The Internet of Things (IoT) trend is such a hot topic today… and for good reasons. There is no doubt that a world with a fully functional collection of IoT systems will bring tremendous benefits to our work and personal lives.
Let’s look at just three examples. Sensors in roads and in cars will tell drivers of dangerous road conditions, keep the car in the center of the road, and warn drivers of slow or stopped vehicles ahead. In healthcare, patients will wear medical devices that remotely communicate data to their physicians. In the hospital, nurses and surgeons will wear smart watches and glasses that give them the latest information from patient monitoring devices and lab results. In cities, street lights will inform maintenance crews which bulbs are out, trash cans will also tell crews when they’re full, and citizens will know exactly when the next bus will arrive at their corner stop.
While billions of connected “things” will improve the quality of people’s lives, change business processes and models, and reinvent entire industries, those same things also provide new entry points for criminal access to personal and corporate networks and data.
The potential for costly IoT security breaches is significant.
- A 2014 HP study of ten popular consumer IoT devices reported that 70 percent of them had at least one security vulnerability and that, astoundingly, the devices averaged 25 vulnerabilities each.
- The reality is that, in today’s environment, an amateur hacker can conduct basic attacks from anywhere in the world by downloading existing tools. Even worse, sophisticated criminals, organized crime and nation states have entered the hacking game.
- IDC has predicted that “within two years, 90 percent of all IT networks will have an IoT-based security breach.”
- The cost of a data breach is getting more expensive. Ponemon Institute recently released its annual Cost of Data Breach Study: Global Analysis, sponsored by IBM. According to the benchmark study of 350 companies spanning 11 countries, the average consolidated total cost of a data breach is $3.8 million – a 23 percent increase since 2013.
So this may be the biggest IT challenge of the next decade. Academics agree: according to a recent IBM Center for Applied Insights study, IoT security is one of the top priorities as they educate the next generation of security leaders.
If the IoT is to realize its full potential, security professionals must secure both IoT systems and the data collected from them. Security must be designed into devices, networks, and every layer of the system. Traditional network firewalls and security applications can police traffic once it reaches the corporate network or the Internet, but the real challenge is embedding security capabilities into the endpoint devices themselves. That is especially hard when those devices typically have limited power, memory and processing resources for effective threat management, and often no straightforward way to receive updates.
The truth is security professionals and IoT device/system vendors have much work to do. However, the good news is that security professionals have been in the business of securing IT systems for many years, and I feel confident that they can apply all they have learned to IoT security, despite the unique constraints of the embedded devices.
Here is some basic guidance for those developing IoT strategies and systems:
- Design security into IoT devices and systems from the ground up. Don’t treat security as something you add after a device is installed or a system is deployed. Build it into the operating system, and use the hardware-level security capabilities the platform offers, such as secure boot and hardware-protected key storage (a secure element or TPM where the device can afford one). Put threat management capabilities as close to the endpoint as possible.
- Plan on collecting and retaining the minimal amount of data needed. Encrypt all potentially sensitive data before it leaves the device, and authenticate it as well: encryption alone will not stop a tampered or replayed reading from being accepted, and a per-device key keeps one compromised device from exposing the whole fleet.
- Partner with vendors that place appropriate emphasis on every element of security, including threat intelligence analytics, identity and access management controls, and monitoring and patching of products after release.
- Conduct a complete security audit of the IoT system at design time. Include privacy, risk and fraud assessments.
- Test the security before launch by inviting security professionals to attempt to break into the system.
- Train staff on all risk elements associated with the IoT infrastructure and the data collected – from devices, to applications, to networks.
- After launch, conduct another complete security audit of the entire system and continue to perform audits on a regular basis.
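To make the "minimal data, encrypted before it leaves the device" advice concrete, here is an added example in Go; it is not code from the original post or from IBM. It shows a device sealing a six-byte sensor reading with AES-GCM (authenticated encryption, so the backend detects tampering as well as hiding the value), a header that carries only the device id and a monotonic counter, and a receiver that rejects replays. The 16-byte key, device id 7 and the timestamps are constructed demo values; a real device would have a unique key provisioned at manufacture and kept in hardware-protected storage, and the counter would be persisted across reboots.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Reading is the minimal record the backend needs: which device reported,
// when, and the measured value. Nothing else rides along "just in case".
type Reading struct {
	DeviceID uint32
	Unix     uint32 // seconds since the epoch
	Value    int16  // e.g. temperature in tenths of a degree
}

const (
	nonceSize = 12 // AES-GCM standard nonce: device id (4) || counter (8)
	bodySize  = 6  // Unix (4) || Value (2); the device id travels in the header
)

// Sender is the device side: a per-device key and a monotonic counter.
// Assumption: the counter survives reboots (kept in non-volatile memory),
// because reusing a (key, nonce) pair with GCM destroys its security.
type Sender struct {
	aead    cipher.AEAD
	device  uint32
	counter uint64
}

// Receiver is the backend side: the same key plus the highest counter seen
// per device, which is what lets it reject replayed messages.
type Receiver struct {
	aead cipher.AEAD
	last map[uint32]uint64
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewSender(key []byte, device uint32, lastCounter uint64) (*Sender, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Sender{aead: aead, device: device, counter: lastCounter}, nil
}

func NewReceiver(key []byte) (*Receiver, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: aead, last: make(map[uint32]uint64)}, nil
}

// header builds the 12-byte nonce; it is also sent in the clear so the
// receiver can reconstruct it without any extra state.
func header(device uint32, counter uint64) []byte {
	h := make([]byte, nonceSize)
	binary.BigEndian.PutUint32(h[0:4], device)
	binary.BigEndian.PutUint64(h[4:12], counter)
	return h
}

// Seal produces header || AES-GCM(body) || tag. The header is passed as
// additional authenticated data, so device id and counter are integrity
// protected even though they are not encrypted.
func (s *Sender) Seal(r Reading) []byte {
	s.counter++
	hdr := header(s.device, s.counter)
	body := make([]byte, bodySize)
	binary.BigEndian.PutUint32(body[0:4], r.Unix)
	binary.BigEndian.PutUint16(body[4:6], uint16(r.Value))
	out := make([]byte, 0, nonceSize+bodySize+s.aead.Overhead())
	out = append(out, hdr...)
	return s.aead.Seal(out, hdr, body, hdr)
}

// Open verifies and decrypts one message. Order matters: the cheap replay
// check runs first, but the stored counter only advances after the tag
// verifies, so a forged header cannot lock out a device's genuine traffic.
func (rx *Receiver) Open(msg []byte) (Reading, error) {
	if len(msg) != nonceSize+bodySize+rx.aead.Overhead() {
		return Reading{}, errors.New("unexpected message length")
	}
	hdr := msg[:nonceSize]
	device := binary.BigEndian.Uint32(hdr[0:4])
	counter := binary.BigEndian.Uint64(hdr[4:12])
	if counter <= rx.last[device] {
		return Reading{}, errors.New("replayed or stale counter")
	}
	body, err := rx.aead.Open(nil, hdr, msg[nonceSize:], hdr)
	if err != nil {
		return Reading{}, errors.New("authentication failed: tampered or wrong key")
	}
	rx.last[device] = counter
	return Reading{
		DeviceID: device,
		Unix:     binary.BigEndian.Uint32(body[0:4]),
		Value:    int16(binary.BigEndian.Uint16(body[4:6])),
	}, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, never do this in a product
	tx, _ := NewSender(key, 7, 0)
	rx, _ := NewReceiver(key)
	msg := tx.Seal(Reading{Unix: 1435795200, Value: 215})
	fmt.Println(rx.Open(msg))      // {7 1435795200 215} <nil>
	fmt.Println(rx.Open(msg))      // same bytes again: replay rejected
	msg2 := tx.Seal(Reading{Unix: 1435795260, Value: -40})
	tampered := append([]byte(nil), msg2...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	fmt.Println(rx.Open(tampered)) // authentication failed
	fmt.Println(rx.Open(msg2))     // the genuine message is still accepted
}
```

The whole message is 34 bytes (12-byte header, 6-byte body, 16-byte tag), which is the kind of payload a battery-powered sensor can afford to send, and the receiver needs only one counter per device to detect replays. Swapping in a wrong key, truncating the message, or altering any header byte all fail at the same `Open` check.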
For security professionals, there are already a number of resources for raising industry awareness and increasing personal knowledge of IoT design best practices. I’ve selected a few here for you:
- On January 27, 2015, the U.S. Federal Trade Commission released a guidance document entitled “Careful Connections: Building Security in the Internet of Things.”
- Stanford University launched the “Secure Internet of Things Project” along with UC Berkeley and the University of Michigan.
- IBM offers a number of resources, including “Device Democracy: Saving the future of the Internet of Things” and “IBM Security: A New Way.”
While the future looks bright for the benefits the IoT will have on all our lives, we must all focus on designing security into these new systems from the ground up. It is a very important issue, and I believe we are ready for the challenge.
Re-published on the Thoughts on Cloud blog on July 2, 2015