Businesses shouldn't let security scares put them off IoT

The recent massive DDoS attacks should act as no deterrent to rolling out Internet of Things projects

It cannot have escaped the attention of many that a distributed denial of service (DDoS) attack managed to seriously impact the availability of many sites on the internet at the end of last week, causing difficulties for a great many users trying to access sites such as Twitter, Netflix and GitHub.

The finger of blame is being levelled squarely at the Internet of Things (IoT), but is this really the case, and if so, where does that leave IT chiefs in organisations that may have been considering their own strategy for digital transformation of their business processes? Should these projects be reconsidered or even abandoned?

It could represent a missed opportunity if organisations shelve plans to implement an IoT strategy because of incidents like this. One opportunity that IoT offers is the ability to collect data from connected devices and analyse it to gain some information on how processes might be improved. Intel often cites the ability to monitor machinery for signs that a fault may be developing, which would enable pre-emptive maintenance to prevent a failure.

Last week’s incident involved a so-called “botnet”, an army of compromised internet-connected devices that have been infected by malware, enabling an attacker to take control of them. Such a botnet can be used to deliver a coordinated attack on specific sites by flooding them with more traffic than they are able to cope with, which is why it is called a denial of service attack.

But this kind of incident is nothing new, nor are the vulnerabilities exploited in order to infect the devices concerned. It is worth remembering that the Internet of Things is, in reality, the same old internet that organisations have been using for years.

What has changed with the Internet of Things is that the type and range of devices that are now being connected to the internet includes many bits of hardware that are unlikely to have been connected in the past. This includes such things as domestic thermostats, security sensors, and IP video cameras, but also industrial machinery and even traffic lights.


Cowboy country

IT departments are well aware that the internet is like the Wild West, and connecting anything up to it means exposing it to the entire world. Many corporate IT professionals will have learnt through years of bitter experience that security is one of the things that you neglect at your peril, and that it needs to run through all aspects of your IT infrastructure like the letters in Blackpool rock.

Alas, many consumers as well as the makers of consumer goods have not had this experience, and so they do not understand the need to change default admin passwords, or that having a remote backdoor into a product is like leaving a window open to your house.

The takeaway for CIOs and other IT chiefs is not to pay too much attention to the opprobrium being heaped on the Internet of Things. While consumers may just plug some cheap and cheerful piece of kit into their network and forget about it, an enterprise IoT deployment is likely to be carefully planned, and also likely to be executed in partnership with systems integrators that have long experience in such matters.

Often, the hardware involved, such as Dell’s Edge Gateway products, has more in common with a PC than with a cheap and cheerful consumer device. The upshot of this is that such hardware can be managed by the IT department using similar admin tools to the rest of the IT infrastructure, and can also support many of the same security and monitoring tools.

This is not to say that enterprises should be complacent about security, but that there are other things that should be of greater concern than worries about an IoT deployment introducing new security vulnerabilities to the corporate network.

If anything, last week’s attack should have been a wake-up call to how exposed businesses might become if they rely heavily on internet-based services such as those delivered from public clouds.

We are often told that we are near the beginning of a major shift in the way IT services are delivered, from organisations operating and managing their IT infrastructure themselves internally, to a future where IT is treated like a utility and delivered on-demand over the internet from a service provider.

While there is now a burgeoning uptake of cloud-based services, IT chiefs still need to consider carefully what they would do if they migrated any mission-critical functions out to a cloud provider, and these were then to become unavailable for any great length of time.

Even the largest and most reliable cloud providers, AWS and Azure included, have been known to suffer service outages, and last week’s incident has shown that an attack on something like a DNS service provider can cause widespread havoc across the internet without the attackers having to directly interfere with a specific cloud provider or the users of that cloud.

In other words, you do not have to be the target of an internet attack in order to feel the effects of it, which points up the vital importance of having some form of contingency plan. This means not only having a failover in place so that key services will still be available even if internet access is lost, but also having more than one DNS service provider, and organisations making arrangements with their communications provider to mitigate the effects of any denial of service at their infrastructure level.

The Internet of Things is a convenient scapegoat for last week’s incident, but the reality is that anything connected to the internet, including routers and servers forming part of the infrastructure itself, can be compromised if security is not taken seriously enough.