IoT isn’t designed with safety in mind
Simon Heron, Redscan
The Internet of Things (IoT) has the potential to rapidly transform the workplace, writes Simon Heron, the CTO of Redscan. Companies that are investing in new technologies have started to experience improvements in business efficiency and competitiveness. As the IoT expands, protecting a company’s data and intellectual property (IP) will become more important than ever.
This is because the security of IoT devices is typically quite poor. The diverse mix of sensors, manufacturers and the speed of solution development have created a complex environment that proves challenging for organisations to secure.
At the same time, the software driving the IoT is still not designed with safety in mind. Time to market is the governing principle, so code is written quickly and issues are fixed as soon as they appear rather than being addressed from a holistic security point of view.
A recent study from HP revealed that 70% of IoT devices are vulnerable to attacks. But what exactly are the vulnerabilities? Below are some common examples:
- Poor authentication policies are common. Recently the Nissan Leaf had an authentication vulnerability. Only the vehicle identification number (VIN) was required to take control of climate features. This code is usually stencilled into the windscreen, making it easy to copy and use.
- The IoT uses technologies such as cloud, mobility, and big data, which means that solutions suffer from the same threats that these industries are still learning to resolve: mass proliferation of devices, unsecured public Internet connections and poor security posture from users are common examples.
- The protocols used vary and many can be cracked by a knowledgeable individual. For instance, there are freely available tools to hack the ZigBee protocol – KillerBee can be installed on the ethical hacking platform Kali Linux and used for malicious purposes.
- Many IoT management platforms have web interfaces and are exposed to common web application attacks (SQL injection, cross-site scripting). The impact can be magnified if an attacker gains control of a management platform that manages a large number of systems. A system like a power grid in the hands of a malicious attacker could cause an incident of national significance. From a business perspective, the company could find itself struggling to regain control of key applications and infrastructure.
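The first item above, where a printed identifier is the only credential, can be shown as a weak check beside a hardened one. This is an added example, not code from the article or from any vendor; the account names, placeholder VINs and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: placeholder VINs, hypothetical accounts.
OWNERS = {"alice": "VIN-PLACEHOLDER-0001", "bob": "VIN-PLACEHOLDER-0002"}
CLIMATE = {vin: False for vin in OWNERS.values()}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def _tag(user: str) -> bytes:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest().encode()


def issue_token(user: str) -> str:
    """Issued after a successful login (login itself is out of scope here).
    Simplification: a real token would also carry an expiry."""
    return f"{user}.{_tag(user).decode()}"


def user_from_token(token: str):
    """Return the account a token was issued to, or None if it is forged."""
    user, _, tag = token.partition(".")
    return user if hmac.compare_digest(tag.encode(), _tag(user)) else None


def set_climate_weak(vin: str, on: bool) -> bool:
    """Weak: knowing a VIN is the only check, and a VIN is not a secret."""
    if vin not in CLIMATE:
        return False
    CLIMATE[vin] = on
    return True


def set_climate_hardened(token: str, vin: str, on: bool) -> bool:
    """Hardened: the caller must be authenticated and must own the VIN."""
    user = user_from_token(token)
    if user is None or OWNERS.get(user) != vin:
        return False
    CLIMATE[vin] = on
    return True
```

The hardened handler rejects both a forged token and a valid token presented for someone else's vehicle, which is the ownership binding the identifier-only check lacks.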
A more secure future
To make the IoT more secure, systems need constant updates as a starting point. Building security into the software applications and network connections that link devices is also critical.
Next, implement network monitoring and segmentation that enables organisations to detect when malicious activity is taking place. This can significantly reduce the damage caused by security breaches. Properly securing cloud applications and corporate communications with encryption will help the organisation to shield sensitive information.
Alongside these security measures, organisations have to understand that there isn’t just one ‘gatekeeper’ ensuring the company’s security, but that a degree of responsibility lies with everyone working for the business.
Most people want to focus on their professional roles and forget they are a custodian of the data they create, control and share. People need to improve their cyber security behaviour and companies can assist their employees by defining acceptable usage policies (AUP). It is crucial that businesses address how they approach security and awareness strategies together.
Cyber security is a fundamental enabler of the IoT, but if it is not treated as a strategic priority, growth opportunities will be undermined and issues will quickly arise.