Cutting the wire: IoT security Part I
By Benjamin Cher November 9, 2015
- Companies grappling with the new threat vector the IoT provides
- Security needs to span from IT policies to firmware design
EVERYONE is excited about the Internet of Things (IoT), which promises to connect everything from your fitness tracker to your fridge to the Internet. The predictions range from 26 billion (Gartner) to 50 billion (Cisco) smart devices being connected by 2020.
The IoT is the new reality that both consumers and enterprises live in, where the ‘always-on’ paradigm rules.
However, in this initial rush to connect everything to the Internet, security seems to have taken a backseat, leading to well-known hacks such as the one involving carmaker Jeep, among others.
Are companies aware of the need for security in the new IoT world? How are they balancing the need for security with that of ease of use? Is security just an afterthought?
Digital News Asia (DNA) spoke to various technology companies, as well as legal and analyst firms, via email to find out.
Awareness up, security not
There appears to be a divide in opinions among the companies we spoke to, with some agreeing that security is still an afterthought, while others argued that it has become a priority.
IoT security awareness has improved, according to Charles Lim, senior industry analyst of Networking, Information & Cyber Security at Frost & Sullivan Asia Pacific’s Enterprise ICT practice.
In the past, security did not really matter to companies when they were busy connecting just about any device to the Internet, he said.
“But recent breaches – from connected cars to traffic lights – have raised the alarm with smart appliance and device makers, as well as organisations running industrial networks that are now connected to the Internet,” he said.
The cybersecurity industry is also jumping in, working to create solutions for IoT devices, he added.
Newer considerations for IoT have surfaced, such as who is accessing which service, according to CA Technologies Asia Pacific & Japan vice president of Security and API Management, Vic Mankotia.
“This has led device-makers to focus on enabling services rather than working with security in mind,” Mankotia told DNA via email.
The IoT is seeing an explosion of devices being connected to the Internet, increasing the threat vectors, which makes the lack of focus on security especially troubling, argued Microsoft Asia chief security officer Pierre Noel.
“IoT must be embraced with security in mind, especially with growing concerns among the public about the susceptibility of their devices to cybersecurity attacks,” he said.
“The vectors of attack will increase, which will potentially mean more points of vulnerability,” he told DNA.
This in turn would lead to a greater impact when an IoT device is hacked, according to Ashish Thapar, managing principal of Investigative Response at Verizon Enterprise Solutions.
“With the IoT, we are talking about threats beyond the typical breach of confidential data – areas that may have impact on issues relating to human safety (whether you look at a connected car or an insulin pump) and financial/legal liability.
“Or even at a nationwide impact from a critical infrastructure perspective,” he said.
Security is hard
However, Cognizant’s Emerging Business Accelerator chief operating officer Sean Middleton disagreed, arguing that security is definitely at the forefront of IoT considerations.
“This isn’t because security is an afterthought, it’s just that security is hard,” he said.
“As with all aspects of security, there will be a perpetual race between those seeking to circumvent controls and those looking to improve them,” he told DNA via email.
Gemalto’s South Asia & Japan M2M (machine-to-machine) Solutions head Manoj Kumar Rai concurred, pointing out that 42.4% of IT professionals in a Gemalto survey said that security is the biggest inhibitor to IoT development.
“This means many organisations are aware of the gravity of having a robust security system in place before they even launch an IoT project,” he said.
Citing another survey by Markets and Markets, Manoj highlighted that the IoT security market is set to grow to US$28.9 billion by 2020.
“This further proves that companies are recognising security as an important component in their IoT systems and should not be taken lightly,” he told DNA.
While security might not currently be the top priority in IoT deployments, companies are taking more interest in it, especially when it comes to critical infrastructure operators, according to Frost & Sullivan’s Lim.
“This is because in the past, critical infrastructure operators used to implement an ‘air-gap’ for their industrial systems to be isolated from the Internet,” he said.
“But now they are connected to leverage on the benefits connectivity brings, such as real-time transmission of data for monitoring production efficiency,” he added.
The various respondents pointed out that companies have stepped up and implemented various measures to help secure IoT devices.
“We see a lot of organisations that, upon witnessing the surge in Internet-connected devices, have been actively harnessing, managing, and securing access controls and APIs (application programming interfaces),” CA’s Mankotia said.
“In particular, companies handling medical data, inter-agency data exchanges and logistics, are trailblazing in this adoption,” he added.
Companies have been securing their IoT through a variety of measures, from encrypting data traffic to embedding security in the hardware itself, according to Gemalto’s Manoj.
“Encryption is very important to prevent interception of data when it travels through the cloud and an IoT environment,” he said.
A secure element consisting of a crypto-processor and an algorithm can be installed onto the hardware itself to encrypt data, according to Manoj.
“The data that is originating from the embedded device is encrypted using the encryption algorithm, which is safe and secure,” he said.
Companies have also been focusing on areas such as authentication and network security, according to Verizon’s Ashish.
“[But] to better wrap security around the IoT, companies should also look at a corporate security events/log analytics platform, strong authentication, and transaction/communications channel security.
“[They should also look at] interface-level security that facilitates the intercommunications between IoT devices and a gateway device,” he added.
These measures are essentially a ‘defence in depth’ model which is an effective security strategy, said Cognizant’s Middleton.
“In other words, [this is] implementing control points at multiple layers in a system – at the device itself, on the gateway it connects through, on the database it accesses, and so on,” he said.
Up next: Shadow IoT and security by design