• Hacking and spoofing lead to an estimated loss of whopping 300 billion dollars annually. And this is not all! Other than the financial loss, companies often lose confidential information and thus their image is dented or their quality of services is compromised. From hacking financial transactions to stealing classified info and creating a virtual profile, hackers manage to do it all despite cybersecurity measures and the abundance of anti-phishing and anti-virus, malware software.
• Last year cybercriminals gained access to the servers of Equifax, which is one of the world’s largest credit bureaus, and stole personal data of 145 million people. This hack is among the most lethal security breaches of all time because of the sheer volume of information that was compromised, stolen and exposed. Equifax took two months to recover from the hack.
The above scenario and the looming risk of cyber hacking and assorted malicious acts look ominous, right?
Now imagine what would happen if this risk increases exponentially with the existing or modified security frameworks that cannot keep pace with the massive interconnected networks when almost everything would be connected to the internet.
Sounds like an unmitigated disaster or a modern version of Orwellian dystopia? But this is not an unfounded fear.
Visualize for a second what could be the consequence of security breach when all of our devices, smart homes, public transport systems, heavy machinery, and autonomous cars would be connected to the internet? This would lead to something fatal and not only financial loss or identity theft.
The security risks associated with the Internet of Things ( IoT) are quite alarming and we cannot imagine the havoc that would be unleashed if millions of devices stop functioning or worse are programmed for devastation. For Instance, high voltage in IoT connected electricity networks or sensors in smart homes.
Nonetheless, breakthroughs in the Internet of Things ( IoT) would have a seminal influence on multiple sectors and would lead to the dawn of an unprecedented era of automation when billions of devices would be connected to the internet and would be able to share information. This would undoubtedly provide a boost to technological innovations and foster path-breaking developments. It is estimated that by 2020 over 24 billion devices connected to the internet would be installed.
The number of IoT devices used in households is predicted to increase from 9 devices per household currently to 500 by 2022, as per the research house Gartner.
While the prospects sound promising and ambitious, there is also a lurking threat that is ringing alarm bells and prodding a lot of people to view IoT with cynicism. And we cannot afford to overlook this huge risk.
Mounting concerns about data privacy and security breach have also lead to questions being raised about the security preparedness for IoT, considering the scenario that billions of people would be vulnerable.
Professor Chris Hankin, Imperial College London, believes that “the major security risk associated with the IoT comes from interactions with physical processes. With manufacturers making devices to different standards, problems could include a lack of device interoperability, devices interacting unintentionally and even representing a risk to user safety, devices constructed from cheap or inferior hardware posing a cybersecurity risk by containing malware, etc.”
Spoofing is a major risk as smart electricity meters that are used in Spain were hacked so that they would under-report energy consumption. A massive denial-of-service (DDOS) attack on Dyn’s servers took down many companies including PayPal, Twitter and Spotify. These incidents demonstrate that a lot needs to be done for protecting IoT devices.
A report by Vodafone stated that “18% of businesses said that concern about security breaches is a potential barrier to wider adoption of IoT in their organization. 30% said they were changing or restricting the scope of IoT projects to limit security risks. And more than half of businesses to said they’re more concerned about IoT security risks than they were in the past.”
Assessing data collection mechanism of IoT devices is an important process in determining the safety of data storage and is among the main security concerns.
Challenges and obstructions
Software security is also at the core of IoT. With IoT, companies would not only have to update their servers and systems, but also everything that is connected. Be it a security camera or a home device. Security patches would also have to be updated on a regular basis. In standalone devices, this is often condoned. But in IoT devices, it could lead to the possibility of a severe cyberattack.
Lack of interoperability is also a barrier in security. Intrusive surveillance is another a security risk associated with IoT. Organizations would have to be extra cautious to ensure that importation of new data in the system is not possible and the encryption is safe.
64% of those using IoT devices have encountered issues with it, as per data by software intelligence company DynaTrace. This doesn’t present a good picture and highlights the need to enhance security and performance related issues in IoT devices.
This highlights the need for organizations to conceive meticulous IoT strategies keeping in mind security and performance.
