In the Internet of Things (IoT), potentially billions of devices will be connected using machine-to-machine technology enabled by the internet, writes Colin Tankard, Managing Director, Digital Pathways.
This will encompass a wide variety and volume of interconnected ‘things’, including smart buildings and cities, physical security controls, cars, planes, medical equipment and devices, consumer devices and industrial control systems.
According to a recent survey by the SANS Institute covering organisations of all sizes, 66% of respondents are either currently implementing, or planning to implement, IoT applications involving consumer devices such as smartphones, smartwatches and other wearables. Smart building systems are also increasingly being implemented as building operations management systems are connected to networks.
According to SANS, the energy, utilities, medical device and transport sectors, along with smart buildings, will see the highest levels of IoT adoption in the near term.
According to ABI Research, there are currently 1.2 billion connected devices in the IoT, and the market is likely to see strong growth. Estimates vary widely, but an often-quoted figure comes from Cisco, which estimates that 50 billion objects and devices will be connected by 2020.
Verizon estimates that currently some 10pc of organisations have adopted IoT extensively, bringing them many benefits. It states that, by 2025, those that adopt IoT extensively will be 10pc more profitable than those that do not. They will be better placed to innovate, disrupting both established players and new entrants; will afford their customers better experiences; will see accelerated growth and improved performance; and will be able to improve safety and reduce risk.
For example, IoT will enable new ways to protect inventory, equipment and machinery, even in remote locations or over large areas. Within buildings, connected alarms, sensors and tracking devices will make threat detection easier, and connected, remotely activated cameras and other networked security equipment will help to improve physical security.
However, whilst IoT is likely to bring safety and risk-reduction benefits, the devices themselves carry a number of security risks. Research by HP Fortify found that 70pc of the most commonly used IoT devices contain security vulnerabilities. It found that 80pc of devices allow weak passwords, 70pc do not encrypt data transmissions, 60pc have cross-site scripting or other flaws in their web interfaces, 60pc do not use encryption when downloading software updates, and 80pc raise privacy concerns over the amount of data they collect.
Overall, it found an average of 25 security concerns per device. These findings are in line with the OWASP Internet of Things Top Ten, which also provides advice on how to prevent each issue.
Such security issues can have serious consequences, causing damage, disruption to operations or, in some scenarios, even loss of life. In smart buildings, where systems ranging from HVAC, lighting and door access controls to video surveillance and elevators are all interconnected, a vulnerability that is exploited to disrupt power or lighting could cause loss of life in a hospital. In an office building, a hacked door access controller could give an intruder physical access. Such issues are far from hypothetical: the Stuxnet worm demonstrated that malware can disrupt industrial control systems and cause extensive physical damage.
Many IoT devices are not developed with security in mind. Many contain embedded software, often proprietary firmware, that is difficult to patch and upgrade, which leads to vulnerability and configuration management problems. Many devices do not undergo any kind of security review: according to SANS, just 52pc of IoT devices undergo security evaluation or testing prior to production.
Solving the challenges
To solve the security challenges of IoT devices, a different stance is needed. Security must be built into products by design; it cannot be bolted on afterwards. There are moves, such as the stance taken by the US Food and Drug Administration on medical equipment, to encourage manufacturers and facilities to build appropriate security safeguards in from the start of the design process and to remain vigilant for new risks and threats as they are uncovered.
However, it is unlikely that security will become an over-arching requirement of the design process any time soon. In the meantime, organisations should limit what is allowed into the workplace, weighing the risks against the benefits and considering how systems are interconnected, and therefore how risks such as malware infections can spread.
Organisations also need to find a way to enforce data protection policies on all devices in use and to control what data people can access. Identity and access rights should be tightly managed so that every device and connection is authenticated and authorised, and controls should be placed on what information can be viewed and how it is communicated and stored. All data held on devices or in transit should be encrypted to safeguard it from unauthorised access or loss. For devices that are lost or stolen, device management tools that extend to remote data wipe should be considered, especially for personally owned consumer devices.
For devices used in business operations, systems are needed that link physical and network security together to give a total view of incidents, so that management can decide what threat is posed and how it can be controlled. This requires that all IoT devices are managed in the same way as any other equipment connected to the internet and the network: all activity should be closely and continuously monitored for anomalies from a normal behavioural baseline, and organisations should ensure that all devices are correctly configured and operating properly.
Where anomalies are uncovered, organisations need workflow and escalation procedures in place so that those in charge of security are alerted promptly to any potentially serious threat or incident. This greatly reduces the time, and therefore the cost, of remediating problems. It is essential that all procedures and processes are documented and followed in a compliant way, and that an audit trail is generated to provide evidence of the effectiveness of the actions taken.
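The monitoring, anomaly detection and escalation described in the two paragraphs above can be sketched in code. The following is an added example written for this page, not code from the article or from Digital Pathways: it learns a per-device baseline (which destinations each device talks to, and how much it sends) from a learning window of flow records, scores a later window against that baseline, raises alerts with an escalation target by severity, and keeps an audit trail of every decision. The flow records, device names, addresses, the record layout (timestamp, device, destination IP, port, bytes) and the thresholds are all constructed assumptions for the example.

```python
"""Baseline-and-anomaly monitoring for IoT device traffic (added example).

Assumptions: flow records are whitespace-separated lines of the form
"timestamp device dst_ip dst_port bytes"; all records below are constructed
for the example; the severity thresholds and escalation targets are
illustrative, not taken from the article.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed learning window: normal behaviour for two managed devices.
LEARNING_WINDOW = """\
2016-03-01T08:00:01 hvac-01 10.0.5.10 443 1200
2016-03-01T08:05:01 hvac-01 10.0.5.10 443 1180
2016-03-01T08:10:01 hvac-01 10.0.5.10 443 1250
2016-03-01T08:15:01 hvac-01 10.0.5.10 443 1190
2016-03-01T08:00:02 cam-07 10.0.5.20 8443 52000
2016-03-01T08:05:02 cam-07 10.0.5.20 8443 51500
2016-03-01T08:10:02 cam-07 10.0.5.20 8443 52300
2016-03-01T08:15:02 cam-07 10.0.5.20 8443 51900
""".splitlines()

# Constructed live window: one telnet connection to an external address,
# one large camera upload, and one device never seen during learning.
LIVE_WINDOW = """\
2016-03-02T08:00:01 hvac-01 10.0.5.10 443 1210
2016-03-02T08:01:07 hvac-01 198.51.100.9 23 900
2016-03-02T08:05:02 cam-07 10.0.5.20 8443 52100
2016-03-02T08:06:30 cam-07 10.0.5.20 8443 410000
2016-03-02T08:07:00 door-03 10.0.5.30 443 300
""".splitlines()

VOLUME_FACTOR = 3.0  # assumed: bytes above 3x the baseline maximum is anomalous
ESCALATION = {"high": "soc-oncall", "medium": "device-owner"}  # assumed targets


@dataclass
class Baseline:
    """What a device was seen doing during the learning window."""
    destinations: set = field(default_factory=set)  # {(dst_ip, dst_port), ...}
    byte_counts: list = field(default_factory=list)

    @property
    def max_bytes(self):
        return max(self.byte_counts)


def parse(line):
    ts, device, dst, port, nbytes = line.split()
    return {"ts": ts, "device": device, "dst": (dst, int(port)), "bytes": int(nbytes)}


def learn_baseline(lines):
    """Build one Baseline per device from the learning window."""
    baselines = defaultdict(Baseline)
    for rec in map(parse, lines):
        b = baselines[rec["device"]]
        b.destinations.add(rec["dst"])
        b.byte_counts.append(rec["bytes"])
    return dict(baselines)


def score(rec, baselines):
    """Return (severity, reason); severity is one of "ok", "medium", "high"."""
    b = baselines.get(rec["device"])
    if b is None:
        return "high", "device not in baseline (unmanaged or newly connected)"
    if rec["dst"] not in b.destinations:
        ip, port = rec["dst"]
        return "high", f"new destination {ip}:{port}"
    if rec["bytes"] > VOLUME_FACTOR * b.max_bytes:
        return "medium", f"volume {rec['bytes']} exceeds {VOLUME_FACTOR}x baseline max {b.max_bytes}"
    return "ok", "within baseline"


def monitor(lines, baselines):
    """Score every record; return (alerts to escalate, full audit trail)."""
    alerts, audit = [], []
    for rec in map(parse, lines):
        severity, reason = score(rec, baselines)
        entry = {**rec, "severity": severity, "reason": reason}
        audit.append(entry)  # every decision is recorded, including "ok"
        if severity != "ok":
            alerts.append({**entry, "notify": ESCALATION[severity]})
    return alerts, audit


if __name__ == "__main__":
    found_alerts, trail = monitor(LIVE_WINDOW, learn_baseline(LEARNING_WINDOW))
    for a in found_alerts:
        print(f"[{a['severity']}] {a['ts']} {a['device']}: {a['reason']} -> notify {a['notify']}")
    print(f"{len(trail)} records audited, {len(found_alerts)} escalated")
```

Run against the constructed windows, the HVAC controller's outbound telnet connection and the unknown door controller are escalated as high severity, the camera's unusually large upload as medium, and all five records, including the two that were within baseline, appear in the audit trail. In a real deployment the baseline would be learnt over a longer window and refreshed as devices are legitimately reconfigured, and the audit trail would be written to tamper-evident storage rather than kept in memory.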
As the IoT is still in its infancy, organisations would also be well advised to communicate with employees, partners and customers about security and privacy risks, especially where sensitive data is at stake. This should cover both the consumer devices that people wish to buy and use to interact with corporate information, and how devices used in, for example, smart buildings should be monitored and maintained. A single point of failure in a hyper-connected network can initiate a chain of events with catastrophic consequences.
The IoT appears to be an unstoppable force and the rising tide of devices cannot be turned back. Until security issues are solved, organisations need to be vigilant, ensuring that they weigh up the security risks against the benefits to be gained, putting appropriate controls and policies in place, and keeping a constant eye over what is connected to their network and how devices are performing.