The internet of things has arrived — everyday objects are getting smarter and internet connected, enabling rich information streams that can be shared seamlessly between devices, networks, industries, organizations and users. Today, billions of connected, smart devices are active around the world — and this number will only continue to rise. Gartner predicts 8.4 billion connected devices (“things”) will be in use this year, and almost 21 billion by 2020.
The rapid adoption of IoT-enabled devices brings with it a new set of challenges, which raise questions about where and how these devices should be used. The security implications of IoT for both government agencies and public services are particularly interesting, as governments grapple with how to manage and deploy this technology to become more efficient and innovative. Traditional security and IoT security are very different. For example, traditional IT security processes can assume that systems or devices can be taken off air or reset at short notice to apply security patches. This may not be possible with an IoT device, where in general high availability is assumed, and resetting a device at short notice may have safety or financial consequences. As such, securing the IoT requires new ways of thinking and new end-to-end planning measures.
For government organizations, the IoT revolution carries two significant security considerations. First, when deploying IoT technologies to enhance public services, government agencies must not only understand the benefits of such technology, but also the security risks that such networked technologies bring with them. Second, as IoT (and industrial IoT) become an integral part of critical national infrastructure (CNI), government must develop defense and security measures and procedures to address threats to the CNI — as well as society more broadly — that may emanate from this technology. IoT is not just an extension of an existing infrastructure to be managed, but rather incorporates radically different protocols that must be planned for. Ultimately, the IoT market will only reach its full potential once these security challenges have been addressed, and governments have established actionable recommendations for securing the digital economy.
Security is not keeping up with innovation
Controlling cyberthreats is a critical concern for citizens, businesses and governments alike. However, not all organizations have the right tools or systems in place to protect sensitive data. Even though most IoT connections rely on secure wireless networks, data can still be vulnerable. For example, unlike data from smartphones — which are part of IoT — information from other IoT devices doesn’t always start and end its journey with a human who can make decisions about access. Increasingly, devices are sharing data directly, without first evaluating the data for quality, integrity and security. Ultimately, IoT data needs to be secured on the connected device, on servers in the cloud, when shared between IoT devices and at every point in its journey.
For these reasons, there is rightly an increasing concern about the security of IoT-enabled devices and their ability to provide reliable, trustworthy data for decision-making, for example in the areas of healthcare, policing, justice and revenue. Not all cyberattacks aim to steal or destroy data; some seek only to manipulate data — often with equal, if not worse, consequences. The need to protect data from malicious or accidental manipulation is and must remain a priority for organizations that use connected devices to support decision-making.
Over the coming years as sensors, biometrics, healthcare monitors and autonomous vehicles become far more prevalent, they will bring with them an array of new challenges for governments. The impact of data breaches on these devices could be dire for citizens and governments alike, so steps must be taken to ensure device and data security now and in the future.
Steps to manage IoT security
- Engineer trust and understand the threat landscape — The security challenge for hardware manufacturers and service providers that specialize in machine-to-machine connectivity is significant. These types of IoT devices are usually easily hackable because they are designed to be accessed over a local network and often come with unsecured, hard-coded default passwords. While the adoption of IoT in the home and workplace is inevitable, device manufacturers must build security into products and solutions to provide added security and resiliency. Accenture research has found that by addressing cybersecurity proactively, an organization’s ability to thwart cyberattacks increases by an average of 53%. Organizations that use threat-assessment models that are tailored to their specific digital posture will improve their ability to detect security breaches and limit damage. Companies can enhance existing security by using IoT devices for authentication, or by allowing security teams to monitor employees’ digital behavior for potentially harmful deviations, whether intentional or not.
- Government and industry collaboration — The private and public sectors must work together to develop and implement universal standards for application development that place security, privacy and trust at the center of new product design and deployment. IoT devices would benefit from security protocols that offer enhanced authentication requirements and increased supervisory control. Data capturing technology and embedded analytics are also important to extract the full value from data shared across IoT devices, whether the data is travelling to the cloud for processing or remaining on the device where analytics tools can be applied. Together, industry and government can address end-to-end security requirements for the IoT market, including application development, device and application testing, embedded hardware and software, and connected products and platforms.
- Secure critical infrastructure — Governments should devise a national strategy or stance on managing security risk around critical infrastructure, recognizing that malicious actors are seeking to exploit vulnerabilities. This will be especially true in the IoT age, as connected devices become a core part of critical infrastructure (e.g., smart meters in homes). Some public-sector agencies are already taking steps in this direction. The U.K. Centre for Defence Enterprise recently expressed concern about IoT security challenges, especially as these relate to the protection of critical national infrastructure such as hospitals, power networks and telecommunications systems. Meanwhile, the U.S. government has made significant progress in developing policies, programs and technologies that help protect North America’s critical infrastructure. According to a U.S. Government Accountability Office Report, the Department of Energy, the Department of Homeland Security and the Federal Energy Regulatory Commission have implemented 27 electrical grid resiliency programs since 2013, which are designed to address a variety of security concerns.
- Educate citizens and employees — In today’s connected world, citizens and employees must understand the inherent online risks and take steps to strengthen their defenses. Effective cybersecurity depends on citizen and workforce awareness, education and an ability to understand, prevent and respond to increasingly sophisticated cyberthreats. Employers must also understand the implications of BYOD for internal security, personnel privacy and data protection, and work to develop policies that balance the reality of the digital device age with necessary restrictions on using personal devices and accounts in the workplace. Citizens must also take steps to protect their personal or organizational data to ensure they don’t fall victim to social engineering hacking and ransomware incidents, which have become an unfortunate daily occurrence. Government also has a responsibility to inform and help educate citizens about trusted sources of information online, as well as where to go for help should their personal data be accessed or stolen. Equally, law enforcement and public services agencies must understand how to handle the reporting of crimes, fraud or mismanagement of IoT devices and their data.
IoT is creating new and exciting opportunities for businesses, consumers and service providers alike, but at the same time is also introducing significant challenges. The internet is not a secure environment, and any device connected to it is a potential target for cyberattack. We know from the number of successful cyberattacks that conventional cyberdefenses are no longer sufficient to keep determined cyberattackers at bay. With the IoT revolution come great opportunities but also increased security risks, which must be addressed by using new, creative and agile thinking to defeat the cyberattackers, and to ensure IoT technology can deliver on its potential.
This article was co-written by Kevin O’Brien, Security & Intelligence Lead for Accenture Health & Public Service at Accenture.
Dr. Kevin A. O’Brien is the senior principal leading security and intelligence efforts within Accenture’s Global Health and Public Services practice. Prior to joining Accenture in February 2015, he served as an intelligence program manager, as well as a senior advisor on analytic and operational transformation, in the Canadian Department of Public Safety. Among other roles, he led projects and programs on cyberthreats, digital intelligence exploitation, counterterrorism, and protective and preventive security. Prior to joining the Canadian government, he served as Director of Alesia PSI Consultants Ltd from 2005-2009, which provided security and intelligence advisory services to the U.K., U.S., Australian and Canadian governments; Deputy Director of the Defence and Security Programme in RAND Europe from 2001-2005, with responsibility for its public security and intelligence work; and Deputy Director of the International Centre for Security Analysis and Visiting Lecturer in the Department of War Studies at King’s College London from 1997-2001. From 1997-2006, he was a Special Correspondent and Contributing Editor on Information Operations and Cybersecurity for Jane’s Intelligence Review.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.