The convergence of multiple technologies from the industrial and information technology worlds has resulted in what is commonly known as the Internet of Things, or IoT. IoT combines concepts from embedded systems, networking, sensors, control systems, data analytics and artificial intelligence. IoT technology is being used not only in industrial applications but also in everyday consumer and household applications. It is estimated that there will be 25 billion connected devices by 2021, thereby transforming the way we live and work. Current estimates of data output from IoT are around 2.5 quintillion bytes daily. As the number of IoT devices grows, network complexity and data volumes will also grow, creating vulnerabilities and presenting greater opportunities to attackers. Thus, there will be higher risks associated with device, network and data security.
IoT devices are being used in consumer, industrial and medical/hospital applications, and each of these segments faces different types of threats. Simple consumer IoT applications may be hacked, which can result not only in privacy concerns (e.g., a hacked home camera or baby monitor) but also in a risk to physical safety (e.g., when a car is hacked). Similarly, security flaws found in implantable cardiac devices are a major risk to physical safety. Industrial automation systems may be targeted for various reasons, such as industrial espionage, denial-of-service attacks, stealing data for ransom or disrupting the normal operations of the business. In August 2017, a petrochemical company with a plant in Saudi Arabia was attacked with an intention to sabotage the firm’s operations and trigger an explosion.
IoT devices usually have embedded chips with some processing power that may be able to connect to cellular networks. IoT devices are tiny and designed to run with minimal manual intervention. While this is extremely convenient, it also means they are more easily forgotten than other IT equipment. As such, the basic step towards securing IoT devices is to ensure they are accounted for and reported along with other equipment. However small, an IoT device has some processing power and hence should be handled responsibly. The same authentication and authorization principles should be applied to it as would be applied to any other device on the network. Unused network ports should be disabled, strong passwords should be used for authentication, and admin credentials should be safeguarded.
In order to ensure that the required security processes are followed, a security-by-design approach may be useful. This ensures that security features are considered during the design and deployment stage of the IoT project. The entire system can be viewed holistically at this stage, and security requirements for each of the devices that form the IoT network may be defined. A secure digital device ID may be created and embedded into the device hardware at this stage. Device IDs help to prevent malicious access to devices and device cloning. Security lifecycle management should be in place for all devices. This would include regular software updates and recycling of passwords and/or digital access keys. It would also include alerts enabled on devices when a potential security threat is detected.
Another key aspect of IoT is the huge amounts of data that it generates. While this complex data arriving from multiple sources is useful to the organization and provides valuable insights, it is also necessary to ensure that it is safeguarded. Policies and procedures for data governance should be defined and implemented during the design stage. To ensure that data governance is implemented without reducing the usability of data, it is necessary to understand what normal data activity looks like so that controls may be established to detect abnormalities in data.
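One way to turn "what normal data activity looks like" into a control, shown as an added example that is not part of the original article: a per-device baseline built from the median and the median absolute deviation (MAD), with new observations scored against it. The device names, the bytes-per-hour metric, the sample values and both thresholds are assumptions chosen for illustration.

```python
from statistics import median

MIN_SAMPLES = 5   # assumed minimum history before a baseline is trusted
THRESHOLD = 3.5   # assumed cut-off for the robust z-score


def build_baseline(history):
    """history: {device_id: [bytes sent per hour, ...]} -> {device_id: (median, MAD)}."""
    baseline = {}
    for device, samples in history.items():
        if len(samples) < MIN_SAMPLES:
            continue  # too little data to say what "normal" is for this device
        med = median(samples)
        mad = median(abs(s - med) for s in samples)
        baseline[device] = (med, mad)
    return baseline


def check(baseline, device, value):
    """Classify one new observation as 'ok', 'anomalous' or 'no-baseline'."""
    if device not in baseline:
        # New, unknown or rarely seen device: send for review instead of trusting it.
        return "no-baseline"
    med, mad = baseline[device]
    if mad == 0:
        # Perfectly constant history: any change at all is a deviation.
        return "ok" if value == med else "anomalous"
    # 0.6745 scales the MAD so the score is comparable to a standard z-score.
    score = 0.6745 * abs(value - med) / mad
    return "anomalous" if score > THRESHOLD else "ok"


# Constructed sample data (bytes sent per hour), not real measurements.
HISTORY = {
    "thermostat-01": [1200, 1180, 1250, 1210, 1190, 1230, 1205],
    "camera-02": [50000, 52000, 49500, 51000, 50500, 49000],
    "valve-03": [64, 64, 64, 64, 64],
    "sensor-04": [300, 310],  # too short to baseline
}

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for dev, val in [("thermostat-01", 1220), ("thermostat-01", 9000),
                     ("valve-03", 65), ("sensor-04", 305), ("unknown-99", 10)]:
        print(dev, val, check(base, dev, val))
```

The median and MAD are used instead of mean and standard deviation so that a single earlier spike in the history does not widen the baseline and hide later abnormal activity.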
A world with IoT applications is definitely smarter and more efficient. There are many use cases and benefits for IoT in almost all areas of life and work. However, it is essential that manufacturers of IoT devices, telecommunication providers and finally the end users think it through before adding new devices to this expanding and complex network. Finally, since it is the end users (both consumers and industries) who have the most to lose, it is they who should ensure that they protect their IoT devices just as they would protect their bank accounts. Identity management, encryption, strong passwords, multi-factor authentication, data protection and authorized access are as relevant in the world of IoT as they are in any financial transaction.