Internet of Things (IoT) is one of those terms that conjures up a wealth of opportunities, as well as some daunting challenges. Embedded sensors in devices such as cars, kitchen appliances, home security systems, heart monitors, fitness bands, and smart watches can definitely make life easier. But collecting, using, and sharing this kind of information over the Internet can make data security, and even personal safety, an enormous concern.
IDC’s global 2016 survey illustrates both the promise and the growing pains of IoT. For 56% of enterprises, IoT is part of their strategic plans for the next two or three years. But the state of adoption varies widely among industries, with manufacturing, retail, and financial services on the cutting edge, and government, healthcare, and utilities moving more slowly. For these latter industries, complying with regulations is an essential part of adoption.
- Securing sensitive data generated by IoT devices is already the top concern of most security professionals (36%).
- This is followed closely by privacy violations related to data generated by IoT devices (30%).
- Cyber attacks are also a growing threat as more connected devices join the IoT ecosystem.
Because IoT can provide an avenue for hackers to penetrate connected cars, critical infrastructure, and even people's homes, several tech companies are focusing on cyber security in order to secure the privacy and safety of IoT data.
What’s at Risk
Imagine your car suddenly being taken over and driven remotely. Or your home security system being hacked so that it spies on you and your family. These kinds of possibilities are enough to make consumers think twice about the promise of IoT. They are also opening the eyes of the vendor community to the dangers of connecting products when IoT security is not adequately understood and addressed.
Biggest Security Challenges
- Parts of the IoT landscape lack basic security standards.
- Smart devices generate large amounts of data and use multiple communication channels and remote computing resources.
- User data needs to be processed and encrypted to keep it safe.
- Locally, IoT devices are connected to the same network and, therefore, can be accessed over the Web.
- In order to prevent cyber attacks, each smart device would have to be segmented into its own network with restricted access.
Realizing the Potential of IoT through Security
If the great potential of IoT can only be realized when basic security safeguards are in place, what should those safeguards be?
At the most basic level, IoT security must encompass the complete system surrounding an IoT device or connected product. This includes mobile and web apps, servers, databases, and integrations with other systems:
- Securing data to avoid data compromise
- Preventing unauthorized access or control
- Protecting against device cloning
- Guarding against device hacking
At a macro level, it also includes:
- The ability to address potential security vulnerabilities in IoT devices or applications through patching and security upgrades throughout their lifecycle
- Common industry definitions so consumers know what they are getting as they add IoT to their everyday lives
Because these last two represent such widespread concerns, NTIA is planning to launch a new multi-stakeholder process to support better consumer understanding of IoT products that support security upgrades. The goal will be to promote transparency in how patches or upgrades to IoT devices and applications are deployed, and also to promote a set of common, shared definitions and tools.
The Bottom Line
The advent of IoT comes with some scary predictions:
“Sometime during 2017 we should anticipate the release of an automatically propagating IoT worm that installs a small, persistent malicious payload that not only continues to infect and propagate amongst other vulnerable IoT devices, but automatically changes all the passwords necessary to remotely manage the device itself. The owners of the now locked-out devices will be forced to pay a ransom to the mastermind behind the worm in order to learn the new password, thereby taking the ransomware threat to the next level. To prevent this worm – and future versions – device owners will not only have to preemptively change default passwords of the devices, but also manage the patch level of the kernel software on the device to prevent exploitation of new vulnerabilities.”
The burden is on IoT companies to make their devices secure, even if vulnerabilities are not necessarily solely their industry's fault.
Jeannie Warner, security strategist at WhiteHat Security, feels that new guidelines will force more application security vendors to partner with device control testing labs. This will help the innovative organization manage risk by identifying vulnerabilities early in development, continue to monitor challenges during testing, and help release more secure products.
A Few IoT Best Practices
These simple steps will go a long way toward making IoT devices and their users more secure:
- Educate yourself on potential vulnerabilities.
- Know who your partners are and what their security posture is.
- Look to experts who will help you navigate the often rough waters of security.
- Investigate security technologies including public key infrastructure (PKI) that can help fortify products against many of these vulnerabilities.
- And most importantly, ensure that security is purpose-built into every aspect of the ecosystem that is running your particular IoT product, service, or device.
As we realize the Internet of Things’ enormous potential, let’s give ourselves the best shot at an innovative and secure experience for everyone connected to the IoT world.