Advances in digital technology are delivering new applications at a rapid pace. The use of sensors and wireless communications is enabling information to be captured, transmitted and processed to solve problems and create opportunities in healthcare, utilities, manufacturing, insurance, transportation and many other sectors.
This new world of the Internet of Things (IoT) is transforming organizations as well as personal homes and even individual consumers into “data centers” where information technology is used for numerous applications.
While it is easy to see the benefits as new IoT solutions are brought to market, it is also important to stop and consider the security of the data in these devices and the impact of an inadvertent or malicious attack on them.
When it comes to IoT in the consumer world, the stakes for cyber-attacks are high, and there are a whole new set of consequences to understand and address. For example:
- An attack against a medical device could result in physical harm or loss of life.
- Jamming a sensor used for smart metering could result in loss of power and related damages from not having electricity.
- Hacking into a self-driving car could potentially result in the loss of control of a vehicle on a crowded highway.
- Exploiting an IoT device weakness could allow access to high-risk banking and personal health data.
Key considerations in securing IoT
IoT device manufacturers should be looking at these threats, but currently there is no certification organization—such as UL (Underwriters Laboratories), which certifies products to industry-wide standards—to test the trustworthiness of IoT devices. Furthermore, all of the many elements of IoT—including sensors, networks, applications and hosting—each need to be assessed from a security perspective and then protected, while the integration of the different components also must be considered.
Another key issue when securing IoT is whether the data transmitted can be intercepted and/or altered by an attacker. An IoT device should be uniquely identifiable to enable communications and security status updates for the related application. For example, manufacturers could use physical unclonable functions (PUFs) to generate unique certificates for each device so that no two have the same certificate. Even if a certificate or device is compromised for an IoT system with hundreds of devices, this approach makes sure that a second device is a new challenge for the adversary.
In addition to technical controls, other assurance elements should be provided to the IoT users themselves. For example, the intended use of the device should be clearly outlined for the consumer along with the potential risks associated with using the device in a manner other than intended. A user’s awareness and understanding is an important element that often is overlooked.
While the opportunities for IoT are unlimited, the technology needs to be implemented at a managed pace with security in mind. I invite you to read previous blogs on related topics by my colleagues Daina Warren on next-generation connected cars require a solid security foundation and Mike Corby on the connected healthcare system requiring a new security approach.
About this author
Hi Jim, I hope you are doing well.. other key aspects that are usually overlooked at, are the security of development environments, and since time to market is usually key, is not rare that secure product development practices are not well implemented and so performing testing only at the end, making it very expensive to remediate, or simply just skipping the entire security dimension .
Thank you, Rodrigo, for the comment. Here is a reply from Jim: "Rodrigo I could not agree with you more. Technology is moving very quickly with little attention to security, and new threat vectors are being introduced with each new application. We, as security practitioners, have a lot of work to do to raise awareness of this critical issue. I am interested in what other people think."