Internet of Things Security - Can We Meet the Growth Challenge?
“More than 12 billion devices are already connected to the Internet of Things – and by 2020, that number could surge to 30 billion,” says Simona Jankowski of Goldman Sachs Research. She declares that 5G technology is enabling the revolution with networks being 100 times faster with 1/50 the latency of 4G cellular networks. With this growth, key applications and markets will be IoT enabled.
The concern for security and privacy grows as the sector thrives, with adopting industries to include oil and gas, electric power, building automation/smart homes, security, automotive, healthcare, transportation, vehicle management, shipping, construction, retail and manufacturing. Home security, smart grid for electrical distribution and healthcare devices will all have critical data to protect, and it’s in the public interest to meet regulatory and compliance directives such as HIPAA regulations. But, as new ventures emerge in the Internet of Things (IoT), we need to approach IoT implementation with security in mind from the beginning – including critical controls which will allow secure transmission of data collected by the device.
Cloud security and IoT security closely related
The threats to IoT based devices are similar to vulnerable SaaS applications and Big Data. However, protection of sensors, actuators, and gateways is not as robust as today’s standard cyber security practices in the datacenters with protection by firewalls, authentication and network isolation techniques of networks. For efficient operations and cost-effective deployment, security protection may need to migrate into firmware. Such an innovation will provide common security approaches and a method for managing upgrades and maintaining affordable operations, driving the demand further all with best IoT practices for security.
The significant increase in the number of connected devices means there are now many more access points, some of which might exist outside of the secure networks.
Today’s IoT Security practices
Existing security practices already in place for IoT are insufficient for known threats, much less unknown ones. As new classes of sensors or actuators, devices or data servers are being introduced, it is impossible to predict what component will become susceptible to breaches. Many IoT solutions have instantaneous transmission of data to collectors. The applications of tomorrow will have a store and forward technique for data held on the device, creating new data management issues to be solved. The only way to deal with the issue is to first determine through a risk assessment the security complexity and measures required to mitigate threats and then test, test and test again.
More points of vulnerability
Traditional data collection and management systems have generally relied on a small number of access points. End point devices have often been behind concentrators, gateways or on secure networks. The significant increase in the number of connected devices means there are now many more access points, some of which might exist outside of the secure networks. It is critical to develop security controls commensurate with the importance of the information collected.
IoT lacks industry standards
Product vendors and the financial firms, which fuel them may not consider security as important as market entrance. Depending on the industry, security and privacy have different degrees of emphasis – and security of the infrastructure is a product of a focus to protect information; for example, protected medical information in healthcare. An element of risk for the data or control of the device security must be introduced and considered as IoT devices are rolled out.
Companies entering the IoT sector, including the vendors offering solutions, must implement control measures that can validate devices and their access permissions. A key concept to consider is the connection of external devices to a secure network.
Where is the point of vulnerability? Is the vulnerability for data in-use, in-transit or at-rest? Are sensors or actuators, devices or data servers a vulnerable point? Experts focus on the end-point sensors or actuators. There are presently no security standards specifically for IoT. Standards must include identification and authentication, encryption for transport and maintenance of data and system integrity to ensure software, firmware, drivers and settings have not been tampered with, nor altered. Private Key Infrastructure (PKI) systems provide a well-established security solution for identifying and authentication, but PKI principles have not been rolled out to any significant extent like they have for internet and secure encrypted communications.
Data management presents similar problems
Large volumes of data from IoT connected sensors, actuators and gateways will be stored in the cloud. IoT has a similar data management perspective as cloud-based operations. A solid data management strategy should address classification of data, storage within the device, and persistence of data on the device after retrieval and in data warehouse systems.
The Internet of Things will deliver tremendous value. New applications will be disruptive by providing solutions that, up until now, were not feasible or too cost prohibitive. But with benefit also produces security dangers due to the very scale and the very sensitive applications that demand IoT solutions. The challenge is balancing security for value and ease of use. Conducting a risk assessment of the opportunities and constraints of IoT solution operations will expose any inherent risk. Discussion about security issues is important to have with vendors. The security of the devices and data must be considered, with privacy and the potential exposure of customer information top of mind, as the development of the IoT market potential expands.