Jonathan Newell looks into the challenges of securing the Internet of Things – which could be supporting up to 50 billion devices by the end of the decade.
Opinions vary on just how big the so-called Internet of Things (IoT) will become, as its rate of growth continues to accelerate over the next few years. Conservative estimates based on a study by IT company Verizon for consumer devices brings the total to around five billion devices by 2020 but when the far larger Industrial IoT is taken into account, the figure could be 10 times that estimate.
During the progress that has been made so far, focus has been on technology, bandwidth, communications protocols and big data handling, with security typically being looked at only as a secondary factor. It’s one of those elements that’s often washed over as something that the existing office system security vendors will take care of, or as something that isn’t really a problem.
It would seem that some security vendors are saying that connected devices are just endpoints like any others, therefore require no special consideration. Some end users are perpetuating the “air gap” myth. So there is indeed a substantial problem to be overcome.
The extent of the IoT
The internet that we have all become so familiar with is about the connectivity of computers, laptops, tablets and smart phones across a nebulous network. Everyone knows about the benefits, the drawbacks and the security concerns posed by spam, phishing attacks, malicious software and other threats that can propagate across the same network.
The Internet of Things merely extends that same kind of connectivity to other devices that could be active (an embedded processor) or passive (a camera or sensor). If these devices can connect to the internet using wireless or cellular communications and can obtain an Internet Protocol (IP) address, then they become part of the IoT.
The extent of the IoT therefore becomes almost limitless and creates staggering opportunities in both industrial and commercial environments for device monitoring, feedback, remote or autonomous control, healthcare and thousands of other applications.
But it also presents similar opportunities for cyber-criminals, extortionists, terrorists, hackers, industrial spies and saboteurs.
Mixing business with pleasure
As the Internet of Things takes hold, one of the issues facing corporate IT administrators is the explosion of connected devices on their networks. Increased support requirements, security exposures and bandwidth limitations are cited as the top three concerns that IT professionals have with the advent of the IoT.
Whilst bandwidth may not be an issue with industrial systems (due to a greater drive towards processing at the device level which reduces the amount of network traffic), the same cannot be said for commercial devices that employees are increasingly bringing to work with them. Such devices are often used for personal purposes rather than in connection with the business. They include wearable devices, such as the Apple iwatch, Fitbit activity monitoring devices and Google glass.
Network security specialist company Ipswitch recently studied wearable technology in the workplace, concluding that, despite almost half of the companies they surveyed having employees with wearables which are connected to the network, only a fifth have policies in place for managing the impact of such technology on their networks.
Commenting on the increasing use of wearable technology in the workplace, Ipswitch’ Alessandro Porro said that, although this might be desirable for the employee, it creates greater support workload as well as more exposure to security breaches.
“IT professionals can be better prepared to deal with Apple Watches and Fitbits if they have the proper tools to provide total visibility into network traffic and bandwidth utilisation. A clear picture of what is happening helps to ensure that wearable technology isn’t going to affect network or application performance,” he said.
Different security tools for the IIoT
The Industrial Internet of Things (IIoT) has its own set of requirements that goes beyond the existing commercial security software, which makes certain assumptions and relies on a number of pre-requisites such as standard operating systems and an ability to perform software updates.
These assumptions start to fall apart with bespoke software written on industry-specific platforms or for highly-regulated industries like healthcare, where software updates have to be performed under strict testing and certification criteria.
Similarly, condition monitoring systems involving arrays of hundreds of connected sensors, controllers and measuring instruments are not catered for in the existing suite of commercial off-the-shelf security software packages.
However, the principles remain the same. It is these principles and how they can be applied to industrial environments that will be addressed in the inaugural conference of the Internet of Things Security Foundation (IoTSF), scheduled to take place in early December.
Although broad in its brief, the IoTSF recognises an urgent need for focused thought on how critical infrastructure and industrial networks will be protected as levels of connectivity increase.
Commenting on the launch of the IoTSF’s conference programme, board member David Rogers states, “There’s a need to raise awareness of the issues surrounding IoT security from a system and organisational perspective. The concept is so broad that a universal answer does not exist and new applications will reveal as-yet-unknown vulnerabilities. It is crucial to the adoption of IoT that we are ready to deal with problems as they arise.”
Removing human dependency
Despite the heavy technical emphasis involved in most discussions on securing the IoT, there are human factors that need to be taken into consideration as well. Attitudes towards having a secure computing environment now need to extend beyond the desktop into everything that is connected, whether these are consumer products or test systems on a manufacturing floor.
However, being on the threshold of such an explosion of connected devices, security weak links such as human fallibility are seen by many in the industry as being unsustainable. Jim Carlsson of Swedish industrial security company Clavister told us, “As things stand, security on smart devices usually relies on users changing passwords and other settings away from defaults and ensuring the devices are not left open – in the same way that people are recommended to protect their home WiFi networks. But relying on such primitive security measures is likely to be futile in the battle against cyber-crime.”
Carlsson believes that security should be built in to every endpoint connected to the network for more robust protection. “A new generation of security will be required to protect our connected lives and manufacturers will be tasked with adopting a new generation of protection – embedded security, which actively protects devices against interception of data and data theft by hardening the devices themselves with security and encrypting data traffic,” he argues.
According to analyst IDC, the market for intelligent embedded systems, which includes processors in devices other than PCs, phones, servers and tablets will grow to over 2.2 billion units and over $1 trillion in revenue by 2019. This forecast covers the industrial sector, healthcare, smart buildings and transport.
For suppliers and users of connected industrial devices of any description, this represents a new way of thinking that must be adopted to prevent the spread of cybercrime into the IIoT.