IoT: The Security Risk Iceberg

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should. Global connectivity between all devices creates significant security concerns. Recent reports of hackers being able to remotely control cars illustrate the immense risks posed by IoT. This raises questions regarding current security risk management practices and illustrates the challenges that are being created by IoT’s all-in-one connectivity.

What is IoT anyway? According to analyst firm Gartner, “IoT is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment”. Nowadays many devices have embedded operating systems and are connected to the Internet, which introduces a board range of new opportunities for consumers and businesses alike. Gartner predicts that by 2020 there will be over 26 billion connected devices, while other analysts believe the number will exceed 100 billion.

There are many applications of IoT, ranging from a house alarm system providing status alerts to a smartphone, smartwatches collecting health data and sharing it with doctors, vehicles accessing calendar data to pre-calculate the best route to take the driver to an offsite meeting, a wake up alarm triggering the coffee machine to prepare a dark roast just minutes it wakes the user, a refrigerator reminding the owner to purchase grocery items, or office equipment automatically re-ordering supplies when they run low. On a macro-level, smart city applications such as smart lighting and smart parking, would allow us to reduce waste and improve efficiency for things such as energy use. IoT provides endless opportunities and interactions, many of which we can’t even imagine yet.

The IoT market is still in its infancy, but is being driven by high expectations built around offering consumers a more convenient life style. Meanwhile, it promises to open up new markets for businesses by providing vast amounts of information on customer buying habits, which can be leveraged to drive further sales.

However, there is also a darker side to IoT, related to security and privacy. A good example is the recent case of hackers taking control of a car and crashing it into a ditch by remotely breaking into its dashboard computer from 10 miles away. That this is not an isolated incident was documented in a study by PT&C|LWG Forensic Consulting Services, which outlined that many other car makers’ were susceptible to being hacked. This is just one illustration of the tip of the iceberg when it comes to IoT’s security risks. Unlike traditional cyber-attacks, IoT incidents are not limited to extracting information; instead they can be used to cause physical harm and exploited by state-sponsored cyber-attackers to wreak havoc.

Ultimately, IoT opens up companies all over the world to more security threats. According to Robert Bigman, former CISO at the Central Intelligence Agency (CIA), IoT devices that manage personal health and safety systems will become the next ransom-ware gold mine. Like they have for the Bring-Your-Own-Device (BYOD) phenomenon, businesses need to adapt their risk management practices and broaden the scope of risk assessments to include all connected devices. If an employee’s smartwatch can be leveraged to spy on the corporate’s WiFi passwords, the watch suddenly falls into the scope of an organization’s risk assessment. In this context, one of the leading challenges for organizations will be how to store, track, analyze, and make sense of the vast amounts of data generated by including IoT in the risk assessment process. Emerging big data risk management technologies can assist here.  

To complicate matters, the development of IoT products preceded the creation of a common security framework or standard. In the case of many IoT products, security is an afterthought. The only reasonable solution to address the lack of security in IoT devices is for new standards and government regulations to be established that require the use of trusted networks and operating systems.

While it is encouraging to see several initiatives (e.g., Cloud Security Alliance, Open Interconnect Consortium) working to create frameworks to secure IoT ecosystems, an accepted standard will be needed to ensure the interoperability required to achieve this goal. Until then, IoT vendors need to incorporate security at the design phase of products to make them less of a threat when connected to networks. In addition, they need to consider early on what regulations devices will have to comply with so those requirements can be baked in and not added later when they would be less effective. Finally, device communication channels should conform to standards-friendly hub-and-spoke networking protocols, which are less vulnerable to attacks.

Time will tell if the IoT vendor community can come together to create a common security framework that helps shrink the security risk iceberg and minimize the risk of cyber-attacks.

Related: Learn About IoT Security at the ICS Cyber Security Conference