a device is vulnerable and applies a virtual patch before a problem occurs, he said.
“This is a significant change in IoT security,” said Falzon. “It adds policy and protection in real time for all devices. It makes a huge difference.”