The Internet of Things (IoT) has gone from a futuristic buzzword to a reality. The security of IoT has become an industry in itself.
By 2020, Gartner expects 20 billion IoT "things" to be in use. These IoT "things" don't include smartphones and PCs. They are everyday devices, such as household appliances, cars and vending machines, that have internet connectivity.
The Gartner report describes an ever-growing number of devices that benefit consumers.
This growth also creates additional headaches for CIOs and IT professionals. It can be difficult work for IT managers because it involves more than managing a closed network and virtual assets. It means managing physical devices and objects that are beyond the immediate control of the organization.
IoT generates a large amount of highly personal consumption data. The generation of increasing amounts of data creates layers of security concerns, particularly in light of the new privacy legislation. The EU General Data Protection Regulation (GDPR) and the new California Consumer Protection Law (CCPA) are two examples.
Are our security solutions up to the IoT boom? A Deloitte survey of organizations' confidence in IoT security reveals that only 18% of the 500 C-level executives who oversee cybersecurity in large enterprises say they are very confident that the "things" of the Internet of Things are secure. This is significantly less than the 31% who say they are unsure or not at all confident in the security of IoT.
Massive amounts of personally identifiable data
The sheer number of IoT devices in use will make it even more difficult to protect the huge amount of personally identifiable data that is collected. All of these devices combined mean more attention must be paid to data collection, storage and security.
Enter PKI. PKI stands for Public Key Infrastructure. Each public key is paired with a private key known only to the user. PKI has a certification authority that issues and signs digital certificates, which can be revoked. This authority verifies the identity of those who request digital certificates. Combined with TLS (Transport Layer Security), PKI enables encrypted communication.
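The issue-and-verify relationship described above, as an added Go example that is not part of the original article: a constructed certification authority signs a device certificate, and the verifier accepts only certificates that chain to that authority. The names "Example IoT CA" and "sensor-0001" and all helper functions are assumptions made for illustration; revocation is not covered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CheckDevice accepts dev only if it chains to the pinned CA and is currently valid.
func CheckDevice(dev, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := dev.Verify(opts)
	return err
}

// Demo uses constructed certificates: one CA, a device certificate it signed, and a
// certificate with the same names signed by a key the verifier does not trust.
func Demo() (genuine, lookalike error) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	sign := func(t, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, key))))
	}
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IoT CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	devT := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "sensor-0001"},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	caKey, otherKey, devKey := newKey(), newKey(), newKey()
	ca := sign(caT, caT, &caKey.PublicKey, caKey)          // trust anchor held by the verifier
	other := sign(caT, caT, &otherKey.PublicKey, otherKey) // same name, untrusted key
	return CheckDevice(sign(devT, ca, &devKey.PublicKey, caKey), ca),
		CheckDevice(sign(devT, other, &devKey.PublicKey, otherKey), ca)
}

func main() { fmt.Println(Demo()) }
```

The second result is an error even though both certificates carry identical names: trust comes from the CA's signature, not from what the certificate claims.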
Managing the security and privacy risks of IoT devices
The National Institute of Standards and Technology (NIST) has identified three critical risks in IoT devices that show how they differ from conventional computing:
- IoT devices interact in fundamentally different ways from traditional computing devices in the hands of consumers
- IoT devices cannot be monitored or managed in the same way, because they are beyond the physical control of your IT staff
- The availability, efficiency, and effectiveness of IT controls are different. Additional restrictions and controls need to be developed and managed, as well as a different approach to risk mitigation.
These key risks boil down to three concepts that IoT requires:
- Protect device security
- Protect data security
- Protect user privacy
Protecting the security of IoT devices
When devices are available for public use, cybercriminals can easily get hold of them. The key is to prevent them from using these devices to carry out attacks, including things like DDoS or intercepting network traffic.
Protecting data security
With the exception of devices that do not need permissions, it is essential to protect the privacy of, and access to, personally identifiable information collected, stored or processed by IoT devices. In addition to best practices, this may also be subject to strict compliance rules depending on the type of transaction in progress.
Protecting user privacy
We have witnessed many high-profile data scandals in the past two years. In 2017, Marissa Mayer, CEO of Yahoo, was forced to resign after publicizing that the company had provided U.S. intelligence agencies with access to millions of user emails. Just this year, two of Facebook's best employees followed suit because of the company's plan to combine Facebook, Instagram and WhatsApp.
As IoT becomes even more integrated into devices, privacy will become a more important concern for users.
Operational security as part of your DNA
To be effective, the cybersecurity of IoT devices must be at the heart of everything you do.
"Security needs to be built into the DNA of operational programs to allow organizations to have great products and have peace of mind," said Sean Peasley, leader in IoT security in cyber risk services at Deloitte & Touche LLP.
Peasley said organizations need to consider potential threats as dangers and take a close look at them as priorities.
Defending data security begins with developing products that build in security from the design stage to manage risk. This means implementing cybersecurity practices by default when designing and producing IoT products.
Top 10 IoT Security Risks
Deloitte notes the top 10 security risks associated with the management of IoT products by organizations. Each of these must be addressed with meaningful solutions.
- Lack of security and privacy policies and procedures
- Lack of governance to protect data
- Lack of product design and secure ecosystems
- Lack of awareness and training for engineers and designers
- Lack of product security and privacy resources
- Lack of monitoring of devices (and systems) to detect attacks / events
- Lack of implementation security and risk management
- Lack of visibility into product safety
- Lack of identification and mitigation of product risks
- Lack of experience with incident response
Managing these risks takes a top-down approach to cybersecurity with the corresponding budget. Security is not something to delegate to the IT team. It must be integrated into all phases of the design process, from senior management to the end.
Security risks are becoming more and more known to the public
With security risks becoming more widely known to the public, employees are beginning to make employment decisions based on the security practices of their employers. As Ray Walsh, Digital Privacy Expert at ProPrivacy.com, explains, "technical workers understand that if something is wrong – and the company they work for suffers a data breach – they could end up with an unwanted black mark next to their name, or worse, the potential for liability."
Walsh continues: "Employees often leave with an understanding of basic business practices, trade secrets and knowledge of intellectual property. There is also a risk that companies will not be able to fill the void created by these resignations (with equally competent talents). On the other hand, companies that may manifest a real desire to protect consumer privacy are likely to become increasingly attractive to consumers and employees of the technology sector."
This focus on security does not stop when the design is completed. It must continue throughout the product life cycle.
32.7 million IoT attacks
Attacks on IoT security aren't just theoretical. More than 32.7 million attacks on IoT devices were detected in 2018. This represents an increase of more than 215% compared to the previous year. Too many devices have little to no security controls.
As consumer adoption of IoT devices continues to grow, concerns about privacy and security will also increase. When a network is internal and under the control of CISOs and their IT teams, strict compliance with data security and protection requirements can be enforced. When devices are in the hands of consumers, this is more difficult to manage.
A recent study has shown that more than 40% of smart homes have at least one IoT device vulnerable to remote attacks. Outdated software, unapplied patches, and weak credentials allow cybercriminals to exploit these weaknesses.
"Concerns about security and privacy are more common than ever," said Michael Chertoff, former US Secretary of Homeland Security.