The Internet of Things (IOT) is here to rule our lives, take charge of mundane tasks, and be pervasive, intrusive and everywhere.
The smart city, the electrical grid, manufacturing, entertainment, sports, health care, leisure, parking, our transportation and railway grids, and every aspect of the way we live, breathe, travel and exist will be managed by the promise of utopia driven through IOT technology.
But is IOT secure? Pilotless drones, cars and rockets, all managed remotely from a small mobile phone or a voice command device, pose their own threats if not secured.
Here is an outline for securing the Internet of Things; securing IOT could well be the next big industry after IOT itself. Unfortunately, IOT did not begin with a secure architecture, and it has exploded into various modes and forms of deployment, exposing it to cyber threats and attacks. Today most IOT implementations need security built in as an afterthought, which may be a daunting task. The first step in securing IOT is to understand the devices and networks used in an IOT implementation.
The diagram below illustrates the key components which need to work together to make IOT a reality.
The Devices in the Internet of Things
IOT applications are used in retail sales, sports, healthcare, travel, navigation, weather forecasting, agriculture, industry, entertainment, manufacturing, utilities, municipalities, dairy and law enforcement, and new IOT applications keep emerging. Each IOT deployment has a different risk profile and needs security customized to its risks, vulnerability and value.
Security Challenges of IOT
IOT is not an out-of-the-box solution that can be deployed plug and play. An IOT implementation has technical and procedural challenges that have to be surmounted before deployment, so security takes a back seat at the time of implementation.
IOT needs expertise from business and technology teams and is a medley of networks, networking devices, power supplies (especially batteries), security, access and data processing.
The generation of large volumes of raw data poses its own challenges for storage and analytics, and there is the further challenge of transforming the organization into a secure, data-driven organization.
Ownership of Big Data and privacy of data are focus areas, and the ability to get the analytics right also poses a risk. Basic data analytical skills will not suffice; IOT needs people who know analytics and understand what this new data can do for their business.
Securing the IOT Ecosystem
Sensors – The sensors are the devices that capture information from a desired device and are either active or passive. The sensor has to be secured since it is an endpoint device and can be vulnerable; its network connectivity through LAN/WLAN makes it vulnerable. Sensors must have security built into them based on the nature of the activity they are designed to perform, and risk profiling of a sensor's functionality will be a must before deployment. Hardening of sensors will be difficult, and it may be easier to replace existing sensors with sensors that have security built into them.
Devices – The sensors connect to a device from which they communicate data. They can interface using a multitude of standards, but all of them may need to be secured.
The device in the IOT could be vulnerable, especially if it was not made with security built in. Every device will need a unique approach to securing and hardening it against threats.
The more valuable the device, the more security will be required to protect it; e.g. a drone will need more security built in than a lawn mower in an IOT implementation.
Networks – Networks in any form and flavor will continue to be a threat if not secured. All the network security hardening that we use for LAN, WAN, WLAN, PAN and other flavors of networks will also be needed to harden the IOT network. The trusted methods of network security (Defense in Depth, Compartmentalization, Principle of Least Privilege, Weakest Link in the Chain, Accountability and Traceability) need to be applied in securing IOT networks.
Network Devices – Network gateways, switches, routers and any other devices used in the IOT network will need to be secured from attacks from outside and within the network.
Cloud – The cloud is used for storage and analytics of the data collected in the IOT ecosystem. Algorithms also run on the cloud and communicate the actions that need to be taken by devices in the IOT network. Securing the cloud based on the CSA and NIST recommendations will need to be implemented in IOT systems. Data privacy is another important area, where the legal pundits will be required to advise based on the legal compliance needed in the country/state/region of the IOT implementation.
Unknown Threats – We still do not fully understand the vulnerability of IOT systems to unknown threats. IOT is still at a nascent stage of adoption and poses great security risks if it is used in mission-critical implementations, e.g. health care.
Consumption Devices – The data which is stored in the cloud and analysed is available for consumption by devices connected to the cloud. These could be mobile phones, tablets, desktops and any other device which can connect to and access data on the cloud. This endpoint security is of utmost importance, and any compromise of data confidentiality, integrity and availability will not be acceptable. The recommended standards for securing data in the cloud must be adhered to for data at rest and in motion.
IOT Security Standards
Most IOT implementations are bespoke, and no security standards have been made for IOT, leaving this disruptive technology vulnerable to cyber attacks and disruption.
Many companies promise standards, but these are most often proprietary security solutions, customized for the IOT solutions offered by their companies.
IOT systems security needs a fresh approach. It is still early days, and a new organization similar to the Cloud Security Alliance will be required to address IOT security in 2015.
Until IOT security standards are in place, IOT pioneers must use the services of cyber security experts who can provide holistic solutions for the devices, networks, data and cloud which are components of the IOT implementation.
There are a number of IOT security solution kits available in the market, and one can also explore whether they can be used in a given IOT ecosystem to build in security.
The security risks will not stop the adoption of IOT; rather, 2015 will be the year of IOT. But it will be a good idea to understand and mitigate the risks in your IOT implementation. We must remember that there is no purpose in closing the stable door after the horse has bolted.
Mr. L. S. Subramanian is a thought leader in Digital Transformation and is the Founder & CEO of NISE, an advisory firm whose clients include e-commerce companies, startups, banks, microfinance companies, retail, manufacturing and exchanges.