By Maria Marinina, Marketing Manager at the software development company Itransition. You can read the original article here.
While there are real consequences for neglecting IoT security, it’s a mistake to feel as though nothing can be done about it. Users, network administrators and developers alike can take steps to make sure their assets are protected in the age of the IoT.
Kevin Ashton’s famous 1999 presentation to Procter & Gamble made the internet of things seem like both an untapped gold mine for forward-thinking industries, and the next logical step in the evolution of computer technology. Correctly assessing that the Internet was “almost wholly dependent on human beings for information,” Ashton went on to envision a world in which many devices and everyday objects would capture and share data all by themselves — making it easier to track commodities, reduce losses and lower costs. Today, that world is in many ways a reality, but many people in the industry think there might be a dark side.
Today, there is such a proliferation of network-connected items worldwide that they are taken for granted by the vast majority of people who use them. A study by Verizon and ABI Research recently put the number of devices connected to the Internet at 1.2 billion but predicted that by 2020 that number would rise to almost 5.4 billion.
In short, the IoT seems poised to obliterate the line between information technology and operational technology altogether. Already a vast amount of machine-generated data is being collected and analyzed by other systems around the world, with the stated goal of opening new avenues for improvement. Python developers are having a field day, since Python is one of the most vital and useful languages for data science and machine learning. However, the sheer amount of information being gathered has sparked concern among critics, many of whom are unsure of its exact nature—and of the potential for its misuse. As a result, there has been a lot of heated coverage of the IoT in recent years, making it difficult to determine the real problems it faces. According to ISACA, most concerns about the IoT are based on security, with data privacy the runner-up.
The potential for IoT misuse is quite easy to imagine: hacking into an ex’s smart-toaster to ruin their breakfast, for example. The challenge is to separate the speculative concerns from the real and more serious ones. Just look at the February 2017 scandal involving Vizio, whose affordable smart TVs were spying on their owners and transmitting the data back to the company so it could be sold to advertisers. A more recent and dramatic episode occurred in Dallas on April 7, 2017, when hackers turned on all the city’s emergency sirens at once, causing many residents to think they were under attack.
A 2015 paper by Wind River called Security in the internet of things summarized the crux of the matter beautifully: “As we become increasingly reliant on intelligent, interconnected devices in every aspect of our lives, how do we protect potentially billions of them from intrusions and interference that could compromise personal privacy or threaten public safety?”
The short answer is that there’s no magic solution. However, Itransition IoT developers recommend various existing IT controls that can be successfully applied to IoT security, as long as they can be tailored to those embedded devices with network-compromising potential:
● Use digital signatures to start devices securely. IoT security isn’t just about protecting the network; it should start with the moment you first boot up your device. Devices that attach digital signatures to their software images can check them upon startup to make sure that they aren’t loading anything unauthorized — such as a foreign program or virus.
● Limit access from device controls and applications. To keep devices as secure as possible, it’s best to make sure that every piece of software on them is accessing only the information that helps them function properly. This confers two benefits upon users. First, it limits the amount of data that a device can transmit to its parent company (like your iPhone to Apple, for example, which allows you to customize the amount of information your phone can share through various apps and services). Second, it ensures that if someone were to hack into any of your devices, that person would have limited access to the system — which leaves you and your personal information less vulnerable in a worst-case scenario.
● Use machine authentication when connecting to a network. Whenever one of your devices connects to its network, it should be required to provide authentication before collecting or sending information. Since many devices are embedded too thoroughly to have flesh-and-blood users authenticating them manually, this requires a process called machine authentication (as opposed to a username and password). This is most often accomplished with a digital certificate, which stores the authentication information securely and delivers it upon establishing a network connection.
● Use firewalls. You might think that having network-based appliances in place would prevent the need for a firewall, which is typically used for securing outward communications. However, firewalls are also essential tools for protocol filtering, which essentially ensures that the devices on your network are all talking to each other properly. This can identify dangerous payloads concealed in non-IT protocols, which can threaten your network, your devices, and your individual privacy.
● Be careful when delivering patches and updates. Practically every object in the IoT is going to receive updates every so often. The problems occur when those updates are happening on a massive scale and consuming vast amounts of bandwidth, or reducing the functional safety of said devices—since this can prevent users from updating them, and leave them open to security breaches. Updates and patches for devices should be rolled out in such a way as to minimize their strain on both bandwidth and connectivity, making it easy for users to keep their devices up to date with the latest security measures.
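The first recommendation above, checking a signed software image at startup, can be sketched as follows. This is an added example, not code from the article or from Itransition; the image layout (payload followed by a 64-byte Ed25519 signature), the function names and the fixed demo seed are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Hypothetical layout for this example: payload || 64-byte Ed25519 signature.
var (
	ErrTruncated    = errors.New("image too short to carry a signature")
	ErrBadSignature = errors.New("signature check failed, refusing to boot")
)

// signImage is the build-side step: append the vendor signature to the payload.
func signImage(priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, payload)
	return append(append([]byte{}, payload...), sig...)
}

// verifyImage is the boot-side step: split off the trailing signature and
// check it against the public key held by the bootloader. The payload is
// returned only when the check passes.
func verifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) <= ed25519.SignatureSize {
		return nil, ErrTruncated
	}
	split := len(image) - ed25519.SignatureSize
	payload, sig := image[:split], image[split:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

// demoKeys derives a key pair from a fixed, constructed seed (demo only).
func demoKeys(fill byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{fill}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeys(0x01)
	image := signImage(priv, []byte("firmware v1.2 (constructed sample)"))
	_, err := verifyImage(pub, image)
	fmt.Println("genuine image:", err)
	image[0] ^= 0xff // simulate an image modified after signing
	_, err = verifyImage(pub, image)
	fmt.Println("modified image:", err)
}
```

On a real device the public key sits in storage the running software cannot rewrite, and the private key never leaves the build system.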
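The machine authentication recommendation above comes down to the network accepting only devices whose certificate chains to a certificate authority it trusts. The following is an added example, not code from the article; the fleet CA, the device names and the one-hour lifetime are constructed, and in a deployment this check runs inside a mutual TLS handshake, which also proves the device holds the matching private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a short-lived certificate for name; parent == nil means self-signed.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if parent == nil { parent, parentKey = tmpl, priv } // self-signed
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, priv
}

// admit is the network-side check: accept the device only if its certificate
// chains to the fleet CA and is valid for client authentication.
func admit(fleetCA, device *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(fleetCA)
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := issue("Example Fleet CA", true, nil, nil)
	sensor, _ := issue("sensor-0001", false, ca, caKey)
	rogue, _ := issue("sensor-0001", false, nil, nil) // same name, not issued by the CA
	fmt.Println("enrolled:", admit(ca, sensor), "| self-signed:", admit(ca, rogue))
}
```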
The bottom line is this: while there are real consequences for neglecting IoT security, it’s a mistake to feel as though nothing can be done about it. Users, network administrators and developers alike can take steps to make sure their assets are protected in the age of the IoT — ensuring that the benefits of this technology outweigh the risks.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the IoT Security Foundation.