In their haste to create smart devices, many manufacturers are neglecting security, whilst many operators are failing to implement robust solutions to ensure their networks are impenetrable to hackers. The number of connected devices is predicted to increase to 20.4 billion in less than three years. However, innovation in the IoT will be stifled if the industry cannot mitigate cyber-security threats.
Proactive engagement is required from all: chip and device manufacturers, operators, device owners, governing bodies, security experts and all other parties in the IoT, which must join forces now. This will help drive IoT innovation, encourage the prioritisation of security, ensure safety for consumers, and allow organisations to stay ahead of potential threats.
The automotive industry
Let's take the autonomous car as an example of how IoT innovation poses a threat to security. Autonomous vehicles are necessarily connected to their surroundings through vision technologies, vehicle-to-vehicle communications, vehicle-to-roadside infrastructure and cloud services providing traffic information; this opens up an array of potential avenues for hackers to exploit. As vehicles and infrastructure become more connected, data will be sent and received from vehicles to a significant number of parties. But that data needs to be trusted so that the autonomous vehicle can take action; to trust the data, the vehicle needs to authenticate it, without necessarily having any previous direct trust relationship with the sender.
The automotive industry is not only developing smart consumer cars, but also connected lorries and transportation vehicles, increasing the scope of damage which could be caused by cyber-attacks. There have already been reports on what happens when attacks occur, including cyber-security researchers remotely hacking and paralysing a Jeep Cherokee on a US highway.
Innovation in automotive IoT has been rapid, with new ownership models becoming closer to reality. However, growth will be stunted if security concerns are not addressed now. This includes securing not only the connected technologies embedded in the vehicles at chip-level, but implementing comprehensive security solutions and strategies across the entire automotive IoT network.
But what does this comprehensive security strategy look like? It all boils down to the concept of 'digital trust'. An end-to-end chain of trust must be established by all parties operating across the entire spectrum of the IoT. This applies to every industry sector, and must incorporate every stage of the lifecycle of an IoT device or process: from embedding management and trust infrastructure into the silicon chip at the point of design, through to establishing trust relationships with app and software developers, digital service providers, public policymakers and consumers. In essence, digital trust allows individuals, organisations, devices and services to be identified, verified and authenticated from the point at which access is attempted.
For a connected car, this would involve security protocols such as biometric readings being integrated into a car's control system, enhanced security implemented in factory operating systems, as well as during the testing and shipping stages. Even when the car is with its owner, over-the-air updates to security systems must be made available to ensure the vehicle has the highest protection against threats.
Digital trust creates a secure framework, ensuring access between entities at any of the stages in the IoT is reliable and verified. This will involve trust between device and server, and between server and services. It must then extend to the multiple cryptographic touchpoints between IoT node and the cloud. If not, weaknesses at any of these points can be exposed and utilised by hackers, causing damage to all parties across the IoT.
Collaboration breeds innovation
Fortunately, there has been some progress to secure the IoT through collaboration. The National Cybersecurity Centre, for example, aims to provide a collaboration link between government and businesses to improve cyber-security.
The Trust Continuum, a working group and part of the prpl Foundation, has a similar aim and provides guidance, APIs and the frameworks needed for developers and manufacturers to establish end-to-end trust in devices. Groups such as this also highlight the importance of sharing knowledge and educating the industry: best practices, challenges, and resources can be pooled and exchanged, to strengthen the security of individual organisations and thus the larger IoT ecosystem.
Organisations must also look to forge their own partnerships with security companies, which can offer the guidance and expertise many newcomers to the IoT lack. This will ensure the safety and security of a company's workforce, facilities, networks and information, across the digital world.
One recent example of this strategy in action was the partnership between the Automotive Electronic Systems Innovation Network (AESIN), and security specialist Intercede. The company will provide its trust management expertise to AESIN, and will develop rules, facilitate collaboration and share knowledge on how security can be applied to the automotive market.
Relationships must be built and maintained, and trust and transparency achieved between technologies, products, policies, services, regulations and standards. Those with the appropriate knowledge, skills and resources must help raise awareness of how to better secure the IoT ecosystem. It is only via this 'better together' approach that developments in the IoT will continue and, with these, innovations in security too.
Contributed by Nick Cook, CIO at Intercede
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.