Alex Brisbourne, CEO
Over the past decade, businesses have taken a risk-based approach to security, balancing the need to keep critical data secure against the risk that a breach of some sort will occur. In many cases, thats still the case. Despite some high-profile breaches against major retailers, healthcare companies and financial institutions, many organizations including those running sensitive industrial applications still arent protecting their data as well as they could and should. One thing is changing all that: the Internet of Things (IoT).
The IoT comprises all of the smart systems and devices that are being connected to the Internet. These include consumer devices, such as home automation devices (thermostats, refrigerators, etc.) and connected vehicles, but also include the growing number of sensors and applications developed for more industrial and B2B uses. These include things like remote monitoring applications for ranching, irrigation systems for agriculture, utility metering and other applications for industries such as construction, mining and oil and gas. Even remote ATMs and machines that collect credit card data, such as automated car washes, fall into this category. In these industries, IoT devices are often located in remote areas where they are not monitored by a human and rely on Internet access to gather the information they are intended to collect.
While IoT devices and applications for these industries traditionally fall into the machine-to-machine communications (M2M) category, theyre getting increasingly smarter. These devices and sensors are no longer just creating alerts when things go wrong; theyre delivering valuable business intelligence to the companies that use them. As such, these systems will increasingly generate a staggering volume of data that businesses will be able to analyze and leverage to improve productivity, protect expensive assets and otherwise cut costs and grow their bottom line.
So why is now the tipping point for figuring out ways to better secure these systems? The answer is simple: the volume of connected devices is expected to grow five-fold over the next five years. Cisco Systems estimates that the number of connected systems will grow to 50 billion by 2020, generating $19 trillion in new revenues for businesses worldwide during the next few years. Analysts from IDC expect the IoT technology and services market to reach $8.9 trillion in that same time period. While reality may not reach those lofty numbers for some time, its clear that we are in for a lot of growth.
Its easy to look at the IoT and be awestruck by the promise of increased efficiency and business productivity, especially when systems such as those that control building automation replace manual checks at remote sites. However, there isnt the necessary urgency surrounding the potential security issues that can arise when so many systems are connected via the Internet. More devices and systems online means more devices and systems that need protecting, and IoT systems are not usually designed for cyber security. At the same time, most IT departments are very familiar with protecting laptops, servers and traditional IT infrastructure, and are not equipped to manage a much broader set of interconnected devices and systems. This increased complexity within the enterprise cant be overlooked.
Growth is coming, so what are we going to do about it? Any device that connects to the Internet with an operating system can potentially be compromised, opening a backdoor for attackers into your business. Companies will not have the option to take a wait-and-see approach while the industry hammers out a series of standards around IoT security. There are, however, things that businesses can do today to ensure their remote assets are as secure as possible. Before you deploy that next connected application, here are five things you need to keep in mind:
1) Make Sure Security is Front and Center – The building blocks of the IoT are billions of tiny sensors, which by their size and nature are limited in terms of being able to support a robust security solution. But that doesnt mean they can be left unprotected; it just means you need to build with security as a priority from the start. By identifying potential threats and discovering solutions early on in the development process, youll develop a strong precedent that can be followed throughout the application and device lifecycle.
2) Understand How Your Data and Devices are Protected – According to a report from HP Security Research, up to 90 percent of M2M / IoT devices collect personal information. The problem is, most companies only have a basic understanding of how that data is being protected. In many cases, they believe someone else is responsible for securing devices, data, applications and systems. As discussed earlier, securing IoT systems and devices takes an adjusted mindset, and many IT departments dont truly understand how IoT security differs from traditional network security.
Any IoT application that transmits sensitive information through the network needs to be encrypted. While this is especially true for financial and healthcare data, each industry has data it considers critical, and different devices and applications in different industries may have different needs. For example, some application developers may look to incorporate SSL to secure communications, however SSL requires additional processing power and memory (which adds a lot of overhead to devices and applications). In addition, wireless data charges associated with encryption and decryption processing may be high. Creating a site-to-site VPN tunnel from the IoT operator to the backend servers network might be the best solution as it allows encrypted data to be transmitted across the Internet. One thing encryption cant protect against is physical attacks. IoT devices such as sensors are the eyes and ears for businesses in monitoring remote assets. Businesses need to have a strategy in place to protect valuable assets and the systems that monitor them.
3) Know Who Has Access to Your Data/System – Lets face it, a lot of people and a lot of things likely have access to your systems and your data. In todays highly networked IoT environment, its possible theres a hole somewhere that is waiting to be exploited, possibly through a partner or service providers own network or even via another connected device. Its time to do inventory to see who really needs access and what level they need. This exercise should take place at every level of the technology stack, from the removable SIM card to operating system to hardware. A stolen SIM card, for example, may create fraudulent data charges, but a bigger worry is that it could provide direct access to your backend application servers. Securing software is also critical; secure over-the-air (OTA) application updates are gaining popularity as a way to ensure the authenticity and integrity of transmitted data.
4) Understand Your Biggest Vulnerabilities and What the Response is if Something Goes Wrong – IoT systems collect data that provide significant advantages to companies by allowing them to run advanced analytics and spot underlying trends. But with all that data coming in, it can be difficult to notice an issue, especially if the issue is at a remote site. Applications do not always respond to issues by alerting administrators and potentially blocking devices from communicating with the server, but this is functionality for organizations to seriously consider.
Just like you need to assess security at every layer of the technology stack, so too should you monitor at every layer because, if an event is detected, you want to ensure that its stopped in its tracks. A backend application can detect patterns in the data its receiving, and should be able to spot abnormalities and alert the administrator. To prevent any malicious use, the affected device should trigger a responsive action that blocks it from communicating with the server. The site-to-site VPN tunnel between the application server and the IoT operator has a fixed IP address, which makes it easier to isolate and disable the device if necessary.
5) Ensure Your Network Partner is Serious About Security – IoT applications generally use cellular connectivity to transmit data via three discrete networks: the mobile network operator (MNO), the IoT service provider and the Internet, which means youre putting a lot of trust into third-party networks. Dont be afraid to ask questions to make sure these third-party-managed networks place the same value on security as you do.
There are some common questions you can ask to get started:
- When and how often are patches and updates made? Are all security and patches up to date across the network?
- What kind of Intrusion Prevention Systems (IPS) and denial of service systems are being used?
- How do you handle background checks for employees with root access to servers and network devices?
- Who can access what? In other words, what level of security is required of anyone with access to systems? How do you enforce that?
Securing the IoT isnt an easy task. Already dozens of companies are emerging with solutions that claim to solve the IoT security dilemma. One thing, however, is for certain: Companies cant rely on someone else protecting their secure data. By developing applications and devices with a security first mentality, companies can create and manage applications that provide significant benefit to their organization while keeping their sensitive data safe and sound.
For more information visit www.koretelematics.com