Cisco Systems recognizes the risks but is also sure that we would be able to increase security. It said in a report that there is a need for IoT security requires programming cybersecurity and physical security solutions to work in tandem. This would make correlating information easier from multiple security systems and offer a more detailed view.
There is also a need for a direct interaction between the security systems to save response time. The security system should be smartly designed to follow different approaches in different cases.
Strengthening system security
Lack of a broad consensus on the implementation of security in IoT is one of the major challenges before the industry. Divergent thoughts would enrich the debate on IoT security but a consensus around key areas is urgently needed.
According to the International Journal of Advanced Computer Science and Applications, IoT security requires a multi-faceted strategy and a durable system.
For increased security, an IoT system should be able to auto-recover in case it accidentally crashes while transmitting data. Furthermore, the system should have the capability to protect itself from malicious programs that could be externally inserted. IoT devices also require an authentication framework that would permit data transfer exclusively between authenticated devices.
Authentication of devices should go hand-in-hand with authorization to strengthen IoT security. Access controls cannot be arbitrarily assigned and personal data access should be limited so that no random authenticated user can avail the information.
IoT would generate copious data that would have to be processed and stored. This would also mean a spurt in high-speed internet connectivity. So in adverse cases, if a hacker gains access to the system, he can do irreparable damage. For this, companies need to devise an alternative security contingency plan.
What further exacerbates the risk in IoT security is that hackers use IoT devices not as ultimate ends but as launch pads for future attacks, while device owners remain oblivious that the security of their devices has been breached. Unprotected IoT devices in a network can be converted into bots by attackers, and then used to attack third-party systems and fetch data from communication channels. Case in point: 2016 Mirai attack used IoT devices for attacking internet infrastructure, leading to shutdowns across Europe and North America and causing a loss of more than 100 million US dollars.
Most IoT devices function outside organizational firewalls but connect directly to companies’ internal networks and applications, which substantially increase the vulnerability by extending the attack surface, points out a report by IT firm cognizant.
Cognizant recommends performing threat modeling at each security layer, including devices and connected cloud; gathering insights and then performing a test to gauge the vulnerability to attack. Attack routes, which could be physical access points, communication channels or other interfaces, should be detailed properly.
IoT companies should also focus on the resilience of assets and making communication protocols more robust. Also, a strategy is needed regarding what could be done with a compromised device.
Need of cutting-edge IoT infrastructure
The latest McKinsey report reaffirms what we have been saying all along about the feebleness of the existing infrastructure and that it is not sophisticated enough and lacks many things. The report further underscores the confusion in providing end-to-end security solutions for IoT as it is yet not clear whether component suppliers and OEMs are positioned for this task, as the IoT network would feature a diverse set of devices.
IoT also doesn’t have well-formulated security standards that could describe the technology interaction. Different organizations use their own solutions and many segments still rely only on large players. Lack of a uniform standardization is a big impediment in IoT security and even stalls innovation as companies are unsure about regulatory guidelines.
IoT sensor companies also face another difficulty. As per the McKinsey report, increasing security features might not be profitable for sensor manufacturers because of the widespread perception that providing security is mainly the job of software providers, who are supposed to have expertise in the field.
The way around could be semiconductor firms developing a toolkit of security offerings that permits product customization, based on the degree of security that is required. They should also come up with unique solutions.
Mitigating risk smartly
To mitigate the security threat and the make the devices less vulnerable, security testing is a must. IoT device testers should pay heed to the device’s password policy, ensuring that minimum password requirements are by default inbuilt and that they are unfailingly enforced. A recommended practice for devices could be mandatory password change upon first access, and this should be taken into consideration when developing automated tests.
A report by Deloitte emphasizes on the fact that by focusing on some of the defining features of IoT deployments, we can begin to see how the reinforcing principles of security, vigilance, and resilience can assist companies in protecting the underlying value created by them.
The report also states that IoT sensors are most susceptible to counterfeiting (fake products embedded with malware or malicious code); data exfiltration (extracting sensitive data from a device via hacking); identity spoofing (an unauthorized source gaining access to a device using the correct credentials); and malicious modification of components (replacement of components with parts modified to generate incorrect results or allow unauthorized access).
Strong data regulations and a coherent policy around IoT are also needed to provide legal redressal in case of privacy breach along with concerted efforts by all.