How to secure the Internet of Things
Sukamal Banerjee, HCL Technologies
The Internet of Things (IoT) revolution is gearing up to dramatically alter various industrial sectors of the economy including manufacturing, healthcare, energy and transportation amongst others, which together account for nearly two-thirds of the global GDP, writes Sukamal Banerjee, the executive vice president of engineering and R&D services at HCL Technologies.
While this latest technology wave promises to bring unprecedented opportunities to business and society, it also opens the door to vulnerabilities and security threats which, if exploited, can lead to damaging consequences. We have already heard news of baby monitors, medical gadgets, smart lights and even autonomous cars being either hacked or proven vulnerable.
According to Gartner, about 26 billion devices will be connected by 2020. This is a phenomenal jump from about 4.9 billion connected devices today in 2016. Along with the exciting possibilities this five-fold growth brings, it also gives hackers 26 billion targets through which to infiltrate the network. As more and more devices are connected, the network is becoming increasingly fragile. Unfortunately, the speed with which innovation is happening means that security is often added as an afterthought rather than built in from the start, leaving vulnerabilities for hackers to exploit. This is no small problem. A key part of the IoT is not only inventing the sensors and connecting the systems but also securing the plethora of data that passes back and forth.
Better the devil you know
The first step in securing IoT is to understand where the threats are likely to come from and who the attackers will be. Perhaps of most immediate concern to enterprises will be passive attackers looking to take advantage of security weaknesses in IoT devices and networks in order to steal confidential data. These attacks might be very difficult to detect, as many are likely to result from insider activity, with employees, partners and suppliers abusing access privileges. As a result, enterprises will have to be on their guard from within as well as keeping a close eye on their borders.
The other severe threats will likely come from active attackers targeting IoT devices with remote access attempts, or IoT networks with techniques such as Sybil or DDoS attacks to cause operational failures and disruption. These attacks could have the most severe consequences. For instance, hackers could potentially shut down medical devices in a hospital operating theatre, putting lives at risk. We’ve already seen some pretty alarming attempts at small-scale remote access in practice, with a number of well-publicised cases of hackers exploiting vulnerabilities in wireless webcams, CCTV cameras and even baby monitors to spy on people. More recently, Black Hat hackers in the U.S. demonstrated an exploit enabling them to take control of brakes and other critical systems in connected cars. When these exploits are leveraged against enterprise networks, as they almost certainly will be, the risk of disruption will be immense.
Take the fight to them
IoT is still in its early evolution, so we’ve thankfully yet to see any truly catastrophic breaches or security incidents. However, hackers won’t rest on their laurels for long, and enterprises looking to leverage the IoT can’t afford to be caught unawares when the attackers do start to come for them. As such, they need to begin developing new security frameworks that span the entire cyber and physical stacks, from device-level authentication to application security and robust data protection measures. Every enterprise is different, so there can be no one-size-fits-all approach to creating an IoT security policy, but there are a number of key aspects that must be considered by all.
- Secure development – There are a number of insecure functions and programs in IoT devices that are creating a weak link in the security chain. Development teams should take this as a warning to carefully review the code in their IoT applications to identify any insecurities and close open doors. It’s also important to consider the challenges of keeping huge networks of IoT sensors and devices patched to fix any newly discovered vulnerabilities, in the same way as you would with a laptop or smartphone.
- Data encryption – Most wireless communications and protocols in IoT are open, and the limited resources available on sensors and smaller devices for strong data encryption and transmission algorithms leave them prone to attack. As such, a carefully considered approach to IoT security will be required. According to a recent report, 70% of internet devices used unencrypted network services. Sensitive data should be encrypted before usage with secure cryptographic keys, rendering it useless to anyone who breaches the network.
- Privacy protection – Data privacy is the elephant in the room when it comes to IoT. People are rightly concerned about their privacy being invaded by machines and devices collecting data on their actions and movements. It will be critical to ensure these concerns don’t stifle innovation. One of the best approaches would be to de-identify any data that is captured, removing any unnecessary PII linking it to individuals in order to safeguard their privacy.
- Access management – Since IoT devices and sensors are often programmed over the air, they are more susceptible to being remotely hacked. As such, organizations will need to have a robust identification mechanism built in, using digital signatures to ensure that the commands and code received by IoT devices and sensors are authentic and authorised. It will also be necessary to implement role-based access privileges to reduce the risk of insider threats from employees, partners and suppliers accessing data, devices and sensors that are outside of their remit.
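The access-management point above, sketched as an added example (not code from the article or from HCL): a device-side gate that authenticates each over-the-air command, rejects replays and then enforces role-based privileges. It assumes HMAC-SHA256 with a shared key as a standard-library stand-in for the digital signatures the article names (an asymmetric signature would let devices hold only a public key), and the key, roles, actions and counter scheme are all hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample values: key, roles and actions are hypothetical.
DEVICE_KEY = b"constructed-demo-key-not-for-production"
ROLE_PERMISSIONS = {
    "operator": {"read_telemetry"},
    "maintainer": {"read_telemetry", "update_firmware"},
}


def sign_command(key, role, action, counter):
    """Backend side: serialise the command and attach an HMAC-SHA256 tag."""
    body = json.dumps({"role": role, "action": action, "counter": counter},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class CommandGate:
    """Device side: authenticate, reject replays, then enforce the role."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, body, tag):
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison; the body is not parsed until it verifies.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        cmd = json.loads(body)
        if cmd["counter"] <= self.last_counter:
            return "rejected: replay"
        if cmd["action"] not in ROLE_PERMISSIONS.get(cmd["role"], set()):
            return "rejected: role not permitted"
        self.last_counter = cmd["counter"]
        return "accepted"


def demo():
    gate = CommandGate(DEVICE_KEY)
    ok = sign_command(DEVICE_KEY, "maintainer", "update_firmware", 1)
    forged = sign_command(b"wrong-key", "maintainer", "update_firmware", 2)
    denied = sign_command(DEVICE_KEY, "operator", "update_firmware", 3)
    # The valid command is submitted twice to show replay rejection.
    return [gate.accept(*ok), gate.accept(*ok),
            gate.accept(*forged), gate.accept(*denied)]


if __name__ == "__main__":
    print(demo())
```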
There also needs to be a new kind of innovative solution to this. We cannot assume the standard practices of network security will suffice across all forms of devices in this emerging world of hyper-connectivity. Significant work is already under way in this space. However, no single entity can solve the security issues on its own. Government agencies, academia and global enterprises will need to collaborate and respond rapidly with measured force to build robust security measures and infrastructure.
IoT, with its immense potential, is clearly here to stay. Security is one of the challenges that needs to be met in an accelerated and focussed way to ensure the potential of IoT is fully realized. The potential benefits far outweigh the security risks and hence, while work on security needs to be enhanced, the adoption curve for IoT should be sustained and accelerated.