IoT Security Awareness
The world of interconnected “smart” devices is here. Manufacturers, retailers in consumer electronics, healthcare, factory supply chain warehouses, transportation facilities and many others are seizing the opportunity offered by Internet of Things (IoT) devices. IoT refers to a networked computing environment that enables devices to monitor, record and report data, and allows users to interact with devices, perform actions remotely or use a stream of useful information when performing tasks.
What offers huge opportunities for value creation has, unfortunately, also created great risks that could potentially interfere with the further production of IoT-enabled devices. The Internet of Things is susceptible to compromise as well as to cyber-attacks.
Though IoT has generated excitement for a few years now, not everyone is aware that security has been a growing issue. The majority of users, in fact, are normally security-conscious when using their personal computers, tablets, or even their smartphones, but many are less concerned when using their connected fitness trackers, smart meters, smart cars, domotics devices, etc. Unfortunately, countless physical objects that have gone online to be part of the ‘global information grid’ have allowed cyber-criminals to hijack IoT-enabled devices, says Marc Goodman, who in his book Future Crimes calls for action on better security measures against ‘connecting everything insecurely.’
The securing of all physical objects that became ‘smart’ (i.e., able to go online and communicate) has been the central focus of any new IoT products under development, and most vendors are becoming more proactive in creating devices for the Internet of Things with increased security and privacy controls.
Nowadays, it is important to focus on the security aspects of the IoT ecosystem, an architecture composed of embedded systems, sensors, and actuators that requires the right level of security to be integrated without compromising the user experience. It is especially important that users are made aware that giving their IoT products and objects the same attention they give their mobile or computing devices is paramount to stopping malicious hackers and cybercriminals in general who try to take advantage of and compromise this technology with huge potential.
IoT devices are simplifying lives for individuals and businesses. “Gartner, Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day.” We are not just talking about webcams and home security systems, but also smart refrigerators, fitness trackers, meters, baby monitors, connected office devices, smart cars and much more.
However, more connections appear to create more vulnerabilities. Cyber criminals are always looking for ways to gain from exploiting vulnerabilities, and, as Jon Howes, technology director at Beecham Research Limited (BRL), explains, “the attack surface of an IoT system may be substantially larger than traditional PCs.”
The Internet of Things is a significantly complex ecosystem configured as a cloud-based platform enabling services for IoT solutions. There are many possible targets for a malicious hacker. For example, as Saif, Peasley and Perinkolam note in a Deloitte University Press article, “sensors are susceptible to counterfeiting (fake products embedded with malware or malicious code); data exfiltration (extracting sensitive data from a device via hacking); identity spoofing (an unauthorized source gaining access to a device using the correct credentials); and malicious modification of components (replacement of components with parts modified to generate incorrect results or allow unauthorized access). Any or all of these compromises would leave the sensors vulnerable.”
These issues have particular relevance in the IoT where secure availability of data is of paramount importance. These possible governance problems raised by IoT adoption and increased security threats and attacks are areas of concern that might impair the growth of IoT.
Cyber-criminals who compromise IoT devices can not only cause physical harm to the owners of the objects (tampering with medical machinery, disabling home security systems, turning off electricity or heating systems, and, potentially, affecting car driving), but can also intrude into the networks and computing systems to which the devices are connected and gain access to PII, bank data or vital company information.
IoT Security Awareness
As the Internet of Things begins to take shape, prospers and expands, the security concerns of this new technology grow proportionally. Because of its highly interconnected nature, IoT presents a potential security risk, which in turn amplifies the impact of security vulnerabilities, and creates new attack vectors for hackers.
A 2015 report by Hewlett-Packard shows an alarmingly high average number of vulnerabilities per device, with a great percentage of IoT objects raising privacy concerns, including insufficient authentication and authorization, insecure Web interface and software and lack of transport encryption. These issues have been observed for various manufacturers across all industry sectors. This is worrisome as IoT devices are poised to become even more pervasive in our lives.
As IT and technology experts are devising ways to secure connections to items in our daily lives that are becoming smarter by the day, it is important that users themselves recognize the potential problems related to the use of these devices and begin applying the common safety measures they have learned from their interactions with personal computers and mobile devices.
Typical IT solutions, including firewalls, will not be sufficient to secure all these new network entry points. It is important to make sure these devices are secure, but many physical objects that communicate through Internet-connected IT infrastructures are not. Most smart devices and machines that communicate over the Internet do so with minimal direct human intervention, thus “leaving the human overseer with the responsibility but reduced capability,” as Steve Prentice, an analyst at Gartner, points out in a ComputerWeekly post.
Network fragmentation, monitoring and software tools will not be enough if users are not fully conscious that the devices they commonly use and the sensors they employ in their smart objects are potentially as dangerous as e-mail attachments from unknown sources and phishing messages. Also, so far, manufacturers have yet to develop common security standards to secure data at the device level. Encryption and authentication must be part of a new standard that will allow devices from multiple manufacturers to interoperate and communicate with security protections to defend IoT assets.
Ensuring the beneficial development of the IoT in society will require security awareness and training for supported users. Most security tips applicable to the use of personal computers and mobile devices can be applied to IoT objects. The “STOP. THINK. CONNECT.” national cybersecurity awareness campaign presented by U.S. President Obama in 2010 during his Presidential Proclamation of National Cyber Security Awareness Month focuses exactly on placing more responsibility in the hands (and actions) of all users who can “learn about and become more aware of risks in cyberspace, and be empowered to make choices that contribute to our overall security.”
So how can consumers mitigate the risks inherent to IoT use and make a difference in the security processes? First of all, emphasis must be placed on the capabilities of the seemingly harmless objects; watches, cars, refrigerators and blood pressure monitors are no longer stand-alone objects, but potential entry points into databases and home or business networks, no matter how sophisticated.
As the FBI website points out in a news blog, there are some practical tips that can help secure our IoT world. First of all, it is important to treat smart objects as full computing devices, and therefore, it is essential to use strong passwords and secure routers and connections. If possible, users should segregate the IoT devices and separate them from computing devices in their network, in addition to setting up firewalls and filters. Another piece of advice is to disable the Universal Plug and Play protocol (UPnP) on routers to prevent access to IoT devices. Users should also be aware of what they are connecting to their network. It’s better to purchase devices from reputable manufacturers with a track record of providing security and safety.
Just as with any computing device, it is essential to update software often and to make sure all apps associated with the IoT objects are updated as well. Users should also spend some time understanding what data their devices collect, who they share them with and how they transmit/receive them. Understanding where data are stored and if the connection is encrypted is essential in deciding what to share and if privacy settings need to be activated in the accompanying software of the devices. It also helps to understand and keep a good inventory of all devices that are somehow connected to the user’s network. If a device is not in use, it should be turned off or taken offline.
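The FBI tips above (segregate IoT devices, disable UPnP on routers) and the inventory advice in this paragraph can be checked mechanically. The following Python code is an added example, not part of the original article; the inventory, the list of online addresses and the SSDP (UPnP discovery) reply are constructed sample data, and /24 home subnets are an assumption.

```python
import ipaddress

def subnet(ip, prefix=24):
    """Network an address belongs to (assumes /24 home subnets)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def ssdp_headers(reply):
    """Parse an SSDP (UPnP discovery) reply into a lower-cased header dict."""
    headers = {}
    for line in reply.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(inventory, seen_online, ssdp_replies):
    """Return (issue, ip) findings for the tips in the text."""
    findings = []
    known = {d["ip"]: d for d in inventory}
    computer_nets = {subnet(d["ip"]) for d in inventory if d["kind"] == "computer"}
    for ip in seen_online:
        dev = known.get(ip)
        if dev is None:                           # not in the inventory at all
            findings.append(("unknown-device", ip))
            continue
        if not dev["in_use"]:                     # should be off or offline
            findings.append(("unused-but-online", ip))
        if dev["kind"] == "iot" and subnet(ip) in computer_nets:
            findings.append(("iot-not-segregated", ip))
    for ip, reply in ssdp_replies:                # a gateway answering UPnP discovery
        if "InternetGatewayDevice" in ssdp_headers(reply).get("st", ""):
            findings.append(("upnp-enabled-on-router", ip))
    return findings

# Constructed sample data (hypothetical home network).
INVENTORY = [
    {"name": "laptop", "ip": "192.168.1.10", "kind": "computer", "in_use": True},
    {"name": "baby-monitor", "ip": "192.168.1.23", "kind": "iot", "in_use": True},
    {"name": "thermostat", "ip": "192.168.20.5", "kind": "iot", "in_use": True},
    {"name": "old-webcam", "ip": "192.168.20.9", "kind": "iot", "in_use": False},
]
SEEN_ONLINE = ["192.168.1.10", "192.168.1.23", "192.168.20.5",
               "192.168.20.9", "192.168.1.77"]
SSDP_REPLIES = [("192.168.1.1", "HTTP/1.1 200 OK\r\n"
                 "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                 "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")]

if __name__ == "__main__":
    for issue, ip in audit(INVENTORY, SEEN_ONLINE, SSDP_REPLIES):
        print(f"{issue:24} {ip}")
```
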
Today, we see the growth of this IoT paradigm, which involves the network and cloud enablement of all sorts of physical devices and machines capable of sharing information, optimizing processes and streamlining analytics. One thing is sure: the Internet of Things (IoT) has transformed businesses (across several industries), the economy (in many areas of society) and how some consumers face daily tasks; they have gained entirely new services or functions from the enhanced features of their connected devices and products.
As the evolution of the Internet of Things proceeds, management issues and privacy and security enhancements become the main concerns in the ‘Smart Manufacturing of Digital Things’, which relies on cloud computing and intelligent devices with built-in sensors and processing power. For years, security experts have warned of the potential risks that come with unsecured devices connecting to the Internet and able to share the information they generate. The emergence of a cloud computing platform that is supportive of IoT, which is needed to serve users anywhere and at any time, requires the appropriate security controls to keep things in check and to avoid data breaches that could pose significant dangers to individuals and enterprises alike.
The Internet of Things holds great promise, yet the IoT industry is still evolving, and a flexible security framework is required for the devices that reside in the IoT infrastructure to protect inherently insecure endpoints from known and unknown threats to new devices, protocols, and workflows, explains Cisco.
As more things become internet-connected, systems are expected to change the Web as we know it. Combining smart devices, cloud and big data analytics will make our society, businesses and homes more efficient and productive.
Users, however, are increasingly asked to step up and help secure the IT environment in which they operate. The increased use of “automated helpers” in our daily lives comes with the responsibility to keep the network and the entire IoT ecosystem safe for everyone. Awareness and proper training become paramount to make sure that all smart device owners know how to implement the basic security countermeasures that are the first and, possibly, the most effective line of defense.
Ashford, W. (2014, September 10). Act now on IoT security, says Beecham Research. Retrieved from http://www.computerweekly.com/news/2240230348/Act-now-on-IoT-security-says-Beecham-Research
Cisco Systems, Inc. (n.d.). Securing the Internet of Things: A Proposed Framework. Retrieved from http://www.cisco.com/web/about/security/intelligence/iot_framework.html
Cooper, C. (2015, May 14). The IoT Revolution Promises New Challenges for IT. Retrieved from http://www.cio.com/article/2922897/cloud-computing/the-iot-revolution-promises-new-challenges-for-it.html
Coty, S. (2015, April 28). Security Problems with IoT and The Imminent Danger We Need to Prepare for. Retrieved from http://www.bsminfo.com/doc/security-problems-with-iot-and-the-imminent-danger-we-need-to-prepare-for-0001
EMC Digital Universe with Research & Analysis by IDC. (2014, April). The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things. Retrieved from http://www.emc.com/leadership/digital-universe/2014iview/internet-of-things.htm
Gartner, Inc. (2014, November 11). Gartner Says 4.9 Billion Connected “Things” Will Be in Use in 2015. Retrieved from http://www.gartner.com/newsroom/id/2905717
Gartner, Inc. (2015, November 10). Gartner Says 6.4 Billion Connected “Things” Will Be in Use in 2016, Up 30 Percent From 2015. Retrieved from http://www.gartner.com/newsroom/id/3165317
Goodman, M. (2015). Future Crimes: A Journey to the Dark Side of Technology – and How to Survive It. (pp. 230-38). Great Britain: Bantam Press (as imprint of Transworld Publishers)
Hewlett-Packard Enterprise. (2015). Internet of things research study. Retrieved from http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-4759ENW&cc=us&lc=en
Infosecurity Magazine. (2013, November 30). Criminals Prepare to Attack the Internet of Things. Retrieved from http://www.infosecurity-magazine.com/news/criminals-prepare-to-attack-the-internet-of-things/
Paterson, A. (2015, October 20). IOT—the Next Frontier for Security? Retrieved from http://www.infosecurity-magazine.com/opinions/iotthe-next-frontier-for-security/
Paul. (2013, November 8). IT Pros: Internet Of Things Is A Governance Disaster. Retrieved from https://securityledger.com/2013/11/it-pros-internet-of-things-is-a-governance-disaster/
Saif, I., Peasley, S., & Perinkolam, A. (2015, July 27). Safeguarding the Internet of Things: Being secure, vigilant, and resilient in the connected age. Retrieved from http://dupress.com/articles/internet-of-things-data-security-and-privacy/
Stop Think Connect. (n.d.). Presidential Proclamation. Retrieved from https://www.stopthinkconnect.org/about/presidential-proclamation
The FBI. (n.d.). Cyber Tip: Be Vigilant with Your Internet of Things (IoT) Devices National Cyber Security Awareness Month. Retrieved from https://www.fbi.gov/news/news_blog/cyber-tip-be-vigilant-with-your-internet-of-things-iot-devices