Securing the Internet of Things (IoT)
Sukamal Banerjee, EVP, engineering and R&D services, HCL Technologies
The Internet of Things (IoT) revolution is gearing up to dramatically alter various industrial sectors including manufacturing, healthcare, energy and transportation, which together account for nearly two-thirds of the global GDP. While this promises to bring unprecedented opportunities to business and society, it also opens up various vulnerabilities and security threats. We have already heard news of baby monitors, medical gadgets and smart lights being either hacked or proven vulnerable.
According to Gartner, about 26 billion devices will be connected by 2020. This is a phenomenal jump from about 4.9 billion connected devices in 2015. Along with the exciting possibilities this five-fold growth brings, it also gives hackers 26 billion targets through which to infiltrate the network. As more and more devices are connected, the network becomes increasingly fragile. Unfortunately, the speed of innovation means that security is often an afterthought rather than being built in from the start, leaving vulnerabilities for hackers to exploit. Therefore a key part of the IoT is not only inventing the sensors and connecting the systems but also securing the plethora of data that passes back and forth.
Better the devil you know
The first step in securing IoT is to understand where threats are likely to come from and who the attackers will be. Of immediate concern to enterprises will be passive attackers looking to take advantage of security weaknesses in IoT devices and networks to steal confidential data. These attacks might be difficult to detect, as many are likely to result from insider activity, so enterprises have to be on their guard from within.
The other severe threats will likely come from active attackers targeting IoT devices with remote access attempts, or IoT networks with techniques such as Sybil or DDoS attacks to cause operational failures and disruption. These attacks could have the most severe consequences, such as shutting down medical devices in a hospital operating theatre. We've already seen several well-publicised cases of hackers exploiting vulnerabilities in wireless webcams, CCTV cameras and even baby monitors to spy on people. When these exploits are leveraged against enterprise networks, as they almost certainly will be, the risk of disruption will be immense.
Take the fight to them
Enterprises looking to leverage the IoT can't afford to be caught unawares. They need to begin developing new security frameworks that span entire cyber and physical stacks, from device-level authentication to application security and robust data protection measures. Every enterprise is different, so there is no one-size-fits-all approach to creating an IoT security policy, but there are many key aspects that must be considered:
· Secure development – insecure functions and programs in IoT devices are creating a weak link in the security chain, so development teams should review the code in their IoT applications to identify any insecurities. It's also important to consider the challenges of keeping huge networks of IoT sensors and devices patched to fix any newly discovered vulnerabilities in the same way you would with a laptop or smartphone.
· Data encryption – most wireless communications and protocols in IoT are open, and the limited resources available for securing sensors and smaller devices with strong algorithms for data encryption and transmission leave them prone to attack. A carefully considered approach to IoT security will be required. According to a recent report, 70 percent of internet devices use unencrypted network services; sensitive data should be encrypted before use to render it useless to anyone who breaches the network.
· Privacy protection – people are rightly concerned about their privacy being invaded by machines and devices collecting data on their actions and movements, and it's critical to ensure this doesn't stifle innovation. One of the best approaches would be to de-identify any data that is captured, removing any unnecessary PII that links it to individuals, in order to safeguard their privacy.
· Access management – since IoT devices and sensors are often programmed over the air, they are more susceptible to being remotely hacked. Organisations will need to have a robust identification mechanism built in, using digital signatures to ensure that only authentic commands and code are accepted by IoT devices and sensors. It will also be necessary to implement role-based access privileges to reduce the risk of insider threats from employees, partners and suppliers accessing data, devices and sensors that are outside of their remit.
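The access-management point above, as an added Go example that is not part of the original article: a device accepts a command only when it carries a valid Ed25519 signature from an enrolled operator and the action falls within that operator's role. The `Device` type, the operator ids, the action names and the message layout are assumptions made for illustration, and the per-operator counter that rejects replayed commands goes beyond what the article lists.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Device is a hypothetical IoT endpoint (illustrative names); maps are keyed by operator id.
type Device struct {
	keys     map[string]ed25519.PublicKey // verification keys provisioned by Enroll
	roles    map[string]map[string]bool   // actions each operator's role permits
	lastSeen map[string]uint64            // highest command counter accepted so far
}

func NewDevice() *Device {
	return &Device{map[string]ed25519.PublicKey{}, map[string]map[string]bool{}, map[string]uint64{}}
}

func (d *Device) Enroll(id string, allowed map[string]bool) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	d.keys[id], d.roles[id] = pub, allowed
	return priv
}

// msg binds operator, action and counter into the byte string that Sign signs.
func msg(id, action string, n uint64) []byte { return []byte(fmt.Sprintf("%s|%s|%d", id, action, n)) }
func Sign(k ed25519.PrivateKey, id, action string, n uint64) []byte { return ed25519.Sign(k, msg(id, action, n)) }

// Accept checks authenticity, then role, then freshness; any failure rejects the command.
func (d *Device) Accept(id, action string, n uint64, sig []byte) error {
	key, ok := d.keys[id]
	switch {
	case !ok:
		return fmt.Errorf("unknown operator %q", id)
	case !ed25519.Verify(key, msg(id, action, n), sig):
		return fmt.Errorf("bad signature")
	case !d.roles[id][action]:
		return fmt.Errorf("%q is outside the role of %s", action, id)
	case n <= d.lastSeen[id]:
		return fmt.Errorf("replayed or stale counter %d", n)
	}
	d.lastSeen[id] = n
	return nil
}

func main() {
	d := NewDevice()
	tech := d.Enroll("tech-01", map[string]bool{"read_status": true})
	fmt.Println(d.Accept("tech-01", "update_firmware", 1, Sign(tech, "tech-01", "update_firmware", 1)))
}
```

Counters start at 1, and a rejected command does not advance the stored counter, so a correctly signed but unauthorised request cannot be used to lock an operator out.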
There also need to be new, innovative solutions, because we cannot assume standard practices of network security will suffice across all forms of devices. No single entity can solve the security issues on its own. Government agencies, academia and global enterprises must collaborate and respond rapidly with measured force to build robust security measures and infrastructure.
Security is one of the challenges that needs to be met in an accelerated and focussed way to ensure the potential of IoT is fully realised. The potential benefits far outweigh the security risks; hence while work on security needs to be enhanced, the adoption curve for IoT should be sustained and accelerated.