The strength of a system is beholden to its weakest point.
This concept is the reason that security in the Internet of Things is an altogether different brand of security than in the past. In a world where objects and environments are digitally connected and placed onto networks, objects themselves become windows of data transmission and collectors of potential insight and utility… but also potential vulnerabilities.
Harbor forecasts some 36.4B devices will come online within the next four years. This exponential growth of new devices and sensors will emerge in mixed environments, with incumbent and legacy technology, equipment, gateways, controllers, routers, databases, all communicating over a plethora of protocols. As organizations digitize their internal and external processes, services, and products, they enable countless devices to send and receive information over the Internet. This data transmission has powerful potential to drive tremendous efficiency increases, from supply chain automation to software updates, to self-monitoring, self-adjusting, and self-optimizing smart systems. But these useful interactions also create potential new attack points for malicious entities.
Examples of cyber intrusions and security breaches are everywhere.
Examples start small. Single consumer devices—synonymous with “IoT” for many people—are where we have seen the news headlines. But these are only the tip of the iceberg… and so are their security risks.
These consumer devices are often manufactured by start-ups with limited funding and a ship-or-die urgency, which leaves little time or investment for security (never mind for educating consumers about the threats, updates, and best practices that mitigate such risks). Several security firms have found that many consumer devices are vulnerable to even the most basic hacking attempts. Some have made headlines, while others have quietly flown under the radar.
- Strangers hacking into baby monitors, spying on little ones, even talking to them over the intercom!
- Security researchers hacked into a smart refrigerator by intercepting communications between the fridge and its user’s Google Calendar, exposing Gmail login credentials.
- A hacker developed a $32 device to hack into cars and garage door openers.
Then there are the larger examples, whose potential scale we have barely glimpsed. Security vulnerabilities in larger contexts, in or across [fleets of] cars, buildings, factories, or even the grid, go beyond ‘creepy,’ beyond privacy, even beyond the security of proprietary information. They can have profound impacts on people’s safety and their lives.
- Security researchers successfully took control of a Jeep Cherokee while it was on the road and were able to remotely turn on the windshield wipers, control the radio, shut off the transmission, and disable the brakes.
- Retailer Target’s infamous customer identity and financial breach was a result of hackers penetrating the company’s HVAC system service provider to gain access to Target’s network passwords.
- Hackers revealed significant vulnerabilities across multiple brands of connected lightbulbs and lighting solutions that seriously compromise physical and digital security and safety across a range of environments, from factory floors, retail environments, hotels, and stadiums to street lamps and any other ‘smart’ building or infrastructure involving lighting.
In each example, seemingly mundane components introduce new risk as they exist and transmit data across one or more networks in a system.
It’s not just manufacturers, retailers, and consumers who are concerned; governments are also grappling to understand, advise, and determine their and others’ role in safeguarding data. Director of National Intelligence James Clapper warns, “devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks, could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems.” Look no further than Ukraine, where experts say control systems were more secure than some in the U.S., for a real-life example. On December 23, 2015, sophisticated cybercriminals penetrated Ukraine’s power grid, leaving more than 230,000 customers in the dark, and disabling backup power supplies to 2/3 of its power distribution centers.
But the examples only tell part of the story. In the end, it’s less about the device and more about the system.
What organizations and consumers alike must realize is that, while a hack seemingly occurs at a single endpoint—a thermostat, for example—the systemic architecture, i.e. the network, that supports any single device makes the exposure far greater than that of any single device.
Consider a smart city. A connected city is a smart system in which the most value and sustainability impacts are felt when disparate entities “talk” to each other seamlessly. Smart stoplights optimize traffic flow based on real-time data aggregated from other stoplights, cars, beacons, or historical datasets. Car manufacturers or other service providers use this data to communicate changes in traffic conditions to drivers, re-routing them based on weather, construction, or congestion. Patterns of movement through a city also inform and help optimize municipal services such as waste management, areas for repair or remodeling, infrastructural energy consumption and creation, shared or on-demand services such as ride-sharing or delivery, the list goes on and on.
The ‘network effect’ illustrated in a smart city isn’t limited to smart cities. Indeed, these same sorts of benefits and risks are inherent to any smart system, whether buildings, factories, commercial environments, cars, homes, etc.
The very flow of data in a system drives value, but also introduces risks, including but not limited to:
- Hacking, breaches, theft, cyber intrusion of devices, networks, private and public services, individuals, transportation mechanisms, infrastructure
- Nefarious use, manipulation, or exploitation of data, device identity, assets, rules, features, services, system upgrades, etc.
- Disruption of features, services, functions, safety mechanisms, identity authentications, etc.
- Surveillance leveraged by hackers, foreign states, terrorists, or domestic law enforcement for nefarious purposes
Every organization engaged in architecting and deploying IoT solutions must understand these risks. They must also understand the scope of their responsibility, and that of their partners and other stakeholders, to thwart ever-increasing threat vectors.
IoT Security requires a shift in mindset.
To best mitigate ever-expanding threats to security and privacy, organizations must change their ways of thinking about security. This shift in mindset is one that addresses security through a fundamentally broader scope at every level of the interaction.
Organizations must understand the nature of the challenges, risks, and technological advantages and disadvantages unique to their product or service environments. They must understand the internal skills, existing practices, policies, governance, and controls related to security, what is lacking, and where the gaps lie. They must understand the impacts of these elements from other organizations associated with theirs, such as partners, third parties, and even consumers. And this is only the beginning.
To support this shift, Harbor Research has developed a three-step process to guide organizations in their approach to IoT security. We have designed this process to aid companies in designing and implementing a holistic approach to security in IoT solutions.
- Step 1: Address security impacts and implications across diverse environments
- Step 2: Apply a multifaceted approach across the five critical security functions
- Step 3: Define lifecycle controls across the entire device and data lifecycle
Regardless of your role or phase in IoT deployment, we welcome and encourage your engagement with this important topic to better understand the scope of the threats facing your business and key steps to mitigate. Download our latest report, written in partnership with Dell, on Security for the Internet of Things. We hope this provides a valuable perspective on the opportunity to design security solutions from inception to deployment.
Forward-looking IoT security strategies begin with product design, but like the IoT itself, they transcend products, across services, stakeholders, customer segments, threat vectors, and lifecycles. Security no longer belongs solely to IT; increasingly, we all have a role in understanding, architecting, and defining better, more robust security to mitigate the inherent vulnerabilities and edge closer to the inherent value of a connected world.