Overlooking security could break the Internet of Things
Everyone is talking about the Internet of Things. Connected devices are gaining momentum in homes, businesses and public service infrastructure. These devices are not only creating new possibilities for how we work and communicate but fundamentally transforming every aspect of life, from automated drug administration devices to traffic lights and air sensors in buildings.
Yet in a bid to manage the sheer scale of IoT devices, organisations are failing to consider not just the security implications, but also the human risk.
The new threat landscape is both broad and deep. Borderless enterprises create larger attack surfaces that place critical operational data at risk; while compelling new consumer services, such as remotely managed heating, open the hacker’s door to personal data. Even more disturbing, the misuse of public service devices, from traffic management systems to drug administration, could have fatal consequences.
Paul German, VP EMEA, Certes Networks, insists that overlooking security could fundamentally undermine the entire IoT evolution: if the problem gets too big, retrofitting security might just not be possible.
The Internet of Things (IoT) is opening up enormous potential for new business models. As organisations look to IP enable every device in use across businesses and homes, the Centre for Economics and Business Research (Cebr) predicts the total economic benefit of IoT will reach £81 billion between 2015 and 2020 – equivalent to an average of £14 billion per year, or 0.7% of annual GDP. Indeed, adoption is set to rise from 30% in 2015 to 43% by 2020 as businesses benefit from efficiency, innovation and creation gains.
However, in the excitement of the new IoT enabled opportunities, organisations risk fatally undermining these new business benefits by overlooking the security implications. Bizarrely, given the growing awareness of the continually expanding, Internet-driven threat landscape, when it comes to IoT deployments the emphasis is on managing scale, rather than mitigating risk. And it’s not just financial and security risks that need to be considered; it’s human risk.
Just consider the new risks created by adding an IP address to air conditioning, video cameras or patient identification systems. To traditional concerns of corporate espionage, denial of service attacks and ransom ware, IoT introduces new risks including health & safety. A hacker can compromise a patient drug administration system to change dosage or remotely access an IP enabled kettle to make it repeatedly boil until it bursts into flames. When the implications of IoT breaches extend beyond financial risk, infrastructure downtime and data integrity to risk of death, organisations need to take IoT security seriously.
IoT represents an essential change in the way technology is used. It represents the merging of information technology and operational technology and, as such, previously segregated systems and operations monitoring and control data are now using shared resources and networks. Securing IoT, therefore, is far from an insignificant challenge. The scale alone means traditional network based controls are simply unmanageable, leading organisations to segment networks into multiple, distinct islands of control. However, segmentation fragmentation creates inconsistencies at the boundaries between two logical areas of control that result in a failure of security policy and can be easily exploited by hackers.
This fragmentation has made it painfully clear over the last few years that attempts to use private networks to keep hackers at bay are flawed. Adding layers of firewalls and network access controls in an attempt to keep private networks separate from the public network is no more than a sticking plaster. Once an organisation is managing thousands, even tens of thousands of IP enabled devices, the inadequacy of this model becomes even more stark.
New thinking is clearly required. There is no option to go back and retrospectively secure the Internet; organisations need to recognise that any Internet connection cannot be trusted.
Extending the Identity Model
So what can be secured? Essentially, organisations need to stop thinking about securing the perimeter and concentrate on managing the applications that are being deployed or used by the IoT devices and the actual users of those devices.
Building on the existing policies for user access and identity management, organisations can use cryptographic segmentation to control the way in which IoT devices are managed. Each device is allocated an identity which determines the extent to which that device has network access, including application and data access. The key aspect of this model is that each cryptographic domain has its own encryption key, making it impossible for a hacker to move from one compromised domain or segment into another. It is simply not possible to escalate user privileges to access sensitive or critical data or to exploit vulnerability in one device to gain control over another, more critical system.
Taking this approach, an organisation can narrow the scope of a breach to a small, contained area rather than system wide and, critically, do so in a way that removes the need to build new security policies into the network infrastructure. For example, if a hacker managed to access one individual traffic light he would be restricted from the management system that controls the city-wide traffic infrastructure – or any other part of the network.
Risk managers need to start considering the implications of IoT. Organisations are eagerly embracing innovative technologies in order to improve efficiency and develop compelling new business models. Few, however, appear to have considered the rising risk – from all angles. Just picture the reputational damage that will result from a consumer’s remotely managed heating system being hacked to gain access to financial data or personal photographs; or the public outcry should a rogue IP enabled device result in injury or death. Undermine confidence in IoT devices and organisations will see products returned, service contracts cancelled and new business ventures postponed at a rate that could be terminal.
No one wants – or can afford – an IoT backlash. But the security induced business liability associated with IoT is as significant as the commercial opportunity. If the economic predictions are to be realised organisations need to adopt a far more robust approach to security and one that accurately reflects the challenges. From scale to threats, IoT demands new thinking. Organisations cannot persist with the current approach to security – it simply will not work. Retrofitting security to IoT is not a viable option.