Story image

Interview: MuleSoft discusses the security risks in IoT

26 Jul 18

The Internet of Things (IoT) is quickly making a name for itself as being one of the most promising technological advancements of this century.  Devices, sensors, people, and technology are all converging on the internet, all of which make up IoT.

But with this technology rapidly becoming ubiquitous in business and in the home, the security of those ‘things’ has been subject to intense scrutiny. Vulnerabilities, flaws, and poorly-designed systems are left exposed and subject to cyber attacks, breaches, and in some cases they can lead to death.

We talked to MuleSoft CTO Uri Sarid about how secure IoT really is.

What are some of the trends emerging in IoT and IoT security?

For those looking to take advantage of IoT, a trend that’s commonly emerging is that IoT is as much about integration as it is about the internet. The explosion of IoT devices promises to simplify our lives and protect us from otherwise imminent failures such as unforeseen mechanical errors or running out of stock during peak shopping periods.

However, the challenge many organisations face as they look to create a new generation of connected experiences is that they must integrate IoT technology with new and existing systems. Many enterprises are failing to join the dots in a quick and cost-effective manner.

As this trend continues, we’re seeing a rising interest in application networks as a way of mastering the "Integration of Things". With this approach, organisations use APIs to allow different IoT systems and data to talk to each other and to existing enterprise and SaaS systems, creating a seamless flow of information from one source to another.

Integration thereby takes place in an effective but also controlled manner, extracting the value from the physical “things” while simultaneously providing greater visibility, enabling device upgrades (e.g. security patches) and rationalising software and hardware versions.

What are some of the security risks of IoT?

Security and authentication are emerging as top concerns around IoT deployments and integrations. The same bridges between the physical and the software worlds on which IoT brings value can also bring new threat vectors: unauthorized virtual access can become unauthorized physical access, and software breach can result in massive physical damage. 

New exploits are turning up regularly, whether it’s demonstrations of hacking into connected cars or real, large-scale and successful attacks on broadly-adopted consumer technologies like smart TVs. However, by taking an API-led approach, which defines methods for connecting and exposing assets using APIs, it is possible to introduce fundamentally deeper security and visibility into the the flow of data and control signals.  

In IoT's current state is it for hackers to take advantage of it?

The proliferation of new endpoints has made organisations more vulnerable to hackers. External data sources, cloud platforms and mobile devices all provide valuable services, but they also create new potential avenues for intrusion. Each and every endpoint is a potential door into an organisation's IT systems and data, and hackers only need to open one to wreak havoc.

Many organisations take the approach of trying to lock down all potential entry points, believing an impervious perimeter will protect their IT infrastructure from harm. However this approach is no longer practical as businesses need to link systems with those of partners and suppliers, as well as opening some applications to customers. Entire lock down simply won’t work. This approach also makes it very difficult for an organisation to be agile and take advantage of new opportunities as they emerge.

A much better and more flexible approach is to make use of layers of well-managed APIs. Written and deployed correctly, APIs act like fortified, monitored gates by only allowing traffic through that meets strict criteria. They also ensure users can only gain access to the applications and data for which they have been pre-approved.

In your opinion, what's the best way to secure IoT?

The best way to secure the IoT is by taking an API-led approach. By connecting and exposing assets using APIs, it is possible to introduce fundamentally deeper security and visibility into the flow of data. With this approach, access to IoT devices or their controllers can be done through strategically designed and productised APIs, to provide a well-defined “surface area” for every component in the ecosystem of IoT devices.

What emerges is an application network, which allows for the concept of “security by design.” Every IoT asset is given a defined door through an API, where distinct security requirements can be set. And rather than creating a large and static monolithic application inside the IoT asset, the logic and integration to other systems is distributed outside the asset behind several APIs.

This enables experts to set automated controls and enforce best practices to manage who has access to IoT-enabled systems, what data they have access to and what authentication is required, among other options. By adding this segmentation for users, an enterprise can substantially limit the number of attack vectors and privileged escalations, and create a more secure IoT ecosystem, and ensure it has the trust of its customers, employees, and stakeholders.

You mentioned that 'exposing IoT offers the best protection' - could you go into further detail?

While it may seem counterintuitive, the visibility APIs provide is critical to minimising the vulnerabilities created by IoT devices. IoT devices add new entry points to organisational networks, increasing the ways in which bad actors can enter.

IoT connections must be made visible to security providers, who can help manage them and secure this network of connections. In the same way that motion-triggered searchlights that illuminate late night intruders can help make a property more secure, it’s much easier to protect an IoT ecosystem if security communities have clear visibility across every device, controller and sensor and can see any attempt to gain access.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Verifi takes spot in Deloitte Asia Pacific Fast 500
"An increasing amount of companies captured by New Zealand’s Anti-Money laundering legislation are realising that an electronic identity verification solution can streamline their customer onboarding."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.