Mention the Internet of Things (IoT) to anyone and it’s almost inevitable that the size of the market comes to mind. While research firms and vendors don’t exactly agree on the forecast, general consensus is that 50 billion devices will be connected by 2020. This is a staggering figure.
What many don’t realise is that this surging IoT technology wave is at the “peak of inflated expectations” to use a Gartner term. The early publicity generated by a new technology produces a number of success stories but is also often accompanied by lots of failures, too.
Society is certainly familiar with the failures. The Mirai botnet comes to mind. This took down the internet on the US East Coast, stalling websites such as Netflix and Twitter. This was a relatively benign attack considering the potential damage that vulnerable IoT devices can cause.
The types of malware-based attacks and huge data heists that we’ve become used to in the general computing world could be multiplied many times over with IoT. And in many cases, because these attacks target devices that control the physical world, IoT security is truly life and death.
Device security doesn’t cut it
IoT device manufacturers have, by and large, simply not prioritised security. Manufacturers are driven by tight margins and rely on high-volume scales to generate revenue and profit. Embedding adequate levels of security into IoT devices requires significant investment, deep expertise, and possibly a product redesign to accommodate, for instance, larger processors which power the security features. The fact is that many device manufacturers are not equipped to prioritise security.
This lack of security is the single biggest barrier to IoT adoption. Vulnerable IoT devices don’t cause damage in the abstract, they affect people’s lives. Imagine an attack on a hospital network.
Hundreds of internet connected things could be brought into a health organisation by unsuspecting business departments and are hacked to saturate a hospital’s Wi-Fi network. Doctors who rely on wireless communications don’t receive vital information and medical information systems get crippled resulting in delays and denial of care.
You might question who would hack a hospital but I point you to the ransomware plague that has specifically targeted healthcare organisations in both the UK and the US. Vulnerable IoT devices are the perfect means to launch ransom attacks.
How long will it be before we see people locked out of their smart homes until a ransom is paid? And of course, the damage could be so much greater in the business and industrial world, with fraudsters potentially commandeering and taking over an organisation’s network and tech tools.
IoT requires security by design
It’s hardly surprising then that lots of organisations are dragging their feet; it must be tempting to adopt a blanket ban approach informed by fear. This is a traditional IT playbook approach.
It was applied to Wi-Fi when it first surfaced and then to iPhones when they began to multiply faster than rabbits. But clearly, this doesn’t work, because the benefits in new technology areas are simply too immense to ignore.
To ensure our devices are secure, IoT implementation must be designed with security in mind from day one. Ask yourself: What kind of networks are you connecting to? Which external users have access to your systems/networks? What is the environment in which your system operates? What other systems are the devices interacting with? What is your risk/recovery plan for operations ? How often do you review your network security policies?
In the consumer space, there are some innovative technologies emerging that use tools like machine learning and cloud-based security to identify attacks, lock down home networks, and apply security across the homes they protect. But when it comes to enterprise, scale becomes a real problem with millions of devices that all need to be managed.
When designing enterprise IoT security frameworks, I advise customers to build protection into the device lifecycle. Here is a 7-step device lifecycle, including examples of the types of protections to consider:
1. Registration: Installing security software, discovery, uniquely identifying the connected devices, registration, can it call home?
2. Provisioning: Secure credentials, exchange certificates, capturing registration info.
3. Commissioning: Installing the device in the field, initial configuration, finding status.
4. Configuration: Remote secure updates of a commissioned device, updating privileges.
5. Monitoring: Health, operational, security and connectivity status, alarms and alerts.
6. Control: Remote decisioning, over-the-air (OTA) updates, performance, remote service.
7. De-Registration: Decommission, end of life.
Of course, this level of security also requires a cloud that can support the device scale and investment in embedded computing and operating systems. But if there’s any one thing that defines the technology industry, it’s a level of accelerated innovation never previously seen in human history.
The challenge of securing large-scale IoT implementations will be successfully addressed. In fact, it is an absolute necessity if organisations want to move from what are currently relatively small, tightly controlled IoT implementations to reap the full blown, business driving benefits of this revolutionary new technology wave.
Sourced by Santhosh Nair, VP of IoT, MobileIron
The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit byregistering here