Here are some hard truths.
The Internet of Things is coming to business. You’re going to need to adopt it in some fashion if you want to survive. When you do, your network will be more susceptible to being hacked than ever.
At last week’s Internet of Things Security Summit in Boston, professionals from all over the world gathered to learn about how Internet of Things would impact business, and discuss how to secure all of these devices so that data isn’t up for grabs to the hardest working hacker.
In reality, IoT is already here. We’ve been using sensors to monitor our businesses for a while now. The difference is that one day someone decided they wanted remote access to those sensors, connected them to the web, and thus the Internet of Things began. The result, for the network, was similar to blowing a hole in the side of your house for easier access. Yes, it was more convenient, but it also made it easier for anyone to walk in and start taking stuff.
How do we protect hundreds of new gateways onto the network? How do we ensure the products we make will remain secure for years to come? How do we know that the products we’re buying are secure right now? They aren’t easy questions to answer.
Statistics on IoT Adoption
The following statistics come from Machina Research, which defines IoT as “Connection to remote sensing, monitoring and actuating devices, together with associated aggregation devices.” Based on this definition there were 6 billion IoT connections in 2015. Machina projects for 27 billion in 2025.
These statistics come from a study of 420 business decision makers, director level or higher, using companies with greater than $10 million in annual revenue. The survey was completed between July 14 and Jul 30 of 2016.
What Machina found was an overwhelming adoption plan for IoT devices:
- 38% actively using IoT technologies
- 29% planning to deploy IoT within 6-12 months
- 14% expect deployment within 1-2 years
- 7% have a longer term interest
- 7 % have no interest or expectations
Top strategic reasons for IoT adoption (percentages measured by each answer appearing in the top 3 reasons):
- To expand revenue opportunities (54%)
- To better compete with rival products/services (51%)
- To better monitor performance of products/machines/devices for better service/maintenance (50%)
- To reduce operational expenses (44%)
- To analyze product/service performance for improving future designs and/or systems (39%)
And top concerns with pursuing IoT solutions:
- Security (58%)
- Complexity of integration with existing systems and software (48%)
- Expense of implementation (46%)
- Complexity of solution implementation (44%)
- Data privacy (39%)
Is reality setting in? The truth is that most organizations are planning to implement IoT solutions, many within the next two years. Companies believe that these IoT devices will generate more revenue, streamline processes, help them compete with rivals, and make their products better using better research.
When I say IoT is coming, these stats prove it. When I say you need to adopt IoT to survive, I mean that your competitors will be adopting IoT and will have so much more information than you it will be impossible to compete. When I say your network will be susceptible… there’s a reason the number one concern for IoT is security.
It’s well known that your network is only as strong as its weakest link. In the IoT world, there will be hundreds of links, each created by a different company, and if one of these links breaks, they all fall down.
Staying Secure with IoT
It isn’t all doom and gloom. Some really smart people are working on solutions. Here are a few that were posed at IoT Security Summit:
The iNode Method
This method comes from a company called IoTium.
It starts with legacy equipment. As I mentioned earlier, there are already sensors in your factories and around your building. The goal is to connect, secure and protect these devices while attaching them to the network. In addition, you’ll have new devices that are added to the network. For the legacy items as well as new, there is the potential of poor security device to device. All it takes is for a hacker to penetrate one device to gain access to the network. Then they can do as they please.
But what if the devices aren’t connected directly to the network? IoTium offers the iNode, a piece of hardware that acts as a conduit for data. You have your devices, where the information is gathered, and you have the destination that you need to send that information to. Traditionally, each device would send information to the destination. That’s the idea, at least. A hacker would tell the device to send the information somewhere else.
With IoTium’s method, you have an iNode at one end that gathers all of the data. You have a separate iNode at the other end that receives data in order to give it to the destination. The two iNode’s are only able to send data to one another. So even if a hacker gets into a device, the hacker can’t send data anywhere but to an iNode. Even if they get into an iNode they can only send data to the corresponding iNode. In this way, a hacker can get in but can’t leave with anything.
The Fog Method, or Edge Analytics
Another proposed method comes from Daniel Paillet, Cyber Security Lead Architect for Schneider Electric. His discussion centered around the Industrial Internet of Things (IIoT), where the clear crieteria is that response time is critical, continuous operation is needed, resources are constrained, and health and safety are paramount. Basically, we’re talking OT (Operational Technology) instead of IT here.
In Paillet’s IoT, the system of the future must be secure by design. Trusted Platform Module (TPM) is a standard for secure cryptoprocessors, where hardware is secured by integrating cryptographic keys into devices. To Paillet, secure by design means a secure boot, integration into Public Key Infrastucture, secure management of keys and certificates for machine to machine (M2M) communications, signed firmware, and implementation of TPM.
