If we split IoT devices into 3 tiers, the highest would consist of well-protected devices, like laptops, that are complex machines with plenty of security software. The middle tier would be made of occasional use, moderate-complexity devices like thermostats, TVs, and refrigerators. Then we have the lowest tier. These devices include HVAC, badges, implantables, and electronic locks. None of these tiers seem to be a problem by themselves. However, when you connect such disparate technologies to one network, there’s no way to provide a one-size-fits-all solution to security.
IoT Security Risks
Shodan is an IoT search engine that, among other things, lets users access vulnerable webcams. You can find feeds from ski slopes, baby cams, cash register security cameras, and marijuana plantations. Thinking about it is enough for me to put a post-it right over my laptop’s webcam. The biggest immediate IoT risk has to do with privacy.
For businesses the risks are a bit less personal. Each new IoT device is a potential conduit leading right into their networks. Hackers will look to exploit the access, potentially even taking control of physical systems, where they could do real, tangible damage. But these businesses aren’t currently allocating budget for IoT security. Security vendors are struggling to provide IoT security features with the limited resources they have.
Maybe the biggest issue is that, while vendors of laptops, tablets, and phones see those high-tier devices as having a life cycle, they don’t see low-tier devices the same way. These companies invest resources in creating and shipping updates for high-tier devices that add functionality and resolve security issues, but low-tier devices are sold and forgotten. This lack of consideration for the life cycle of low-tier devices means they’re shipped without the same security expectations. These low-tier, end devices need to be secured in the manufacturing stage, or by the consumer, if there’s any hope of rebuffing security attacks.
Even if end devices are a hot mess of no-security access points, SDN can help control the network itself. The segmentation it provides can mitigate invasive forays into the network. IoT security is taking a cloud-based approach, which means that SDN can also help route, optimize, and automate security services.
SDN Visibility, Adaptability, and Programmability
SDN can note devices as they’re added to the network. You can program the network to react differently depending on the nature of the device, its potential for maliciousness, and the resources it requires. It also allows you to provision and deprovision the network automatically. This means you can program the network to look out for suspicious activity and divert it to a honeynet until it’s cleared for access.
As artificial intelligence and machine learning improve how they handle massive loads of data, and the responses to such data, this strategy will be more viable. Right now our best bet is a kind of nesting-doll approach to IoT security. Instead of having one firewall at the edge of the network, we can use SDN to create a series of firewalls at different network distances. This allows us to respond to various attacks.
By virtualizing network components and services, you can program automatic, adaptive responses to network devices to reroute traffic and apply access rules. This should help secure data delivery, even from end devices. You can segregate network paths where a security breach is detected and investigate it from a centralized point. This seriously reduces the amount of time and effort needed to look at each potential security issue.
SDN is hardly an elixir for IoT security, but it is a helping hand. It won’t block access to the many under-secured end devices out there. It can prevent those access points from being highways into more potentially dangerous information. Again, there isn’t any one-stop cure-all for IoT security. However, we can take steps to mitigate the risks that come from the extreme proliferation of IoT devices. SDN is the key to managing IoT.