Media coverage of existing and potential security breaches can make it difficult to know what is—and isn’t—a viable threat to the growing number of Internet of Things systems in use in homes and businesses. Increasingly, the fear is that unauthorized parties may be talking or listening to a user’s devices, and there seem to be numerous ways for them to do so.
The security issues an IoT system faces can be broken down into at least three categories: intruders’ ability to access data stored on a Web-based server in the cloud, the vulnerability of data being transmitted between a device and a server or other device, and the risk of the device itself being hijacked by an unauthorized party. In the third case, even if the device is hacked, there is the question of what the intruder wants to—and can—accomplish, such as capturing data from that device or remotely controlling it to do something the user never intended.
It’s a heady list of concerns, and one that a multitude of agencies, companies and engineering teams are researching how to solve.
When it comes to a server’s vulnerability, that problem is not unique to the IoT. With servers collecting data from thousands of sensors, how can users be sure that a hub hosting their information isn’t vulnerable? How is data being protected? The security of stored data is a concern that extends far beyond the Internet of Things to every PC, laptop and mobile device.
Another security issue that is not unique to the IoT, but common to all Internet users, is the need to secure data as it is being transferred, and to ensure that machines, sensors and other connected things cannot be controlled from the outside.
Although much media attention is being focused on creepy consumer-related IoT security risks (such as the possibility of a hacker spying on a family via a child’s Barbie doll), there are potential hacks that could cause significant harm to businesses that employ IoT technologies.
According to a spokesperson with the U.S. Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT), the DHS’s primary concern with regard to cybersecurity and the Internet of Things is that viruses, malware and cyber-attacks could cause objects to cease functioning entirely. For example, malware injected into the software controlling a refrigerator could simply shut that appliance down, spoiling the food or medicines stored within. It would be a simple and highly effective way to wreak havoc.
The solution on the device side may lie in the hands of the manufacturers. It doesn’t make sense for users or systems integrators to install antivirus software or firmware in every sensor or device like a refrigerator. Such firmware or software must be built into products at the point of manufacture.
On the other side of IoT device security is the actual eavesdropping on a device, or the collecting of data that belongs to a user. The collection of such data has a more tenuous benefit for those with malicious intent. Information stolen from connected things would not necessarily lead to cash, the ICS-CERT spokesperson told me, or to personal data such as credit card numbers that could be sold for cash, “which is a main motivator behind today’s cyber-attacks.”
However, with the IoT’s vulnerability to eavesdroppers in mind, users need to be sure that their IoT systems are isolated from corporate or engineering data, and from other networks. Systems should be completely standalone, while the devices themselves should be rigorously protected against unauthorized changes to their control settings.
Dan Lohrmann, the chief security officer at Security Mentor, which provides companies with security awareness training, has warned that IoT devices that process less-sensitive data could become “back-doors” into networks containing more sensitive information. For example, a Wi-Fi-connected kitchen appliance might provide a trusted connection to a PC with tax information stored on it.
ARC Advisory Group, a technology research and advisory firm for industry and infrastructure, reports that the necessary technology, such as antivirus software, exists to build secure IoT deployments. However, ARC notes, suppliers also need to understand end-user concerns and constraints in order to configure secure solutions. This includes the expected IoT use cases, the most likely cyber threats and a system-management strategy.
ARC is conducting a survey, known as “Industrial Internet of Things Cybersecurity – 2015,” that it hopes will shed some light on security issues. The company launched this survey because a lot of its end-user clients expressed concerns regarding cybersecurity implications, “and this seems to be a serious roadblock to adoption,” says Sid Snitkin, ARC Advisory Group’s VP and general manager for enterprise advisory services. IoT end users are being asked how likely they are to collect and analyze information within their facility, share data with service providers, allow a supplier to remotely change control parameters, or enable someone to remotely control device performance in the field. Any of these actions could require a unique security strategy, and much of that may fall on the device makers. Other questions focus on how data is being collected.
Under its enforcement authority, the Federal Trade Commission (FTC) can investigate and take action against deceptive and unfair practices. In the future, the industry can expect that the FTC will have some oversight for devices that fall within the Internet of Things when it comes to deceptive marketing or unfair business practices. However, its role with regard to the security of IoT systems is less clear. The FTC will likely offer IoT user tips and suggested best practices to businesses.
As the number of IoT products and sensors grows, other federal agencies are likely to drive research and develop policy around security. For instance, the U.S. Department of Health and Human Services and the U.S. Food and Drug Administration will help to protect patient health data as it is transmitted via IoT devices. Expect the U.S. Department of Transportation to be involved in such technologies as self-driving cars.
Finally, there is the issue of data-transmission security. Companies are developing solutions to better secure data as it passes from a device to a server. One example is Secret Double Octopus, an Israeli startup that seeks to offer a scalable alternative to standard encryption. Raz Rafaeli, the firm’s chief executive officer, likens the solution to a paper shredder that can “unshred” the data once it reaches its recipient. Instead of encrypting data and requiring an encryption key to unlock that information, the system breaks it down into many small pieces, each sent along a different route to the server, where it can then be restored to its original form. The multiple transmission routes that Secret Double Octopus employs to send data can include the public Internet, virtual private networks (VPN), Google Drive and Amazon Web Services (AWS). The company is currently testing its solution with a large firm that, according to Rafaeli, cannot yet be named.
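As an added illustration of the “shred and unshred” idea described above (this is not Secret Double Octopus’ own code or algorithm, whose details the article does not give), the following is a simple XOR-based n-of-n split: each piece travels over a different route, and a listener on any one route sees only uniformly random bytes. The route names and the sample sensor reading are constructed for the example; the SHA-256 digest is added so the receiver can detect a piece that was lost or altered in transit, since splitting alone provides no integrity check.

```python
import hashlib
import secrets
from typing import Dict, List

# Constructed sample message, standing in for a sensor reading sent device -> server.
SAMPLE_READING = b'{"sensor":"fridge-7","temp_c":3.9,"door":"closed"}'
# Hypothetical route names; the article names the public Internet, VPN, Google Drive and AWS as routes.
ROUTES = ["public-internet", "vpn", "google-drive", "aws"]


def shred(data: bytes, n_routes: int) -> List[bytes]:
    """n-of-n XOR split: n-1 shares are random, the last is data XOR all of them.
    Any proper subset of the shares is itself uniformly random, so one route leaks nothing."""
    if n_routes < 2:
        raise ValueError("splitting needs at least two routes")
    shares = [secrets.token_bytes(len(data)) for _ in range(n_routes - 1)]
    last = data
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def unshred(shares: List[bytes]) -> bytes:
    """XOR the received shares back together. With fewer than all n shares the
    result is random noise, not a partial plaintext."""
    length = len(shares[0])
    if any(len(s) != length for s in shares):
        raise ValueError("shares must all have the same length")
    result = bytes(length)
    for share in shares:
        result = bytes(a ^ b for a, b in zip(result, share))
    return result


def send_over_routes(data: bytes, routes: List[str]) -> Dict[str, bytes]:
    """Sender side: one share per route, plus a digest so the receiver can
    detect a share that was lost or altered (XOR splitting has no integrity check)."""
    packets = dict(zip(routes, shred(data, len(routes))))
    packets["digest"] = hashlib.sha256(data).digest()
    return packets


def receive_from_routes(packets: Dict[str, bytes], routes: List[str]) -> bytes:
    """Receiver side: reassemble, then reject the result if any share is missing or corrupted."""
    missing = [r for r in routes if r not in packets]
    if missing:
        raise ValueError(f"no share received via {missing}")
    data = unshred([packets[r] for r in routes])
    if hashlib.sha256(data).digest() != packets["digest"]:
        raise ValueError("reassembled data failed integrity check")
    return data
```

With this scheme every route must deliver its share for the receiver to reconstruct anything; the digest catches a lost or altered share but cannot recover it.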
No security is stronger than that of a user’s own employees, however. Ensuring that you’ve hired reliable individuals to oversee your IoT system is the first line of defense.
Claire Swedberg is a senior editor at RFID Journal and a freelance writer for IOT Journal.