- Published: 13 February 2020
The Internet of Things (IoT) market is growing so quickly that by the time you finish reading this, thousands more devices will have come online. In 2019, there were an estimated 26 billion IoT sensors worldwide. This number is expected to grow to 30 billion this year and to over 75 billion by 2025.
These connected devices are found in everything from cars, trucks and buses to household appliances, healthcare systems, buildings and even children’s toys. Connected sensors help us to measure the environment around us. The data they gather can transform into real insights for businesses and government organisations, and improved services for consumers. But in the race to bring these innovations to market, sometimes security has not been given the attention it deserves.
That has led to situations, for example, when hackers took control of thousands of IoT devices including home routers and security cameras in 2016. The hackers used these devices’ bandwidth to create the Mirai botnet, which they then used against a range of online services by flooding them with network traffic that made them inaccessible to the outside world. These were some of the biggest attacks of their kind ever seen on the internet to that point, made possible by security flaws in those IoT devices.
Perhaps, the most infamous breach originating from unsecured IoT sensors occurred in the US in 2014, when a refrigeration vendor serving department store Target was breached. The breach compromised as many as 40 million payment card accounts, along with the personal information of about 70 million Target customers.
Connected means vulnerable.
The following year, two security researchers famously hijacked a Jeep while it was driving, by hacking its internet connection. These are just a few of the many examples of IoT security shortcomings. As the famous security researcher Mikko Hypponen has said: “if it’s smart, it’s vulnerable”.
Looking to the future, if we think about a smart city full of automated self-driving cars, what could potentially happen if attackers took over the traffic lights and made them change from red to green? What would happen if facial recognition cameras were compromised? Imagine the risks of vulnerable healthcare IoT systems.
From a business perspective, the risks include IoT infrastructure becoming a route into the company network that attackers could exploit to steal confidential information, or to plant malicious software that disrupts operations.
The more we rely on connected devices, the bigger the risk. This is why it’s important to consider security from the very start of an IoT project; to identify potential weak points and put measures in place to minimise the risks.
Allocating resources to security.
The level of resources available to do this will vary depending on the size of the company involved. Businesses that want to integrate the IoT devices onto their existing network will need robust security protocols, since this potentially opens back doors onto the corporate network. For this reason, this approach is better suited to a large organisation with the in-house IT capability to manage the integration in a secure way.
Some companies roll out IoT projects on a completely separate network environment from their existing IT environment. For smaller companies in particular, this approach is probably the most suitable. It speeds up the time to launch the project, and more importantly, doesn’t expose existing systems to additional risk.
The data question.
Although company size will dictate the approach to security, it’s just as important to examine the business case for IoT. A small to medium sized retail store that just wants to install temperature sensors, may choose to accept the risk of putting this information on its network. However, if it installs footfall counters that could potentially identify individuals within its store, that data will need higher levels of protection.
It would be advised to install a password-protected edge router with the necessary firewall to guard against attackers trying to hack sensors. It’s also a good idea to conduct a security audit to ensure any devices allowed onto the network can be identified, to ensure that they have the right permissions and can be disconnected quickly in the event of a security breach.
GDPR is a four-letter word.
Securing devices is just one part of implementing IoT correctly. Another critical element is to protect the data that the sensors are sending. Privacy regulations like the General Data Protection Regulation mandate that if an organisation collects data about people’s movements or about anything that can identify an individual, they must manage the security of that data, both in transit and at rest.
GSM standards are highly secure, so data travelling across mobile networks is automatically encrypted, however, you should also consider protecting any data travelling across the internet and ensure that that data is also encrypted.
The other aspect of data protection involves protecting data when it’s at rest – that is, stored on devices like servers, smartphones or tablets. This is the responsibility of the business and requires robust policies and procedures to prevent data loss. To ensure protection at rest, all computing devices that will be collecting or storing data should be encrypted. At the planning stage for the IoT project, it is also worth considering how long the organisation plans to keep data, since GDPR imposes time limits on data retention.
IoT projects come with a lot of security considerations. The key is to take a practical approach and to examine all risks in advance and develop a plan for your business that will minimise risk. Strong IoT security is good practice for now, but the signs are that it may become compulsory soon. The UK Government, for example, is proposing measures that will force IoT manufacturers to deliver stronger security for their sensors and connected products. Now is the time to get ahead of the curve and build security into IoT projects from the start, rather than trying to bolt it on later.
Autor(en)/Author(s): Myles Gardiner
Quelle/Source: The Three Business, 06.02.2020