Are IoT and IIoT safe to use in my organization?
The billions of connected devices currently online are about to grow in number at a fantastic rate.
In addition to developing world economies beginning to adopt and utilize technology in the way that those of us in the developed world consider the norm, the internet of things (IoT) is about to swamp the world’s networks with extra data.
In the business world, IoT deployments offer all sorts of benefits, ranging from plant machinery that can predict its own failures to autonomous vehicles and robots revolutionizing the supply chain, to remote sensors and controls able to manage and feedback from remote and inhospitable conditions.
The bright and rosy future depicted by both technology journalists and IoT suppliers needs taking with a pinch of salt, of course. Every connection of technology to a network is a potential security breach, so should we be worried about the implications of exponentially increasing the number of devices that play roles in our working lives?
Even without flooding our factories, offices, water processing facilities and electricity plants with thousands of remote sensors and control units, every device we already use represents a danger. But short of cutting off our facilities from all technology- especially networked technology- the advantages of using tech outweigh, and will continue to exceed the potential for cyber breaches and ensuing damage.
How to protect IoT
In the same way we are accustomed to protecting our own smartphones that enter our commercial premises every day, we have a responsibility as technology professionals to protect the new generation of IoT devices as they come into our spheres of influence.
A lot of this comes down to our purchasing decisions. One of the significant aspects of IoT and IIoT (IoT’s industrial cousin) is that the devices are, relatively, cheap to produce, deploy and maintain. Integrated circuits and system on chip manufacturers are making devices smaller and more potent so that a single device can be equipped with several communication methods, multiple sensors and a range of control systems all for just a few dollars.
The drive to the bottom of the price range means that many IoT devices are powerful, but not powerful enough to run dedicated security routines. A cheap and cheerful industrial control and sensor array does not possess the capability to firewall itself, detect threats as they occur and inform monitoring systems of a potential breach.
There is a gulf between the ideal IoT device from the cybersecurity standpoint, and some of the more basic devices on the market today. Networked cameras, microphones, and even GPS-powered navigation devices have been compromised, either in the wild or as part of controlled tests by cybersecurity experts. There is a point at which IoT’s costs outweigh the benefits accrued, so no-one is suggesting that every monitor or control system has to be impregnable to attack.
Instead, it is incumbent on IT managers (CTOs and CIOs, VPs of production and the like, as well as CISOs) to pressure IoT manufacturers and suppliers to push security up the agenda.
But until that happens, what are the threats, and how can they be avoided? Is IoT safe, as it stands at the end of 2018?
Google CEO Eric Schmidt told world leaders at the World Economic Forum in Switzerland, in 2015, “There will be so many sensors, so many devices, that you won’t even sense it, it will be all around you,” he said. “It will be part of your presence all the time.” If it’s inevitable, it’s probably worth considering some of the potential pitfalls.
In 2019, is IoT safe for my business?
The three elements of an IoT deployment are where security needs careful consideration and application. The three are: the devices themselves (sensors and controllers, embedded operating systems), the transport layer (cell signals, wifi, BlueTooth, Ethernet, Lora, Zigbee and so on), and the tech systems which draw on the information from IoT devices, managing both the devices but also creating the desired results (more efficient transport, valves and switches which react quickly, and so forth).
“Many things are connected to the Internet now, and we will see an increase in this and the advent of contextual data sharing and autonomous machine actions based on that information.”
Andrew Rose, Forrester Research.
If we can momentarily park the last of the three elements for brevity’s sake and entrust protection in oversight systems to ‘traditional’ networked cybersecurity, it’s the two other elements which we need to consider.
The nature of IoT is that it’s often deployed in physical locations which are out of the way- not necessarily unreachable, but places that can be more susceptible to having their communications methods tampered with. Whether that’s for reasons of sabotage or to corrupt data is irrelevant here. What’s necessary is to consider how physical protection can be provided, not just for cables, but also for any transmission/reception protocols in use, be that wi-fi for something lower powered.
— E&T Magazine Connect (@eandt_connect) November 8, 2018
Additionally, it’s up to users and those procuring IoT to pressure manufacturers to adopt communications methods that are not only secure but widely accepted across multiple manufacturers. Changes at this level can help ensure signaling methods are difficult to tamper with- spoofing and man-in-the-middle type attacks are currently too easy.
As far as embedded systems and hardware is concerned, the lightweight nature of the OS of each device can mean that it can be compromised relatively easily. While headlines concerning commandeered signals from IP cameras are alarming, the main threat to enterprises is hackers using hundreds of millions of identical, compromised devices as the next-gen botnet armies of the future. Or, if not deployed to this type of end, IoT’s ubiquity and very abundance mean that if a single system can be cracked, the potential is there for whole facilities to be simultaneously affected.
Nightmare scenarios like whole cityscapes going dark, or water supplies cut off may be the reality of the future, but only if those in charge of deploying arrays of IoT devices do so without ensuring proper precautions. Who would bear the blame for such an occurrence? The IoT manufacturer that sold the devices complete with gaping security holes in its makeup or the IT professional either oblivious of the risk or ignoring the risk when confronted with a cheap price tag?
The IT industry as a whole needs to ensure that IoT is safe, utilizing pressure on suppliers, but also by the process of self-education as to the risks, and the best ways to ameliorate them, right now.
19 October 2020
19 October 2020