In a recent article we discussed the growth of wirelessly interconnected devices and the transformative impact it will have for business and more broadly on our lives. In that article we broadly highlighted some of the key issues businesses will need to consider and navigate to realise the benefits which people anticipate will be achieved as the 'Internet of Things' gathers momentum.
The purpose of this article is to consider in more detail the challenge of security in a world of increased device connectivity.
Security in an IoT world
Businesses are striving to introduce wireless internet connected devices to achieve productivity gains in manufacturing, distribution, improved customer insights etc. In doing so, however, they are not adequately considering the security ramifications associated with the introduction of such devices.
The most fundamental problem with internet connected devices is that they increase the vulnerability of a system by creating more avenues for hackers to exploit. Various security weaknesses in internet connected devices have already been exposed from cars having their brakes disabled to webcams being hijacked and fingerprints being stolen from phones with fingerprint sensors. A study of 10 popular IoT devices in July 2014 in areas like TVs, home thermostats, door locks etc identified 250 vulnerabilities including insecure firmware and poorly protected access credentials.
Indeed one of the impediments to the growth of IoT devices is the current lack of interoperability. Currently device manufacturers are not developing the devices to common standards. This creates challenges in enabling IoT systems to communicate and integrate data. Unfortunately, by improving interoperability we simultaneously increase the capacity for the unscrupulous to hack those systems. As IoT devices become more standardised to enhance interoperability, hackers become more familiar with the manner in which IoT devices operate increasing their ability to break those systems.
Compounding this issue is the capacity of IoT devices' hardware to actually provide appropriate security. Often such devices are intended to be cheap and disposable. Security requires higher processing power which in turn increases the cost of the processors incorporated in IoT devices. For example, the processors currently available in wearable fitness devices are arguably incapable of providing the processing power necessary to run quality security measures. Furthermore, in a disposable world, because it is not financially viable vendors are often unwilling to update old products. This means those devices are not protected from new and evolving threats.
Issues to Understand
As most people understand, there is no guarantee that any IT infrastructure can be made completely secure. Systems are constantly subjected to attacks to identify and exploit vulnerabilities. Furthermore, because security measures introduced are often reactive they are frequently redundant at the time of their introduction as hackers identify new ways to penetrate systems.
So in an increasingly IoT connected world what are some of the questions businesses need to be asking in relation to IoT devices or systems they're using or intending to use?
- Security Measures – What are the security measures incorporated into the devices (if any)? Are their security measures current or measures that have demonstrated vulnerabilities?
- Vulnerability Testing – Are the devices subjected to penetration or vulnerability testing? Will the business or a third party contracted by the business engage in periodic vulnerability or penetration testing to pre-emptively determine if the devices or their associated systems are susceptible to security breach using evolving hacking techniques? Proactive vulnerability testing diminishes the likelihood that business will only find out about a breach after the fact.
- Monitoring – To what extent are the devices or systems monitored for unauthorised intrusion or manipulation? Indeed are the devices capable of being monitored for unauthorised intrusion or manipulation?
- Capacity to Patch – Do the devices have the ability to easily adapt to changing security threats? Can they be updated or modified remotely to augment or mend their existing security protections? Does the business have a mechanism for notifying customers of potential vulnerabilities in devices already sold?
- Data – What type of data is collected? How is data collected by the devices being transmitted and stored? For example is it encrypted? Is it being stored in Australia or overseas? Who has access to the data and in what form? What can those parties do with the data once it's accessed? How sensitive is the data? Is it the subject of regulatory obligations and what are the consequences of breaching those obligations?
- Third Party Providers – Are various third parties or one third party responsible for the provision, installation, monitoring and maintenance of the devices? How is responsibility for the IoT devices between multiple vendors being managed by the business? How are these being managed through a business's contractual arrangements?
- Worst Case Scenario Planning – To what extent does the business have a strategy to respond to breaches of security? How will it eliminate the breach, continue to operate, preserve its brand and comply with its legal obligations arising from the breach?
The purpose of this article is not to discourage the introduction of IoT devices into a business's operations or products. Nor does it suggest that it is possible to guarantee that the security of IoT can ever be guaranteed. That said, it does provide a list of some questions any business should consider in introducing IoT devices so that it can adequately evaluate the costs and benefits associated with that introduction and put in place appropriate mechanisms to minimise the impact of any security breach caused by the IoT device.