And it’s no wonder. In the high-profile Dyn attack, the Internet infrastructure company was hit with a tsunami-sized distributed denial of service (DDoS) attack that washed over its customers (including Twitter, Netflix, Amazon.com, Spotify and a host of others), taking them temporarily offline. This massive attack, as noted by KrebsOnSecurity, was accomplished by cyber criminals commandeering IoT digital video recorders and CCTV video cameras and adding them into a network of DDoS bots.
But Dyn has not been the only victim of IoT-related security concerns. Last year, the U.S. Food and Drug Administration (FDA) issued an alert that the Hospira Symbiq Infusion System could be remotely accessed through a hospital’s network, and the pump’s dosage changed without authorization. And on the consumer front, Chrysler issued a recall last year for 1.4 million of its Jeep Cherokees, after security researchers demonstrated they could take remote control of the vehicle, as reported by Wired.
“Since IoT goes across the entire ecosystem, all types of security careers have been in demand, and that demand is only increasing,” Shankar Somasundaram, senior director of Internet of Things for Symantec, told IEEE-USA InSight. “People who have worked on embedded systems and security, in particular, have an edge. Over time, I believe that security specialists with vertical- or industry-specific knowledge will have an edge as well. We’re starting to see some of that in the industry, but we still have some ways to go.”
IoT security career paths
Security hiring managers and one tech recruiter weighed in on what an IoT security career path may look like and how to get there. All agreed it starts with a basic understanding of computer science and security.
Beyond that, their opinions varied on the path security professionals can take to parlay their existing skill sets into an IoT security career, or to morph into one from an unrelated IT career.
Across IoT, Raj Samani, CTO of Intel Security EMEA, told IEEE-USA InSight there is a huge demand for security researchers, as reports of hacks on everything from connected cars to other IoT devices make headlines. As a result, intrusion detection, secure software development and attack mitigation rank among the most desired skills, he added.
Secure software development and verticals also struck a chord with Tom Caldwell, senior director of software engineering at Webroot.
“Security needs to be by design in IoT, and it usually starts with the software developers. The greatest demand is for security consultants that understand the software, the network and the cloud, since most IoT devices connect to the cloud. I have also seen demand pick up for privacy related security jobs, as many IoT devices store or transmit sensitive and personal data,” Caldwell told IEEE-USA InSight.
He noted IoT falls into two buckets: industrial IoT (IIoT), which serves such vertical industries as healthcare, oil and gas or manufacturing, and consumer IoT, such as automobiles, smart homes, appliances or toys.
Caldwell, an IEEE Cyber Security Ambassador, noted that whether a security professional is pursuing a career in industrial IoT security or consumer IoT security, a smart move would be to acquire machine learning and analytics skills, as well as gain some understanding of how wireless technology is transmitted.
“IoT usually has a large volume of devices and you cannot monitor one device, but need to monitor across a spectrum of devices. With machine learning, you learn what certain behaviors look like and learn to detect when that behavior changes to recognize an attack,” Caldwell said. He noted IoT data is then usually transmitted wirelessly, often to the cloud where the big data is housed and needs to be analyzed.
Based on the type of security flaws found in IoT devices, an IoT security career would fall into one of two categories, said Morey Haber, vice president of technology for BeyondTrust. One is design and manufacturing security engineers, similar to QA and reliability engineers, who would design, test and update IoT devices to mitigate risks, while the second category would be commercial security professionals.
This latter group consists of engineers who design IoT devices for corporate infrastructure by using segmentation, assessing for risks and ensuring the devices do not become a liability to the business, Haber told IEEE-USA InSight.
Leveraging security skills for an IoT career
Security professionals who are already assessing and mitigating risks to infrastructure devices like routers, switches, printers and alarm systems will have the easiest time leveraging their existing skill sets in an IoT security role, Haber said.
“These professionals are accustomed to managing purpose-built devices with complex update procedures, potentially broad security issues, and lack of expertise for best practices for hardening and security. For example, how many people do you know that can harden a multi-function printer? If you just set the IP address and begin using it, it is exposed to a myriad of vulnerabilities from SNMP, default passwords, exposed services, and potentially even email relay servers,” Haber explained. “Understanding how to secure a device like this is similar to an IoT device, and these team members will have the easiest transition.”
Symantec’s Somasundaram believes that security professionals with a strong, across-the-board, in-depth knowledge of endpoint, network and backend systems will have an easier time transitioning to IoT security.
He noted, however, since security professionals are so few and the demand is so high, virtually anyone with a good security background would be welcomed at an organization and given the necessary training to handle IoT security.
John Reed, senior executive director of IT recruiting firm Robert Half Technology, said network security professionals will have a relatively easy transition to IoT security because they are used to navigating complex connectivity.
Moving closer to an IoT role
And for security professionals who don’t have the type of skills that would directly correlate with an IoT position, the jump would not be that great to get there, say hiring managers and recruiters.
“Focus. Establish an area of focus,” Samani said. “IT is such a broad topic and security across all markets is just one element to the industry. For example, critical national infrastructure systems will have a very different set of security challenges to, say, consumer IoT devices.”
Caldwell advised these security professionals to learn more about chipsets and embedded software environments for IoT devices. And this gleaning of knowledge may also depend on the class of IoT device, such as drones, cars or Fitbit monitoring wristbands.
In offering a more basic approach, Somasundaram said, outside of having a broader understanding of security, it would be helpful for the security professional to know the differences between IoT security and IT security. In addition, it would be beneficial to gain insight into the challenges and differences across industries as it relates to security.
IoT security salaries and future
“IoT is still growing, and in the future, we’re going to see a burst in demand. That will create a great career option for many security IT professionals who are willing to learn about IoT security,” Somasundaram said.
When it comes to the salaries that IT security professionals earn, they can range from approximately $100,000 to $200,000 on average, depending on the job title, level of experience and location where an individual works, said Reed.
He added, however, that IoT security professionals will likely earn more than that average IT security salary.
“Since it may be more difficult to find professionals with IoT experience, some employers may be willing to pay more in order to help with the recruitment of these professionals,” Reed said.
But some IT professionals look for more than a six-figure salary. Samani provided this perspective on the role of an IoT security worker: “Do you want a career that is fast paced, exciting, at the cutting edge of technology, cool to your peers, pays well, and one where you don’t really have to wear a suit? Then this is the place for you.”