The IoT can open a Pandora’s box of security vulnerabilities. Here’s how to keep the lid closed:
Is the rising Internet of Things a big happy hunting ground for hackers? With lax or even non-existent security seen across various devices, and already a major incident in which IoT-connected devices were harnessed into a major malicious botnet, the prospect is disturbingly real.
“More data, and more sensitive data, available across a broad network means the risks are higher and that data breaches could pose significant dangers to individuals and enterprises,” according to a new report from Deloitte. Deloitte recommends building an IoT framework that assures technical security, builds in vigilance on the part of employees and administrators, and ensures resiliency in the event of an incident.
In other words, consider all the due diligence that’s been applied to IT systems in recent years, and multiply that due diligence by a factor of 10. “Every new device added to an IoT ecosystem adds a new attack surface or opportunity for malicious attack, and each hand-off is a new opportunity for a security breach,” state the report’s authors, Irfan Saif, Sean Peasley, and Arun Perinkolam, all with Deloitte.
IoT opens a Pandora’s box, they add. Potential attacks “are quite effective at exploiting weaknesses never imagined by their creators. The nature and intensity of attacks can change in ways that render previously effective security measures obsolete.”
Internet of Things security solutions
The Deloitte team recommends the following steps to safeguard IoT efforts:
Build security into IoT solutions from the beginning. “Security cannot be an afterthought — it must be integral throughout the design process,” Saif and his co-authors state. “IoT solutions will need to blend a deep understanding of organizational operations with knowledge of multilayered cyber risk management techniques, creating offerings that are secure, vigilant, and resilient.”
Work to define standards for interoperability. Interoperability – or lack of it – between devices is a major Achilles' heel in IoT security scenarios. Multiple standards mean an inability to cohesively address security issues. “Adhering to one standard only or actively getting involved with consortiums to develop a set of standards can help ensure that devices within a network can all communicate and work together safely and effectively,” the Deloitte team writes. (Related: “Industrial IoT needs semantic standards”).
Have a plan in place. Many companies have disaster recovery and business continuity plans ready when needed. The same should be the case for IoT breaches. “When a breach occurs, limiting the damage and reestablishing normal operations are much more easily and effectively done when there are processes in place to quickly neutralize threats, prevent further spread, and recover,” Saif and his co-authors urge.
Use devices designed for IoT. Attempting to shoehorn devices not intended for a network as expansive as IoT only opens up security vulnerabilities. “Rather than retrofitting or extending functionality of old systems in ways for which they weren’t designed, companies should strongly consider wholly new, secure technologies designed specifically for the IoT,” the Deloitte team advises.
Develop clear responsibilities for the players in your ecosystem. Security responsibilities may be murky when one organization is using data coming from another company’s devices. Don’t try to share responsibilities – instead, let each player in an IoT ecosystem have a definitive area of responsibility. “Players must know where their responsibilities begin and end, and what they are responsible to protect,” Saif and his team state. “Taking an assessment of all stakeholders and assessing the potential risks at each point—and making sure the stakeholders are aware of those risks—can help make a solution more secure.” Effective and clearly articulated data governance is also part of this formula. “Guidance around how data can be securely collected, used, and stored can help prevent unwanted breaches and prevent a risk event from snowballing into something larger, and can also outline the lines of responsibility in the event of a breach.”
Establish a baseline of data. Know the norm, so it is easy to spot events that are out of the norm. “Viewing IoT systems more broadly and monitoring environmental attributes such as usage, location, and access would better enable enterprises to gather a broad enough scope of data to establish a baseline, helping companies to discern what is normal and what constitutes a suspicious aberration,” the authors suggest. “This, in turn, enables enterprises to take appropriate and effective action when data do stray from the norm.”
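As an added example (not code from the Deloitte report or this article), here is what such a baseline can look like in practice: per-device norms for usage, location and access are learned from constructed historical telemetry, and new events are scored against them. The device names, sites, accessors and the 3-sigma usage threshold are all assumptions.

```python
# Added example: build a per-device baseline from constructed IoT telemetry and
# flag events that stray from it (unknown device, unexpected location or
# accessor, or a usage rate far outside the historical spread).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (device_id, site, accessor, messages_per_hour)
HISTORY = [
    ("thermostat-17", "plant-A", "svc-hvac", 58),
    ("thermostat-17", "plant-A", "svc-hvac", 62),
    ("thermostat-17", "plant-A", "svc-hvac", 60),
    ("thermostat-17", "plant-A", "ops-admin", 61),
    ("camera-04", "lobby", "svc-video", 240),
    ("camera-04", "lobby", "svc-video", 236),
    ("camera-04", "lobby", "svc-video", 244),
]

def build_baseline(history):
    """Per device: known sites, known accessors, and message-rate mean/stddev."""
    rates, sites, accessors = defaultdict(list), defaultdict(set), defaultdict(set)
    for dev, site, who, rate in history:
        rates[dev].append(rate)
        sites[dev].add(site)
        accessors[dev].add(who)
    return {
        dev: {"sites": sites[dev], "accessors": accessors[dev],
              "mean": mean(r), "stdev": pstdev(r)}
        for dev, r in rates.items()
    }

def check_event(baseline, event, z_limit=3.0):
    """Return the reasons an event deviates from its device's baseline ([] if normal)."""
    dev, site, who, rate = event
    b = baseline.get(dev)
    if b is None:
        return ["unknown device"]
    reasons = []
    if site not in b["sites"]:
        reasons.append(f"unexpected location {site}")
    if who not in b["accessors"]:
        reasons.append(f"unexpected accessor {who}")
    spread = b["stdev"] or 1.0  # guard against a zero-variance baseline
    z = (rate - b["mean"]) / spread
    if abs(z) > z_limit:  # assumed threshold: 3 standard deviations
        reasons.append(f"usage {rate}/h is {z:.1f} sigma from baseline")
    return reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(check_event(base, ("camera-04", "parking", "svc-video", 900)))
```

A real deployment would persist the baseline and refresh it on a schedule, so that normal drift in usage is absorbed while sudden deviations still surface.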
Create loosely coupled systems. The idea of loosely coupled systems arose with the development of service-oriented architecture, which advocated that individual systems or services could stand alone, and not break if something happens to an upstream or downstream application. “Ensure devices within an ecosystem are loosely coupled and resilient so that the failure of one device does not lead to widespread failure.”