The Internet of Things (IoT) stands to have a tremendous impact on business – and life – as we know it. Gartner estimates that by 2020 the IoT will grow to 26 billion units installed, and IoT product and service suppliers will generate incremental revenue exceeding $300 billion, mostly in services. In the meantime, the cost of adding IoT capability to consumer products will gradually decrease, and connectivity will become ubiquitous. New industries will develop and old ones will disappear altogether or evolve into something entirely new. Society will be transformed as more data becomes available to us as consumers, enabling us to make informed decisions about how we live our daily lives.
The IoT will also have a significant impact on however, as an industry, approach security. Security approached as an afterthought or layered preventive controls will not suffice in the IoT. In order to fully benefit from all the IoT has to offer, companies must consider its security implications and address them early on. This blog introduces the security risks inherent in the IoT and how this new technology stack must be secured.
Going a step further, this product system is being integrated with other product systems to create a system of systems of which the farming equipment is just one component. It might also include a weather data system, a seed optimization system and an irrigation system, all of which feed into a farm management system. Thus, the competition within the farming industry is shifting from discrete products to product systems, while the farmers themselves gain a competitive advantage through increasing yield.
But that’s just the beginning. We have barely begun to scrape the surface of what’s possible by connecting smart devices.
The IoT Technology Stack
A new technology infrastructure is required to participate in the IoT. Companies must build, support and secure a new technology stack that begins with the endpoint – the ‘thing’ in the Internet of Things. This hardware may have embedded sensors and processors, as well as embedded software including an operating system, onboard software applications, a user interface and product controls.
The data collected by the endpoint’s sensors are transmitted over a communications network (often the Internet) to the cloud, where the data is managed in a big-data database system, and analyzed to optimize product operation and uncover new product insights. Additional applications that manage the monitoring, control, optimization and autonomous operation of product functions may also run in the cloud. External information sources, such as weather, traffic and prices, as well as business systems (ERP, CRM, etc.) may also be integrated at both the endpoint and cloud layers.
Security Risks Inherent to the IOT
As with any technology stack, there are a number of risks inherent to the IoT. Perhaps the most obvious relates to data privacy. The collection of vast amounts of customer and product data sparks concerns regarding its ownership, how the data is used, who has access to it, who is responsible for securing it, what constitutes sensitive data, what constitutes competitive intelligence and more. These questions need to be answered and data protected accordingly, as there is great opportunity for abuse – from insurance companies using personal health data to increase rates, to attackers stealing data to sell to the victim’s competitor. The IoT also forces companies to consider the new legal liabilities that arise from sharing data access with trading partners.
Algorithms are used to control endpoints in the IoT. Algorithms are rules that dictate the endpoint’s behavior based on environmental changes or changes in the product’s condition. For example, an algorithm might dictate that when the temperature reaches 70 degrees, the air conditioner turns on. Algorithms can be built into the endpoint itself or reside in the product cloud. Unfortunately, an error in an algorithm could have an effect ranging from a mere annoyance to catastrophic, depending on the application.
Embedded software on endpoint devices also poses a risk. Vulnerabilities can be exploited using malware and the devices used as bots to execute denial-of-service attacks. Attackers can potentially take over device functionality to, for example, intercept sensitive communications or even cause bodily harm in the case of health devices like pacemakers and insulin pumps, or automobiles.
Security Measures and Challenges
In order to help reduce these risks, security by design is required at every level of the IoT technology stack. The traditional development approach of quickly releasing a product then adding security after the fact in the form of patches, updates and preventive software, falls apart in the new world of the IoT. Users cannot be expected to download antivirus software for every smart connected device they own. Nor does it make sound business sense to deploy patches and other updates to disposable, lightweight devices. IoT devices must be built with security and privacy controls baked in. The FTC has developed guidelines for building security into the Internet of Things, which includes security measures for protecting data at rest and in motion, preventing unauthorized access, and securing access between the endpoint’s technology stack and other enterprise systems.
Security efforts don’t get any easier as you move up the technology stack. The network must be protected against unauthorized access, and the data traversing the network must be properly encrypted to prevent sniffing. The cloud infrastructure and the third-party software running on it must be secured to prevent attackers from gaining access to endpoints through software vulnerabilities or weak configurations. Finally, user authentication and system access must be properly managed across the entire technology stack. This becomes a significant challenge in light of multiple stakeholders sharing interest in the assets and increasingly interconnected systems.
Service Providers Play a Key Role
ISPs and carriers play a key role in the IoT. IoT devices connect to the cloud over the ISP’s network. ISPs must undergo big changes to accommodate for this, beginning with flattening their networks. Today, ISPs have limited visibility to the devices that sit behind Network Address Translation (NAT) home cable modems. ISPs are
removing the NAT and adopting IPV6 in order to address all these devices and offer services on top. One of the key services that ISP will offer is security. ISPs will want to differentiate by offering a safer, more secure way for the IoT world to operate.
It has taken the information technology industry more than a decade to recognize the need for a detect and respond approach to network security. Given the presence of advanced persistent threats and the value of data, we will not have the luxury of time with the IoT. A holistic approach to securing the IoT is necessary from the start, with an emphasis on detecting and respond.