IoT and Security: Cause for Concern?
The Internet of Things (IoT) holds great promise for the future. Enterprises view IoT as a new revenue stream. A study we commissioned from Oxford Economics shows that revenue growth is by far the biggest factor driving IoT adoption. Throughout 2016 and beyond, we'll continue to see IoT deployed as a mainstream path to generate higher revenue, thanks largely to the rise of four key trends which have come to an inflection point in the past year - data monetization, core IoT networks & low power devices, platforms as a service, and investment in IoT startups.
"As IoT devices become more closely integrated with core enterprise systems, the more important it is that security is made paramount from the start."
But with great promise comes great responsibility. IoT devices collect, store, transmit, aggregate and analyze massive amounts of data. If properly protected, the data and the devices can make life easier. If not, they can become a nightmare. Thus, when developing any IoT strategy, it is important to look critically at what information the IoT device is collecting and how it will be used. Also look at how the information can be abused or misused.
The sheer volume of IoT devices constantly producing communications requires careful security and privacy considerations. There is no current IoT protection framework that's ahead of the implementation of this technology. The industry is keeping up with the development of technology by looking to the rising threat vectors - some old, some new - that will impact deployments and ongoing operations. Authentication of critical data and baseline triggers for action are the emerging security focus.
How devices will mutually authenticate to a reliable degree, so as to prevent rogue commands and communications or data leakage, is a priority consideration. Communications could be interrupted by a variety of factors, and unless there is an assurance that corresponding devices are legitimate, there is no basis for secure operations.
The scale of data being communicated within specific ranges or environments is a factor for maintaining consistent operations, but critical data that can be traced and identified requires a privacy technique known as 'pseudonymization' - that is, assigning an obscured identifier to the data so that it doesn't readily map to a known person, address, or other identifier. This is not one process, but a series of interactive pieces that will be a priority to test, protect and defend.
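An added example, not part of the original article, of the obscured-identifier idea described above: identifying fields in a telemetry record are replaced with keyed HMAC pseudonyms so readings from one device still correlate but cannot be matched to a serial number without the key. The field names, sample readings and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the key lives with the data controller, apart from the telemetry store.
PSEUDONYM_KEY = secrets.token_bytes(32)
IDENTIFYING = ("device_serial", "street_address")  # hypothetical field names
KEEP = ("timestamp", "kwh")                        # every other field is dropped

# Constructed sample readings; records 0 and 1 come from the same device.
SAMPLE = [
    {"device_serial": "SN-000123", "street_address": "1 Example Way",
     "owner_name": "A. Person", "timestamp": "2016-01-01T00:00Z", "kwh": 1.2},
    {"device_serial": "sn-000123 ", "street_address": "1 Example Way",
     "owner_name": "A. Person", "timestamp": "2016-01-01T00:15Z", "kwh": 1.4},
    {"device_serial": "SN-000456", "street_address": "2 Example Way",
     "owner_name": "B. Person", "timestamp": "2016-01-01T00:00Z", "kwh": 0.7},
]


def pseudonym(field, value, key=PSEUDONYM_KEY):
    """Keyed pseudonym: stable per (field, value), not recomputable without the key."""
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(record, key=PSEUDONYM_KEY):
    """Keep only the needed fields; replace identifiers with '<field>_pid' values."""
    out = {f: record[f] for f in KEEP if f in record}
    for f in IDENTIFYING:
        if f in record:
            out[f + "_pid"] = pseudonym(f, record[f], key)
    return out


def recomputable_without_key(pid, known_values):
    """Audit check: does a bare SHA-256 of any known value reproduce this identifier?"""
    return any(hashlib.sha256(v.encode()).hexdigest()[:32] == pid
               for v in known_values)


if __name__ == "__main__":
    for rec in SAMPLE:
        print(pseudonymize(rec))
```

An unkeyed hash of a serial number fails the audit check because the small space of valid serials can simply be hashed and compared; the keyed form passes, and rotating the key breaks linkage to older data sets.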
Communications between devices that trigger activity are of the highest concern to validate and secure. The timing of the response is ultimately what creates the beneficial experience when the technology is functioning as designed; it is always the unintended, overlooked, or malicious capabilities that have to continue to inform security and privacy design and implementation.
According to our Oxford Economics study, security and privacy concerns are long-standing issues. Respondents noted that success depends on developing systems, policies and procedures for managing the information that IoT generates. Changes in the ways of working and new skills are key opportunities.
Don't Panic - the Same Rules Apply
IoT is all about making the things around us smarter. But many sensors, especially those embedded in assets, must be frugal. Limitations on space mean that processing power and battery life are often limited. This means that many sensors aren't capable of running the endpoint protection capabilities we're used to seeing in more sophisticated assets, like laptops. But while some familiar security rules - such as applying anti-virus to all endpoints - don't relate to IoT systems, many do:
- Authenticate all IoT connections. Digital certificates provide a robust solution without compromising practical operation.
- Ensure that patches are applied to IoT devices promptly. The 2015 DBIR found that most attacks exploited known vulnerabilities where a patch has been available for months, often years. You don't want to have to rely on manual methods to keep hundreds or thousands of devices up to date. Investigate secure methods to deploy updates automatically.
- Only collect the information that you need from IoT devices, and dispose of it securely when you no longer need it. If you don't have it, it can't be stolen.
- Encrypt sensitive IoT data. Encryption won't stop criminals from stealing your data, but it will make it a lot harder for them to do anything damaging with it.
- Segment IoT networks and systems to limit the spread and damage of any attack. You don't want a breach of a relatively innocuous sensor to lead to the compromise of your Connected Device or enterprise systems. Segmentation will also help reduce the amount of sensitive information criminals can exfiltrate.
Don't Cut Corners
As IoT devices become more widespread and more closely integrated with core enterprise systems, the more important it is that security is made paramount from the start. Just as with any other IT system, organizations should regularly assess the risk, apply appropriate security measures, and test their effectiveness. So before deploying an IoT strategy, consider all of the data to be generated, how it is to be used, and most importantly, how it is to be protected. And do this before you roll out the implementation.