IoT Security

The Internet of things has the potential to radically change business and everyday life – and that could be a problem if we don’t focus on cyber security.

The rapid growth of the Internet of things isn’t in doubt, but you can argue about the numbers. Is the number of connected devices 27 billion heading to 125 billion by 2030; or just 20 billion and looking to reach 50 billion during the 2020s? Perhaps all we can safely say is that we’re already losing count.

It’s certainly a massive market, although again estimating its size and forecasting its growth is a subjective business. Proposals that spending on IoT will soon pass $1 trillion don’t seem outlandish, though. That’s because, as the title of one report puts it well, IoT is not just a market, but a movement. It promises to transform not only businesses and industry, but also everyday life. It’s changing the way we do things and think about things. It’s one of those technologies to genuinely warrant that old cliché: A paradigm shift.

Fast things: 5G and IoT

The applications of the technology are pretty much infinite. If it’s an object and you can find some purpose in connecting it to the Internet, you can have a new IoT device.

Admittedly, not that many of us yet feel the need to connect our soap dispensers, bins or hairbrushes to the Internet – not for smart toasters, once a joke, now a reality. Some IoT devices are already proving useful and increasingly ubiquitous, however. Think of Fitbit’s fitness trackers and smart watches or smart speakers, such as Google Home devices and Amazon’s Echo. Others are widely available, if less immediately visible, and growing fast, such as connected cars and industrial devices. Many are still to be conceived.

New technology in the form of 5G mobile networks will turbocharge this. It promises massively faster speeds, the ability to connect far more things and hugely improved latency (the speed with which devices respond to a request to connect) – vital in applications where a delay in a device activating could be dangerous, such as where the device controls an industrial process, for example.

It’s well worth listening to this recent radio discussion about some of the possibilities from a business perspective. It truly is exciting.

But it’s also the weak link in an increasing number of businesses’ cyber security.

Cybersecurity risks: Outrageous IoT hacks

In the rush to harness the opportunities from the Internet of things it would be a mistake to forget the risks, though. It’s not that dangers aren’t recognised. In fact, part of the problem here is that the discussion tends to focus on some pretty well publicised and notorious examples. They can be shocking:

• Researchers hacking into and remotely controlling a Jeep on the highway– leading to the recall of 1.4 million vehicles; and, more recently, hacking of Tesla vehicles, for the second year in a row.
• Hacking of Internet-connected baby monitors, allowing people to view and talk to children in their cots.
• Cybersecurity vulnerabilities discovered in close to half a million pacemakers – raising fears of assassinations or even mass murder by hackers using just a computer.

A range of vulnerabilities – IoT Security Issues

These cases do a good job of conveying some of the possibilities, but little to illuminate the probability of more banal threats: In fact, it’s estimated that by 2020 a quarter of all cyber attacks will target IoT devices.

They also don’t well convey the range of risks IoT devices bring:

• Threats to privacy – with the creep of Internet-connected devices into every aspect of our lives posing an insidious threat to freedoms, giving government agencies massively increased scope for surveillance of the population; and exposing intimate personal information, such as health care data and movements to data breaches, with the possibility of significantly liabilities for businesses – particularly with GDPR now in force.
• Threats to network security, with not just the business’s own devices at risk, but those brought in by employees, contractors, customers and others, with an average of 3.5 Internet enabled devices per person. In a study of businesses, over a third had more than 5,000 personal devices connecting to the network each day, opening businesses to social engineering hacks, phishing and malware.
• Threats to public safety and the environment, with attacks on industry and infrastructure systems. We’ve seen increasing attacks on such systems in recent years, whether that’s hackers knocking out the electricity grid for half a million people in the Ukraine; or deliberately targeting safety systems of critical infrastructure – a “watershed” moment in industrial cyber security. The introduction of millions more Internet connected devices as the Industrial Internet of things or Industry 4.0 grows will open up new vulnerabilities.
• Threats to other organisations, with malware such as the Mirai and the Leet botnets infecting and harnessing thousands of IoT devices and massively increasing the complexity and scale of denial of service attacks, for instance. In this way, the IoT hasn’t just added to the number of threats, it’s changing the nature of existing, well-established threats, too.

The risks are particularly pronounced for highly regulated industries – whether that’s utilities and critical national infrastructure or pharma and healthcare, as well as the legal and financial sectors. As regulatory requirements increase, businesses in these sectors (and others) face the possibility of significant penalties and reputational damage even where no attack takes place but authorities determine that their security is inadequate.

 IoT Regulation

Not surprisingly, given the scale of the attacks and potential seriousness, many are calling for governments to do more. The UK is already taking up the challenge, with the British government recently launching a review on the issue. That’s expected to lead to requirements on IoT device manufacturers to embed security in the design process and a new Code Of Practice to improve the security, developed in conjunction with the National Cyber Security Centre (NCSC).

“The NCSC is committed to ensuring the UK has the best security it can, and stop people being expected to make impossible safety judgements with no useful information,” as the NCSC’s technical director said.

We should certainly welcome tougher standards for device manufacturers. Most consumers just assume IoT devices have security built in, when, in fact, the security and safety of many are – to quote one reviewer – “atrocious”.

Self Help

There are a few good reasons businesses would do well to avoid relying on the government to bring security, though.

First, new requirements will take time to come, and longer still to secure devices already out in the world. That means present vulnerabilities will persist for a long time.

Second, policy priorities won’t necessarily match those of businesses. The code, for instance, is to address “consumer internet-connected devices”, and the governments’ focus is likely to be on consumer safety and privacy. Preventing disruption to businesses’ operations and profitability is going to be secondary.

Finally, of course, there are no guarantees with cyber security. Taking things on faith and simply trusting that government requirements will bring security would be a mistake. If businesses want the Internet of things to work for them, rather than against them, much of it is going to be down to their own efforts.

Five Steps to IoT Security 

So what can businesses do?

Well, it’s not actually rocket science. Basic security principles and processes followed in a structured way will get you a long way towards security.

So, five steps to making your IoT deployment more secure:

1. Identify what devices are connected, because you can’t protect devices if you don’t know they’re there. If your toaster can actually connect to the Internet, you need to know. All security starts with knowing what you need to protect.
2. Put devices behind a firewall – An obvious security step that for some reason is often forgotten when it comes to IoT devices.
3. Set up a separate local network for IoT devices or separate VLANs to keep them isolated. The surest way to keep hackers out is to cut their connectivity.
4. Use complex, unique passwords for each device. Even where manufacturers include security with passwords, they won’t provide much protection if you keep the default.
5. Keep software up-to-date, just as you would for computer systems to keep virus definitions and patching updated. The threat landscape is constantly changing, and device manufactures need to address new vulnerabilities as they are discovered.

This isn’t really much different to traditional security: The principles of securing networks and their endpoints are well understood. It’s the scale of the challenge, in terms of the numbers of IoT devices – and the constantly shifting landscape as new devices are introduced and brought in and out of the network – that’s arguably new.

That just means that it’s not a job that’s “once and done”, though. Procedures need to be in place to continually review cybersecurity and the state of the network; the five steps above are a constant cycle of work, not an annual checklist.

IoT has the potential to set connectivity free and transform businesses and our way of life. As ever, though, the price of liberty will be eternal vigilance.

For more IT security advice take a look at our IT security support page and contact us to see how we can help you.