What is your weakest security link? I’m blown away when I talk to IoT professionals who can’t immediately answer this question.
The promise of IoT is that it has the potential to connect machines that generate data which can be used to provide us with insights that make the world a better place. Today, the focus of IoT has everything to do with enabling this promise, and little to do with security.
IoT security is life and death
In an IT world, a security breach can mean the misuse of data, which could result in fines or a company’s reputation could suffer. With IoT, a security breach can literally mean life or death.
Take the latest Netflix cyber nightmare, where a hacker stole and released part of the fifth season of Orange is the New Black and later demanded to be paid to keep it off the internet ahead of its premiere. Not good for Netflix, but the problem was solved when Netflix decided to release the show early and refused to pay the culprits.
Now consider Stuxnet, a computer worm that infected at least 14 industrial sites in Iran, including a uranium plant. The worm’s authors could cause the fast-spinning centrifuges to tear themselves apart, unbeknownst to the human operators at the plant. Or what about when security researchers Charlie Miller and Chris Valasek proved to the world how easy it is to hack into a car and control everything remotely including the brakes, acceleration and cruise control?
Threats like these have made security one of the biggest barriers to meaningful IoT adoption in the enterprise.
Security by design
As an industry, we say “things” but we mean “everything.” From energy and drinking water to manufacturing and transportation, most physical things will get connected in the next few years. Various experts estimate that there are 25 billion connected things in the world today, and this number will hit 50 billion by the end of the decade.
Unlike IT, there is no “end user” in IoT. For the business owner or enterprise administrator, being able to monitor and control these connected devices means relying on technology to do the job for you.
To ensure our devices are secure, an IoT implementation must be designed with security in mind from day one. Ask yourself: What kinds of networks are you connecting to? Which external users have access? What is the environment in which your system operates? What other systems are the devices interacting with?
The ecosystem and the value chain are very complex, and it’s nearly impossible to fix every single flaw in a system. However, if companies design their devices for the extreme scenario from the start, they will be one step ahead of a potential attacker rather than playing catch-up with one who has already done damage. Having proper recovery policies, and updating them intelligently, is critical to ensuring continuity of operations after an attack.
Framework for protection: Start with the device lifecycle
When designing IoT security frameworks, I always advise customers to build protection into the device lifecycle. Here is my seven-step device lifecycle, including examples of the types of protections to consider:
- Registration: Installing security software, discovery, uniquely identifying each connected device, registration, confirming it can call home
- Provisioning: Secure credentials, exchange certificates, capturing registration info
- Commissioning: Installing the device in the field, initial configuration, finding status
- Configuration: Remote secure updates of a commissioned device, updating privileges
- Monitoring: Health, operational, security and connectivity status, alarms and alerts
- Control: Remote decisioning, over-the-air updates, performance, remote service
- De-Registration: Decommission, end of life
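To show what "building protection into the lifecycle" looks like in code, here is an added example (not from this article or any vendor's product) of a registry that enforces the stage order above, grants privileges only as a device advances, and revokes its credential at de-registration. The stage names, operation names and the credential format are assumptions for the demo.

```python
from enum import Enum

class Stage(Enum):
    REGISTERED = "registered"      # identity known; may only call home
    PROVISIONED = "provisioned"    # credential issued
    COMMISSIONED = "commissioned"  # installed and configured in the field
    DEREGISTERED = "deregistered"  # end of life; credential revoked

# Legal transitions in lifecycle order (None = not yet registered).
TRANSITIONS = {
    None: {Stage.REGISTERED},
    Stage.REGISTERED: {Stage.PROVISIONED, Stage.DEREGISTERED},
    Stage.PROVISIONED: {Stage.COMMISSIONED, Stage.DEREGISTERED},
    Stage.COMMISSIONED: {Stage.DEREGISTERED},
    Stage.DEREGISTERED: set(),
}

# Privileges grow as the device matures and drop to nothing at end of life.
ALLOWED_OPS = {
    Stage.REGISTERED: {"call_home"},
    Stage.PROVISIONED: {"call_home", "report_status"},
    Stage.COMMISSIONED: {"call_home", "report_status", "configure", "ota_update", "control"},
    Stage.DEREGISTERED: set(),
}

class DeviceRegistry:
    def __init__(self):
        self.devices = {}  # device_id -> {"stage": Stage | None, "credential": str | None}
        self.audit = []    # every transition and every denial is recorded for monitoring

    def move(self, device_id, new_stage, credential=None):
        """Advance a device one lifecycle stage, issuing or revoking its credential."""
        dev = self.devices.setdefault(device_id, {"stage": None, "credential": None})
        if new_stage not in TRANSITIONS[dev["stage"]]:
            raise ValueError(f"{device_id}: {dev['stage']} -> {new_stage} is not allowed")
        dev["stage"] = new_stage
        if new_stage is Stage.PROVISIONED:
            dev["credential"] = credential  # assumed: a certificate or key id
        elif new_stage is Stage.DEREGISTERED:
            dev["credential"] = None  # revoke so a retired device cannot be reused
        self.audit.append(f"{device_id} -> {new_stage.value}")
        return dev

    def authorize(self, device_id, credential, op):
        """Allow op only if the device is known, presents its current credential and its stage permits op."""
        dev = self.devices.get(device_id, {"stage": None, "credential": None})
        ok = dev["credential"] == credential and op in ALLOWED_OPS.get(dev["stage"], set())
        if not ok:
            self.audit.append(f"DENY {device_id} {op}")
        return ok
```

A decommissioned device, an unknown device, and a device presenting a stale credential are all refused, and each refusal lands in the audit trail that the Monitoring stage would consume.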
There is no doubt that IoT will transform the world in our lifetime. Ensuring the protection of our data and personal safety will ensure better adoption. And the secure management of these systems will play a critical role in whether or not we can trust IoT.
My advice to companies implementing IoT is don’t try to solve it all yourself. Play to your strengths and design what you’re good at. Partner with security providers for everything else.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.