The world is becoming increasingly digital, driven by near ubiquitous wireless connectivity, inexpensive processing, ever-more sophisticated sensor solutions, and proliferation of internet- connected devices.
The Promise of the Internet of Things
An internet-connectable device is any device that can connect to the internet directly and has a unique internet protocol (IP) address. Internet-connectable devices range from basic sensor and telemetry devices to powerful computing devices with a full operating system and a rich user interface. The internet of things (IoT) represents the notion that internet-connected devices can be used to enhance communication, automate complex industrial processes, and even create unique new value propositions and business models by linking disparate systems of connected devices.
Among other benefits, the pervasive interconnectedness, which IoT represents, will enable companies to better manage global operations across multiple locations, as well as improve operational efficiencies and link customers more closely with their vital supply chain partners.
The Risks of IoT
This unprecedented level of connectedness is expected to raise enterprise vulnerability, particularly with IP-based connectedness.
With 50 billion IP-connected devices expected to come online by 2025, the security vulnerabilities are dizzying. Vulnerabilities exist at multiple layers, from the actual endpoint devices—such as smartwatches, connected cars and connected industrial sensors—all the way to the cloud. As a result, ensuring secure IoT solutions must take an end-to-end approach to system design, implementation, and installation.
The cloud will also play a pivotal role in future IoT applications—enormous volumes of data, particularly from sensors, will need to be collected and stored in the cloud. Increasingly, advanced analytics will need to be applied to convert all of this “machine data” in the cloud into valuable information.
Assessing the Threat
Vendors must address security concerns to achieve full potential. From a security perspective, areas of particular concern in the IoT ecosystem include the devices, the transport network and the cloud.
In order to lock down security at the device level, semiconductor vendors are looking to create a secure foundation of trust that ensures high levels of security during key times of vulnerability, including at boot-up and also while communicating with other devices and the cloud. Hardware roots of trust, which embed authentication and encryption to ensure security, are able to provide a high level of security at the endpoint.
A number of silicon vendors have made strategic acquisitions recently to burnish their security credentials and to enable software developers to establish high levels of security in their IoT applications. In many cases, chip vendors are beginning to recognize security not just as a core competency but also as one of the fundamental drivers of value within the IoT ecosystem. These companies are relying on acquired technology to augment a value proposition centered on building in security at the transistor level.
This new embedded functionality will be optimized by software to harden security on IoT devices, lock down data transmissions, and offer close monitoring to ensure the success of IoT security implementations.
As the internet of things has moved beyond cellular, it has introduced a number of new wireline and wireless technologies, each with their own set of security vulnerabilities. For instance, in the connected car, embedding cellular along with other wireless technologies such as Bluetooth and WiFi, creates thousands of new points of vulnerability which could potentially be exploited by hackers to gain access and control sensitive vehicle systems.
Such was the finding of a study funded by the U.S. Department of Defense’s Advanced Research Projects Agency (DARPA), in which researchers used a laptop to access a vehicle and control its engine, brakes, steering and other critical components. In 2014, the U.S. Department of Homeland Security reported that a sophisticated hacking group attacked a U.S. public utility and was able to break into its control system network. In total, the agency reported there were 256 cyber-incident reports last year, more than half of them in the sensitive energy sector.
Yet another major point of vulnerability lies in the cloud/data center, as much of the magic of IoT is the ability to store mega-volumes of historical data in the cloud, and to make smarter decisions by analyzing and learning from this real-time data being gathered by sensors and other network edge endpoints. This implies a challenging new role for the data center, and raises the stakes for both data-center security operations and data in transit between endpoints to the cloud.
To combat these vulnerabilities, data centers should aggressively monitor network traffic for potential attacks. For enterprises eyeing sophisticated IoT deployments that take advantage of the power of the cloud, it will be imperative to go the extra mile to ensure that their data centers, and those of their third-party providers, are equipped to eliminate any new security vulnerabilities.
Threat Response, How to Mitigate
While these are just a few examples of some key areas of vulnerability in IoT, the truth is that the security challenges from IoT deployment exist at every point in the IoT network. Accordingly, it behooves enterprises to adopt a multi-layered approach to IoT security:
- Ensuring proper firewalling of networks
- Aggressive monitoring of third-party developers to ensure use of proper security procedures
- In some use cases, physically preventing theft or tampering of IoT modules or devices
Additionally, in many security breaches there proves to be a human element; as a result, employees must be trained on proper security measures and how to recognize scams in which malicious actors are inadvertently allowed access to internal corporate networks.
Enterprises with exposure to IoT security threats should consider how best to mitigate or transfer these risks that could affect their corporate financial goals and operational stability. Implementing proper network firewalls, aggressively monitoring third-party developers and implementing more strict physical access rules to sensitive IoT modules or devices can help to reduce some liabilities. An examination of the potential exposures to risks associated with IoT devices and related services is highly advised. Working closely with its risk adviser can help an organization determine potential cost and risk exposures and develop a range of insurance coverage options available to offset such risks. Most often it will involve multiple segments of risk, including cyber, property, liability, crime, and management and professional risks. Preparing now against the most prominent IoT security threats will improve a company’s competitive position by placing it in a more threat-aware, and risk- minimized position.
At the end of the day, IoT security is more of a journey than a destination, as the nature and level of sophistication will continue to evolve along with the evolution of IoT applications. While it is unrealistic to expect elimination of all IoT security breaches, enterprises will need to maintain a high level of vigilance and implement robust threat monitoring procedures to ensure the highest level of security possible.