Is IoT Driving Without a Seatbelt?
Guest Writer
Securing the Internet of Things (IoT) has been slow going, and it's putting user privacy and personal security at risk. The subject of IoT security has gained a lot of visibility over the last few years. We're wondering whether the industry is doing more than consumers to enhance security. Moreover, consumers don't seem all that interested in understanding how to protect themselves. What more can be done? In this article, we'll attempt to pull together all the highlights of our research into these points. We'll be talking about:
In the 1930s, United States physicians began installing makeshift safety belts in their own cars as a result of the vehicle-related deaths and injuries they witnessed all too often. Over the following decades, there was a great deal of innovation in automotive safety. It wasn't until 1968 that the first federal automotive safety law took effect. It required all motor vehicles (except buses) to be manufactured and equipped with seatbelts. For many people, the basic understanding that a seatbelt could save their life was enough to justify wearing one.
Despite the statistics, many people continued to ride in cars without securing their safety belts. Even after it became clear that many passengers were ignoring this simple measure, it took several more years for US states to pass laws that actually require passengers to wear seatbelts or risk fines. Why did it take both the industry and consumers so long to adopt this simple security feature? Years from now, will this same question be posed about the current state of IoT security?
As early as 2014, Target Corporation was dealing with the fallout from a hacker who had gained access to their network remotely (via the HVAC system: a connected device). This breach alone compromised thousands of cardholder records. Security of IoT devices garnered additional attention in late 2016 when the Mirai botnet was discovered to have infected what experts estimated to be hundreds of thousands of connected devices. The malicious code was used to launch distributed denial of service (DDoS) attacks on various targets, causing widespread disruption. Another unsettling fact, reported by Symantec in their 2017 Internet Security Threat Report, is that the average time to hack a connected device was only two minutes. For a career cyber criminal, this isn't much of a barrier to overcome. Ultimately, the concern for device security isn't merely about the user or device that is infected but also the assets that are part of the larger network on which these devices depend. So, it's no secret that IT security experts and professionals are concerned with the security of connected devices.
Experts estimate that a staggering number of devices will be connected through IoT systems within the next five years. According to Gartner Inc., the number of connected devices reached approximately 8.4 billion in 2017. They predict that the market will grow nearly threefold to 20.4 billion by 2020. Perhaps the only fact more surprising than the number of connected devices is the number of unsecured connected devices.
Consumer and industry demands are driving the need for enhanced functionality and user experience. In keeping with the "instant gratification" appetite of today's marketplace, consumers won't wait. Simply put: gone are the days of making appliances or products that only deliver on their functional purpose. So at the same time that pressures mount on executives to drive change and innovation within their business to provide these products, IT professionals and security experts are faced with an equally alarming concern: how can companies keep up with the demand for smart devices while also being smart about security? In order to answer that question, it might help to outline some of the factors adding unwanted complexity to IoT security:
In a time when a toaster that only toasts bread feels mildly archaic, it seems every company needs to be a tech company.
Given the previously mentioned dynamics, if a company is to remain relevant in today's tech-driven economy, they must consider their role within the connected device world, even if they're a traditional appliance manufacturer or non-tech company. Additionally, as if the pressure to bring the "smart" aspect to their products wasn't enough, tech companies are also finding ways to break into traditional product markets, only adding to the urgency non-tech companies feel to compete in the IoT arms race. This means that original equipment manufacturers ("OEMs") or non-tech companies are handed the tall task of rapidly bringing innovations to market that not only meet the original intended use of the equipment but also satisfy the tech-savvy user.
So what is a ânon-techâ company? For the purposes of this discussion, a non-tech company is one that produces or manufactures products or appliances that aren't traditionally considered smart or connected (e.g. refrigerators, toilets, heating systems, medical devices, cars, etc.). On the other hand, a tech company is one that primarily produces or develops technology; think Google, Amazon, Microsoft, IBM, etc. Considering the significant amount of expertise, research, and development that are required to add connected components to a traditionally non-tech device, industry leaders are finding ways to stay in the game. Two common strategies that non-tech companies are employing to compete in the IoT space are merging with or acquiring tech companies, and partnering with tech companies in joint ventures.
The acquisition of tech companies by non-tech companies has seen an uptick. The New York Times, relying on Bloomberg data, reported that in 2016, "682 tech companies were purchased by a company in an industry other than technology, while 655 were acquired by tech companies." Based on these figures, non-tech companies account for nearly half of tech company acquisitions. In 2017, General Motors made a bold move in order to compete with Tesla in the self-driving car market. They acquired Strobe, a relatively young company based out of California that specializes in the development of driverless technologies.
Whirlpool is an example of an OEM that embarked on a joint venture in 2010 to connect their home appliances to the internet. This strategic move allows consumers to control and monitor their appliances remotely via a smartphone. They did this by partnering with Prodea, a tech company, to help them build the connected portion.
It's important to note that each strategy described above presents its own challenges in terms of security. With the acquisition of a tech provider, there's still the responsibility to ensure proper funding for IoT security development. "Gartner predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets. Security vendors will be hard-pressed to provide usable IoT security features because of the limited budgets for IoT and the decentralized approach to early IoT implementations in organizations. Vendors will focus too much on spotting vulnerabilities and exploits, rather than segmentation and other long-term means that better protect IoT."
Outsourcing doesn't absolve non-tech firms of their responsibilities either. Careful plans should be made to determine who's responsible for ensuring the secure design of products and the subsequent support of devices. When a non-tech company outsources the software development piece to a third party, it remains responsible for a well-developed plan for security and sustainability. In essence, this requires them to be a tech company by proxy.
The impressive growth in demand for smart technologies is matched only by the growing deficit of personnel who possess the skills to build those smart technologies securely. As reported by Sudashan Krishnamurthi of Cisco, "Many organizations are struggling to understand what skills are and will be required to allow for successful IoT implementations." Additionally, according to ISC2, analysts believe that the security professional shortage will reach 1.5 million by 2020.
That isn't to say that the IoT industry isn't trying. In an attempt to remedy the lack of qualified professionals, leading security industry organizations are ramping up certification programs and training opportunities. For example, ISC2 has created the International Academic Program to support higher education institutions in developing security curricula, along with the Center for Cyber Safety and Education, which has established scholarships to entice individuals to consider the cybersecurity field as an option. Additionally, ISC2 has highlighted the following suggestions for this issue:
Compounding the risks just described is the speed at which these products are being created and brought to market. Colm Lennon, founder of Haka Products, as quoted in the Chicago Tribune: "All of the roles in this connected Internet of Things space, they have to really work closely together if the company wants to innovate at great speed but also innovate with the intent of doing so to protect their customers, to protect themselves and to protect their partners." As businesses strive to grow and change, their strategy needs to put consumer protection ahead of beating the competition to market.
The range of devices and architectures in use presents a variety of security challenges. Connected devices perform various functions, including processing, storing, and transmitting data; some do all three, others only one. Additionally, IoT devices come in various shapes and sizes, and a majority of them are small and discrete. So why do function and size create security issues?
As noted by Dr. Nick Allot at the 2016 IoT Security Conference, a significant security challenge is dealing with constrained or low power devices that have difficulties supporting adequate encryption. The devices are small and processing capabilities are naturally limited. Finding the harmonious balance between device functionality, size, and security has proven to be one of the major hurdles for device developers and manufacturers.
Various types of architecture are available. However, according to a study published in the Journal of King Saud University, "the central issue of these architectures is the lack of full interoperability of interconnected things in abstraction level. This leads to invoke many proclaimed problems, such as: degraded smartness of high degree, less adaptability, limited anonymity, poor behavior of the system, reduced trust, privacy, and security. IoT architectures do pose several network oriented problems due to its limitation of homogeneity approach." In short, there are many great "security by design" architectures, but making them work together is proving a challenge.
Regardless of the path that non-tech companies are taking to integrate connected devices into their product portfolios, one thing is certain: security must be at the forefront. While management across various industry sectors figures out how to incorporate IoT into future business plans, security professionals must develop and build consensus on standards. The trouble is that advanced global economies continue to grow through technology, and IoT device manufacturers don't have a set of regulatory standards to ensure device security.
There's much the IoT industry can start doing now to improve security outcomes. Best practices are being set forth by the industry, government, and SROs alike. Cloud providers (Google, Amazon, and Microsoft) all publicly boast IoT security best practices that guarantee secure infrastructure, encryption, authentication, timely patching, and protection from malicious activity. Some cloud providers even guide device makers through building with security in mind. They promote such standards as a patchable device design, encrypted data, no hard-coded passwords, no known security vulnerabilities, and the use of industry standard internet protocols.
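The "no hard-coded passwords" practice above is easy to state and easy to get wrong, so here is an added illustration of it (example code written for this article, not from any of the providers or standards bodies named on the page). It places the weak pattern, a single credential compiled into every unit's firmware, next to a hardened pattern in which each unit leaves the factory with its own random password that is stored only as a salted PBKDF2 hash, must be replaced before the device is allowed on the network, and is protected by a simple lockout against online guessing. The class name, the serial-number format, the 100,000-iteration work factor and the five-attempt lockout are all assumed values chosen for the example; the audit helper at the end shows the check a manufacturer can run over its own fleet records to confirm no two units share an initial secret.

```python
import hashlib
import hmac
import secrets

# --- The weak pattern: one credential baked into every unit's firmware. ---
# Constructed illustration only; this is not code from any real device.
HARDCODED_DEFAULT = ("admin", "admin")


def vulnerable_login(user: str, password: str) -> bool:
    """Every device shipped with this check accepts the same credential."""
    return (user, password) == HARDCODED_DEFAULT


# --- The hardened pattern: per-unit secret, hashed at rest, rotated on first use. ---
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the example
MAX_FAILURES = 5              # assumed lockout threshold
MIN_PASSWORD_LEN = 12         # assumed minimum for the replacement password


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever stored on the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class ProvisionedDevice:
    """Models the credential state of one unit from the factory onward (hypothetical)."""

    def __init__(self, serial: str):
        self.serial = serial
        # Unique initial password, printed on the unit's label and never stored
        # in cleartext in firmware. Returned here only so the example can use it.
        self.initial_password = secrets.token_urlsafe(12)
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(self.initial_password, self.salt)
        self.must_change = True   # network access stays blocked until rotated
        self.failures = 0

    def login(self, password: str) -> bool:
        """Constant-time comparison of the salted hash, with a failure counter."""
        if self.failures >= MAX_FAILURES:
            return False
        candidate = _hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.pw_hash):
            self.failures = 0
            return True
        self.failures += 1
        return False

    def change_password(self, old: str, new: str) -> bool:
        """Replace the label password; a fresh salt is drawn for the new hash."""
        if not self.login(old) or len(new) < MIN_PASSWORD_LEN:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(new, self.salt)
        self.must_change = False
        return True

    def can_use_network(self) -> bool:
        """Normal operation is refused until the factory password is gone."""
        return not self.must_change


def fleet_shares_secret(devices) -> bool:
    """Manufacturer-side audit: True if any two units accept the same initial password."""
    seen = set()
    for device in devices:
        if device.initial_password in seen:
            return True
        seen.add(device.initial_password)
    return False


if __name__ == "__main__":
    unit = ProvisionedDevice("SN-0001")
    print("default credential accepted by weak firmware:", vulnerable_login("admin", "admin"))
    print("default credential accepted by provisioned unit:", unit.login("admin"))
    print("label password accepted:", unit.login(unit.initial_password))
    print("network allowed before rotation:", unit.can_use_network())
    unit.change_password(unit.initial_password, "a-much-longer-passphrase")
    print("network allowed after rotation:", unit.can_use_network())
```

The two halves make the contrast concrete: the weak version's secret is recoverable from any one unit and unlocks every other unit, while in the hardened version nothing recoverable from the firmware image authenticates to any device, and a compromised label password is useless once the mandatory first-use rotation has happened.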
Along the same lines, the IoT Security Foundation (IoTSF), a non-profit organization, has developed numerous guidance documents covering an IoT security framework checklist for device makers, the reporting and public announcement of vulnerabilities, and product and consumer security awareness support. IoTSF established the Best Practice User Mark, which can be used by organizations that implement the compliance framework recommendations. Massachusetts and California senators drafted a bill in Oct. 2017 to ensure IoT devices meet certain cybersecurity requirements. A seal of approval may gain momentum similar to the ratings that are now required on video games. The anticipated outcome would be "[to] help consumers identify products that meet certain standards," said Sen. Edward J. Markey. The benefit of having these seals or marks in place today is that they help bring awareness to consumers rather than waiting for regulations to be put in place. In this way, the economy might drive protected devices faster.
Cloud and IoT network providers could unite to secure IoT systems. For example, consider how the payment brands (Visa, MasterCard, and American Express) created the Payment Card Industry Data Security Standard, which helped to reduce credit card fraud. The security standard protected credit card users while also saving card providers time, money, and brand-damaging hacks.
Will cloud and IoT solutions providers like Google, Microsoft, and AT&T protect connected devices by enforcing security standards? It would be interesting to see the day when these providers ask device makers for their third-party security audit statement. To this end, third-party audit organizations will be needed more and more to independently review security due diligence.
Perhaps a quick-win security best practice the industry can put in place today would be to update the internet protocols that connected devices use. As stated by Charles Sun of Computer World, "The moment we turn off IPv4, we will eliminate global cyberattacks and security threats based on the IPv4 stack." Interestingly, this 2016 article shows the US government leading the way in the adoption of IPv6, which may force the solution. Governments have more at stake when protecting data than consumers. As such, governments are more in touch with security concerns. Not only will we be better protected with IPv6, but IPv6 is scalable to the future growth of connected devices. The FDA and NIST have published guidance for industry and international cybersecurity standards, while the FTC is actively seeking and rewarding easy and user-friendly solutions that help to protect consumers with devices in their smart homes.
Some of the latest security issues with IoT medical devices don't actually stem from the device itself. According to HealthcareITNews.com, "The most common types of Internet of Things medical devices security alerts originate from user practice issues, such as using embedded browsers on medical workstations to surf the web, conduct online chat or download content, accounting for 41 percent of all security alerts, according to a new study by ZingBox, an Internet of Things cybersecurity company."
Consumers cannot yet rely on the industry to produce secure devices, yet 90% of consumers lack confidence in securing their own devices. However, it's worth mentioning a few things consumers can do. Recall that solving the automotive fatalities crisis in the 20th century required individual, industrial, state, and federal parties to unite around a common and simple solution: seatbelts. IoT devices are connected to your home network, and typically your smartphone or a hub maintains direct control over the home network. For this reason, you need to make sure to secure all three areas: smartphone, home network, and connected devices.