A few weeks back I wrote about PTC and HPE’s IoT partnership announcement, which I saw as a missed opportunity to talk security, especially coming right on the heels of the October 21st Dyn DDoS attack. You can read more about the IoT collaboration announcement and the Dyn DDoS attack here.
IoT companies seemed to agree. On November 1, Rapid7, a provider of security data and analytics solutions and services, announced the expansion of its consulting and assessment services to include securing the Internet of Things (IoT).
Says Rapid7, “compromised IoT devices can be used to launch crippling denial of service (DDoS) attacks… Recent cyber-attacks have taken advantage of IoT device weaknesses.” Rapid7 researchers have in the past identified security vulnerabilities in internet-connected consumer products such as insulin pumps, baby monitors, light bulbs, and cars. With the Dyn DDoS on October 21st, we saw that backdoors in consumer IoT products can be exploited, leaving these devices vulnerable to attack. Though the Dyn DDoS attack in particular was directed at consumer products, it has staggering implications for enterprise IoT security as well. Mentioning its relevance in the context of a larger enterprise IoT security play is strategic for Rapid7, and something that Blue Hill felt was missing from PTC and HPE’s recent IoT announcement.
Rapid7 plans to support organizations in building security into the development and deployment of IoT products by testing for security vulnerabilities in hardware and software throughout the product development stages.
For consumer, enterprise, industrial, medical, and transportation devices, Rapid7 will offer the following services as part of its IoT solution: strategic guidance, threat modeling, device design consulting, incident response, and security testing and vulnerability analysis, which includes IoT penetration testing, hardware testing, protocol testing, and firmware analysis.
Blue Hill believes that Rapid7’s approach of incorporating security within the design phase of IoT products offers the potential to entwine security with product architecture, creating a security solution that covers more touchpoints throughout the entire IoT stack. Once the product design and security stage is complete, Rapid7 works with the enterprise to perform security testing across the entire IoT ecosystem: from the mobile app to cloud APIs, communication protocols, and hardware and firmware. Rapid7’s aim is to create standards and best practices for IoT security that can be applied across enterprises and products.
Blue Hill notes that by moving toward a secure IoT platform that bridges the network, software, and hardware layers, Rapid7 recognizes the challenge of managing the many-entry-point systems characteristic of IoT. Enterprises taking a single-solution approach to IoT security are potentially neglecting vulnerabilities that may arise anywhere in the IoT technology stack. Blue Hill advises that a comprehensive approach to IoT security is essential to securing the multiple entry points through which attacks can be launched.