Story image

Interview: MuleSoft discusses the security risks in IoT

26 Jul 2018

The Internet of Things (IoT) is quickly making a name for itself as being one of the most promising technological advancements of this century.  Devices, sensors, people, and technology are all converging on the internet, all of which make up IoT.

But with this technology rapidly becoming ubiquitous in business and in the home, the security of those ‘things’ has been subject to intense scrutiny. Vulnerabilities, flaws, and poorly-designed systems are left exposed and subject to cyber attacks, breaches, and in some cases they can lead to death.

We talked to MuleSoft CTO Uri Sarid about how secure IoT really is.

What are some of the trends emerging in IoT and IoT security?

For those looking to take advantage of IoT, a trend that’s commonly emerging is that IoT is as much about integration as it is about the internet. The explosion of IoT devices promises to simplify our lives and protect us from otherwise imminent failures such as unforeseen mechanical errors or running out of stock during peak shopping periods.

However, the challenge many organisations face as they look to create a new generation of connected experiences is that they must integrate IoT technology with new and existing systems. Many enterprises are failing to join the dots in a quick and cost-effective manner.

As this trend continues, we’re seeing a rising interest in application networks as a way of mastering the "Integration of Things". With this approach, organisations use APIs to allow different IoT systems and data to talk to each other and to existing enterprise and SaaS systems, creating a seamless flow of information from one source to another.

Integration thereby takes place in an effective but also controlled manner, extracting the value from the physical “things” while simultaneously providing greater visibility, enabling device upgrades (e.g. security patches) and rationalising software and hardware versions.

What are some of the security risks of IoT?

Security and authentication are emerging as top concerns around IoT deployments and integrations. The same bridges between the physical and the software worlds on which IoT brings value can also bring new threat vectors: unauthorized virtual access can become unauthorized physical access, and software breach can result in massive physical damage. 

New exploits are turning up regularly, whether it’s demonstrations of hacking into connected cars or real, large-scale and successful attacks on broadly-adopted consumer technologies like smart TVs. However, by taking an API-led approach, which defines methods for connecting and exposing assets using APIs, it is possible to introduce fundamentally deeper security and visibility into the the flow of data and control signals.  

In IoT's current state is it for hackers to take advantage of it?

The proliferation of new endpoints has made organisations more vulnerable to hackers. External data sources, cloud platforms and mobile devices all provide valuable services, but they also create new potential avenues for intrusion. Each and every endpoint is a potential door into an organisation's IT systems and data, and hackers only need to open one to wreak havoc.

Many organisations take the approach of trying to lock down all potential entry points, believing an impervious perimeter will protect their IT infrastructure from harm. However this approach is no longer practical as businesses need to link systems with those of partners and suppliers, as well as opening some applications to customers. Entire lock down simply won’t work. This approach also makes it very difficult for an organisation to be agile and take advantage of new opportunities as they emerge.

A much better and more flexible approach is to make use of layers of well-managed APIs. Written and deployed correctly, APIs act like fortified, monitored gates by only allowing traffic through that meets strict criteria. They also ensure users can only gain access to the applications and data for which they have been pre-approved.

In your opinion, what's the best way to secure IoT?

The best way to secure the IoT is by taking an API-led approach. By connecting and exposing assets using APIs, it is possible to introduce fundamentally deeper security and visibility into the flow of data. With this approach, access to IoT devices or their controllers can be done through strategically designed and productised APIs, to provide a well-defined “surface area” for every component in the ecosystem of IoT devices.

What emerges is an application network, which allows for the concept of “security by design.” Every IoT asset is given a defined door through an API, where distinct security requirements can be set. And rather than creating a large and static monolithic application inside the IoT asset, the logic and integration to other systems is distributed outside the asset behind several APIs.

This enables experts to set automated controls and enforce best practices to manage who has access to IoT-enabled systems, what data they have access to and what authentication is required, among other options. By adding this segmentation for users, an enterprise can substantially limit the number of attack vectors and privileged escalations, and create a more secure IoT ecosystem, and ensure it has the trust of its customers, employees, and stakeholders.

You mentioned that 'exposing IoT offers the best protection' - could you go into further detail?

While it may seem counterintuitive, the visibility APIs provide is critical to minimising the vulnerabilities created by IoT devices. IoT devices add new entry points to organisational networks, increasing the ways in which bad actors can enter.

IoT connections must be made visible to security providers, who can help manage them and secure this network of connections. In the same way that motion-triggered searchlights that illuminate late night intruders can help make a property more secure, it’s much easier to protect an IoT ecosystem if security communities have clear visibility across every device, controller and sensor and can see any attempt to gain access.

Survey: IT pros nostalgic over on-prem data centre visibility
There are significant security and monitoring challenges faced by IT staff responsible for managing public and private cloud deployments.
61% of CIOs believe employees leak data maliciously
Egress conducted a survey to examine the root causes of employee-driven data breaches, their frequency, and impact.
Opinion: BYOD can be secure with the right measures
Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.
Sonatype and HackerOne partner on open source vulnerability reporting
Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process.
OutSystems and Boncode team up for better code analysis
The Boncode and OutSystems alliance aims to help organisations to build fast and feel comfortable that the work they're delivering is at peak quality levels.
Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.
SIS announces a partnership with Platform 4
“We are looking forward to a strong future in the New Zealand security industry with this global giant as our strategic partner."
Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.