For IIoT, solutions must have low-latency and immediate processing. You cannot afford a delay from the trip back and forth from the cloud. Decisions are made in milliseconds, and sensitive information/data would be better off not pushed up to the cloud. Take healthcare for example – life support devices can’t skip a beat, the information on them contains the most sensitive data about a person’s health, and if something goes wrong the device must act immediately. This is literally life or death. The same could be said for factory floors and other arrangements.
Paillet offers the fog. It’s essentially a more local cloud that is connected to all of the devices in your IIoT world. Paillet suggests that it is paramount that control and command remain away from the cloud. With the fog network available, sensors and command and control can be sent to the fog and analyzed. From there, the analytics can be sent to the cloud for further use. In this way, the data remains in your secure fog, and all someone that accesses the cloud will be able to see are the results of that data. Sensitive information is saved because we only see the trends, not the information. It would be like if someone tells you the answer to a question is 8 but doesn’t tell you what the question was. The answer is essentially useless at that point.
This method is very similar to edge analytics, where the analysis occurs on the sensor or at a network switch and the analysis is then sent to the cloud.
The Third Party Method
Perhaps you don’t have your own crack team of IoT security experts. It’s a problem that many companies are going to have. The talent pool is only so large, and IoT is going to exponentially grow. Instead of waiting to develop your own team, why not outsource the work.
Marcel Hill, Global Senior Director of IoT and Software Solutions at Intertek, doesn’t claim to be the only answer to your security problems. He believes there are a lot of smart people out there, and collectively the security community will need to use all resources to protect against threats. That doesn’t mean he can’t help.
The Three Types of Penetration Testing:
- Black Box – Penetration tester has no information, except what is publicly available, about your product/system and attempts to hack into it to determine vulnerabilities.
- White Box – Penetration tester has all information given by the company about the product/system. Using this information, the penetration tester attempts to hack into the product/system to determine vulnerabilities.
- Phased Approach – A combination of Black and White Box. Phase one consists of Black Box testing, Phase two consists of White Box testing. In this way the tester can test the product/system from every angle.
Marcel offers three level of threat:
- Automated and Rudimentary – Your run of the mill attack. They come from anyone, they’ll attack anything, and they’ll hit it anywhere.
- Sophisticated and Malicious – Targeted attacks at a specific company or entity. Often undertaken by hacktivists or organized criminals.
- Specific and Specialized – Cyber terrorism against the military or nation states.
You want to be safe against all of it. Obviously, the third level is almost exclusive to government bodies. But the idea remains the same – there are multiple reasons you could be attacked.
Marcel offers six steps that a third party should take when testing your cyber security:
- Regulatory Assurance
- Proprietary Solutions
- Vulnerability Assessment (VA)
- Application Security Testing (Penetration Test)
- Hardware Testing (Penetration Test)
- Data Inspection
As attacks get stronger and more sophisticated, the security of your IoT environment must go deeper. A third party is able to do what hackers want to do to find out how a hacker could get into your system and how long it could take. By testing your system in such a manner, you can account for and patch problems. By learning how long it would take for a hacker to get in, you can determine your risk management threshold to learn if you’re happy with your current level of security.
All of this could be for naught if there aren’t certain standards set. We don’t want security to be a trial and error venture. Losing data could have irrevocable effects on individuals, companies, and entire societies depending on the level of attack. By bringing products to market that have no standard for security, we’re inviting hackers to hit us now. It does us no good to secure devices after an attack if the data is already compromised.
By creating certifications for products, companies know that the devices they are getting are secured when purchased. By ensuring that products and systems are secure at point of purchase, we’re going a long way in securing the companies that buy them, and the customers that those companies serve. The next several years will be make or break for IoT. Where break doesn’t mean it just goes away – break could mean jobs, fortunes, and even lives are lost.
As it stands there are multiple alliances. Open Connectivity Foundation, One M2M, IoT Forum, ISO, Industrial Internet Consortium, OpenFog, LoRa Alliance, OMA, AllSeen Alliance are some of them. There are multiple protocol standards: MQTT, COAP, DDS, AMQP, XMPP and so on. There are even multiple networking standards. Zigbee, WiFi, Bluetooth, Lte, SIGFOX, NB-IoT, and Z-Wave are only some of them.
That’s all I have to tell you for now. It will be up to the industry to decide which, if any, should be the overarching standard. And it will be up to consumers and companies as well.
If we demand for companies to adhere to certain codes then they will. Technology decision makers rule the market by the sheer act of purchasing. If we commit to purchasing only the most secure products, we’re going a long way to ensure that all products are secure. It may cost more up front, but when statistics show that a single attack can cost a company upwards of $4 million, that cost doesn’t seem so bad.
It’s going to be an interesting decade folks. Secure yourselves.