The Internet of Things (IoT) is a field of information and communications technology (ICT) that has been increasing exponentially for the past few years, with the number of connected devices now exceeding the world’s human population.
But many IoT device users may not be aware of the inherent security risks of their internet-connected devices, according to a January 2018 study by the Cybersecurity Research Institute. According to the report, hackers have already proven themselves adept at discovering flaws in these devices and turning them into botnets (botnets are a collection of connected devices infected with malware and controlled without the owners' knowledge).
In this article, we review some of the vulnerabilities inherent in connected devices and steps you can take to secure your network and protect against hackers.
What is IoT?
IoT can be defined as the inter-networking of physical devices, buildings, and other objects with electronics, software, sensors, and actuators. The resulting connectivity of these objects enables them to collect, exchange and send data, and to act upon this collected data. These objects can be stand-alone devices specifically designed for IoT, such as smart sensors (e.g. temperature, light, humidity, motion, CO2, or wind sensors), smart imaging and audio devices (e.g. video camera, microphone, still image camera), smart actuators (devices that move things such as an electric motor or a hydraulic piston), or can be equipment and appliances that have been around for years but have been made “smart” by the addition of electronics, software and network connectivity. Such devices could include a car, a washing machine, a traffic light, or a home alarm system.
The connectivity of these devices allows them to be controlled remotely, either individually or en masse, by a human being, or, more commonly, by a centralized control system or even directly by other connected devices. Additionally, these smart devices can send information such as temperature, status, video, sound, text, images, statistics, or just about any kind of quantifiable and digitizable data to a data repository for later processing and analysis, or to a dashboard to be viewed in real time.
Some common examples of IoT in action include:
- Smart buildings - Environmental, security, and operational systems work together to provide a more efficient operation of the building. Heating, cooling, and lighting function only where humans are present, window shades are mechanically opened or closed based on the location of the sun, and security systems automatically respond to threats by locking doors, engaging sirens and summoning the authorities.
- Manufacturing – Factory floors are a prime application of IoT. Sensors are placed along the production line and collect quantitative and qualitative information to determine process efficiency. Actuators are programmed to respond to this collected information and adjust the production processes as needed.
- Smart cities – IoT can be employed to provide city-wide system monitoring and real-time adjustment to these systems for optimal operation. Applications can include the monitoring and manipulation of the power grid and public lighting, the municipal water supply, vehicular traffic, pedestrian traffic, and public transport systems, among other things.
IoT and Security
The benefits that can be enjoyed by the correct and appropriate application of IoT systems are for the most part indisputable. Nevertheless, as with most applications of ICT, the issue of network security must be addressed.
There are several characteristics of IoT that make it inherently susceptible to the attack of malicious hackers. These include:
- Multiplication of entry points – By increasing the number of connected devices, the number of potential entry points into a supposedly secure system are also being increased. If we use an analogy of the physical security of a building, the more doors it has, the more susceptible the building is to unauthorized entry. IoT devices are essentially doorways into a system that, if not properly secured, can potentially be used to compromise the system. An example of this is a case where malicious hackers stole a casino’s database through an internet-connected thermometer in a fish aquarium.
- Use of wireless as a connectivity technology – The vast majority of IoT devices utilize some sort of wireless technology to connect to the network. This simplifies implementation and reduces costs, especially because IoT devices in a single network can be quite numerous. Traditional wireless technologies such as Wi-Fi and Bluetooth are often used, though wireless standards specifically designed for IoT such as Zigbee and LoRa are becoming more widespread. The problem is that wireless networks are intrinsically more susceptible to attack. All transmissions of a wireless network can be intercepted by anyone that is close enough to a transmitter.
- Implications of security breaches – Malicious hackers choose their targets based on what can be gained from the attack. IoT systems that manage and manipulate widespread networks, such as a city’s power grid or all of the manufacturing machines on a factory floor, can be attractive objectives. The greater impact an attack has on the intended target, the greater the allure of launching such an attack.
Security Standards for IoT
Although it is true that IoT presents some security risks due to its nature, its greatest vulnerability lies in a completely different domain. This vulnerability is due to two basic deficiencies.
The first has to do with the lack of mature and comprehensive security standards and best practices for IoT, like those already developed for more established networking technologies such as VoIP, VPNs, or web and mobile applications. It is natural for a new technology to go through the maturing process of developing such standards. The rapid pace of implementation of IoT, however, is outstripping the rate of maturation of these standards and best practices, often leaving vulnerabilities of IoT unchecked.
The second involves the readiness of companies and even their willingness to employ the appropriate security precautions to sufficiently secure their systems. According to an AT&T Cybersecurity Insights report, 85% of enterprises surveyed are in the process of, or intend to deploy, IoT devices, but only 10% of them feel confident that they could secure those devices against malicious hackers.
Even though security precautions and best practices have not yet matured enough to promulgate a well-established security standard for IoT, networking principles in general do provide adequate guidelines for appropriately configuring and deploying secure IoT networks. Companies planning to invest in IoT must invest in the security of the IoT devices themselves, of the network serving them, and of the IoT applications that run on the devices, as well as of their centralized management systems.
IoT Security Best Practices
When applying security to any network, whether it includes IoT devices or not, the fundamental principles and best practices of network security should always apply.
Secure the wireless network – As mentioned before, IoT infrastructure most often leverages wireless network technologies. Unfortunately, data networks are often compromised by poorly configured security parameters. Although difficult to secure correctly, there are best practices that adequately secure Wi-Fi for any purpose, including IoT. By using the strong encryption provided by WPA2, adequately complex passwords, appropriately segregated subnets, and MAC address filtering for IoT devices, a strong level of security can be achieved.
Employ appropriate firewall security policies – For threats that originate from the internet, an appropriate firewall with adequately configured security policies should be employed. This will protect the internal network from the multitude of threats that exist on the internet. If configured carefully, most, if not all, external threats should be nullified.
Unified threat management appliance – For threats that originate both outside and inside your network, a UTM appliance offers a more complete and integrated solution for network security. These types of solutions are more often employed by larger corporations on their enterprise networks. Such an appliance combines multiple security features, including firewall functionality, intrusion detection and intrusion prevention, all of which protect against malicious users both inside and outside the network. This is ideal for a network employing IoT technology, since the UTM appliance can be programmed to respond automatically to preconfigured threat thresholds.
Ensure the reliability of the IoT devices themselves – IoT device manufacturers, like those of all types of technology, develop a reputation that is based on the past experiences of users and developers. Beyond consulting with your TeleDynamics rep, online forums are a good place to obtain objective and reliable information about the level of security offered by specific IoT devices directly from people who have had first-hand experience with them.
Secure the data – Having secured the network infrastructure and making sure the IoT devices themselves are protected and reliable, the next important item of security is the data that are captured. One of the main functions of IoT devices is gathering data. Environmental input, images, mobile phone signals, and citizen and user behavior statistics are just some of the categories of data that are typically collected using IoT. These massive amounts of data, especially those accumulated over large periods of time, are valuable and irreplaceable. Data sets may also include personal and private information that should not be proliferated in any way.
For this reason, they must be secured not only from malicious hackers, but also from human error, physical security threats, and even natural disasters. Security polices protecting such data should include off-site backups, user training, appropriate audit trails and other forensic security capabilities.
IoT is quickly outstripping all other forms of data accumulation and will account for the majority of internet traffic worldwide in the coming years. This makes it imperative to employ the appropriate levels of security to protect IoT devices, the network infrastructures they are connected to, and the data they accumulate.
You may also like: