On April 12, CableLabs hosted an Inform[ED] conference in NYC focused on the emerging IoT security landscape. This open event brought together business leaders, key technologists, and security experts from multiple industry sectors, academia, and government. They shared in-depth views of IoT's evolution and the increasing security, privacy and policy challenges arising from the ongoing and rapidly accelerating deployment of connected devices.

Billions of new devices lead to an increased threatspace

Shawn Henry of Crowdstrike, a retired executive assistant director of the FBI, set the stage for our experts for the rest of the day. His focus and ideas were repeated and supported throughout the event by speakers and panelists. Security threats pose significant challenges to IoT, with real risk to individuals, businesses, and national security. The threats come from terrorist and organized crime groups along with other nation states. New extremist groups such as the Cyber Califate extend activities of terrorists into a cyber Jihad. Organized crime groups focus on theft of personal identifying information they can monetize, targeting capabilities critical to businesses as they evolve extortion.

Criminals target IoT, losing essential data or the ability to use critical devices unless asset owners pay financial compensation to retrieve. A major example is the rash of ransomware targeting hospitals. And, of course, there have been attacks by nation states, notably attributed to North Korea and Iran. All three types of adversaries steal data, change data, and destroy data to achieve their own ends. However, the IoT benefits are worth investment in effort and resources to protect, and IoT security needs to assess the risks posted by bad actors, mitigating vulnerabilities appropriately.

Collaborating on standards and public policy

IoT risk management is also a concern among policymakers, who take notice when insecure devices impact networks and services. Matt Tooley of NCTA discussed with Allan Friedman of the NTIA the agencies' efforts to galvanize all relevant parties toward solutions through a multi-stakeholder process. Gerald Faulhaber of the Wharton School, Chaz Lever of Georgia Tech, and Jason Livingood of Comcast agreed on the need for broadly shared responsibility for IoT security, and Professor Faulhaber noted some form of government oversight may be forthcoming, though the model is unclear. While certification of devices may provide some key elements we need, it's important we understand policy will likely be slow to evolve. This means businesses, including service providers, device manufacturers and others must evolve their security strategies as adversaries evolve their methods of attacking IoT. Industry-driven solutions will continue to provide the most agile responses to new threats.

Threat mitigation

The team of security experts that came together at CableLabs’ Inform[ed] event are working hard to manage risks and mitigate threats. We heard great insights from Dylan Davis of RiskSense, Terry Dunlap of Tactical Network Solutions, James Plouffe of MobileIron and technical consultant to the popular Mr. Robot series, Dan Massey of the DHS Security & Technology directorate, Tobin Richardson from the Zigbee Alliance, and Matt Perry from Microsoft also the OCF Board of Directors President. Service provider experts includes Brian Rexroad of AT&T, Clarke Stevens of Shaw Communications, and Rich Compton of Charter Communications. This fantastic body of experts provided substantive insight into the IoT security challenge and what needs to be done to protect our infrastructure, data, and user experiences. One of the common themes of the conference — how to secure IoT devices and the infrastructures that connect them – kept resonating throughout the day. We just need to do it. There aren’t that many surprises here — as Brian Scriber of CableLabs provocatively summed up in the final key.

• Encouraging manufacturers to implement well designed and securable code, and enabling the security capabilities and features we know to use in other technology areas.
• It is critical to protect people and devices during onboarding, the process of joining networks and configuring devices and services properly as they are first installed. We need strong device and personal identity methods, enabled through public key infrastructure solutions.
• Our communications and device operations need to ensure confidentiality and integrity while also ensuring appropriate levels of availability.
• Finally, devices must be fully supported throughout their life cycle, and this must include upgradable security and dynamic patching of vulnerabilities.

Our industry knows how to do these things — we've got over 30 years of experience securing our networks and IT systems. The lessons learned are still relevant and should be applied to the broader IoT ecosystem. But, we still see common errors like use of known insecure protocols and use of devices that don't require strong authentication, or even include default credentials so anybody knowledgeable of the device can log on. And people can find those devices through services such as Shodan — a very common theme through the day. There are opportunities for improvement such as better measurement and monitoring capabilities. Applying the benefits of data science and big data practices will help detect vulnerabilities and anomalies faster.    Further, highly automated strategies to patch and reconfigure devices and networks will enable us to address threats quickly. Security's goal is to make attacking IoT sufficiently expensive so adversaries lose interest. Make it too hard or too expensive for bad actors to exploit IoT for nefarious gains.

These business, technology and policy experts provided actionable guidance, making this a unique event – and the audience and panelists left positive and confident that IoT security can be meaningfully improved if all parties share responsibility. Working collaboratively, we can ensure our customers have great experiences that enrich their lives. And we know what needs to be done. We just need to get working together to make it happen.