The consequence of innovation moving at lightning speed has meant that too often security considerations have become an afterthought. The recent AT&T Cybersecurity Insights Report tells this exact story, with 85 percent of enterprises in the process of or intending to deploy IoT devices, despite only ten percent feeling confident that they could secure those devices against hackers.
Just as the web was designed for collaboration and sharing, IoT devices are designed for interoperability and machine-to-machine communication. In fact, in some cases, the devices were never intended to make use of the internet at all and have been retrospectively ‘connected’ to the internet; often presenting further challenges for those hoping to secure the environment these devices exist in.
Even when security is front of mind, nothing is 100 percent secure. When you consider that an attacker only needs a single vulnerability to gain a foothold within the network, combined with the fact that the IoT world is so intrinsically linked together, the damage that could be done once an attacker is within the network can be devastating.
With IoT, the most important part of security is understanding that it can’t be solved with a single solution or by one company in the ecosystem; it takes a village.
Who is responsible?
Unlike with other technologies, in IoT it’s often difficult to pinpoint who is responsible for security. If your coffee machine breaks, for example, you take it back to the manufacturer. If it’s connected to the internet, however, there are many more stakeholders that could be responsible for the malfunction – often IoT devices don’t perform as they should due to an error in the software. In terms of security, there are manufacturers involved, application developers, cloud platform providers and other third parties all of which could have some level of responsibility.
It’s also important to understand that end-users often don’t see the layers of responsibility. A car buyer, for example, may well assume that the automotive firm is responsible if its connected car is faulty when, in fact, the automaker may have little expertise in IoT security. What’s more, regardless of this, they will still be held accountable by the user.
Breaking it down
There are three important factors of IoT security; device, network, and cloud.
For the device, it is important to consider the use case, what data is collected and its ubiquity to understand the level of risk. With numerous security solutions that can be deployed – authentication, user access, application access, device lifecycle management and data encryption, for example – often a cost-benefit trade-off is required between protecting everything and paying for everything. A sensor tracking radiation from a nuclear power plant is arguably more sensitive than that from a farmer’s weather station, for example.
The movement of data as it is transported to the cloud and delivers IoT services must also be secured. Devices can connect to the internet via cellular, Wi-Fi, Bluetooth, LPWAN or even satellite; all of which have their own security implications. Across the board, data in transit should always be encrypted and passed in secure private networks, rather than openly sent over the internet, and users should be required to verify and authorise devices on both the network and applications within the network. With cellular connectivity, a layer of security is already built in thanks to global standards which include ciphering keys and encryption algorithms on the SIM to securely transmit and receive data.
To secure the broader cloud environment it goes without saying that standards such as ISO/IEC 27001 should be adhered to, but organisations also need to get granular with controls for the IoT applications themselves. Role-based access should inform the identity management and access control strategy and anomaly detection with a degree of automated remediation will also add additional protection for the broader security of the IoT portfolio.It is fundamental that all those within the IoT community take notice of the security provisions needed to properly protect the ecosystem.Click To Tweet
It is fundamental that all those within the IoT community take notice of the security provisions needed to properly protect the ecosystem. With much of the technology still in its infancy, it’s still early days when it comes to understanding the security significance of having so many devices tied together. As a minimum, all user data should be encrypted, ‘personal’ and regulated data should be treated according to its own local private and data protection rules, and identification and authentication of all those within the ecosystem is paramount. Securing connectivity is vital and an IoT connectivity management platform, with rules-based security policies that identify and act on anomalous behaviour from connected devices, should be a top priority.