Human beings have long dreamt about a world where devices speak to each other autonomously, cars drive themselves, people attend meetings virtually and 3D printing is commonplace. Thanks to the power of the cloud and decreasing technology costs these ideas are already becoming a reality. Smartphones, smartwatches, and connected health and exercise devices are becoming part of our everyday lives, promising to help businesses easily engage with clients and partners, access vast amounts of data on the go and reduce their need for travel.
However, reports of numerous high-profile data breaches have raised the alarm about how hackers could access electricity meters, medical devices, cars, industrial machinery and even prison cell doors. Organisations, small and large, face unprecedented levels of cyber-attack, all seemingly targeting their’ most valued asset, their corporate data. With data security breaches being a matter of not “if” but “when”, how can businesses prevent the Internet of Things (IoT) turning from dreams come true into nightmares?
Organisations should assume that prevention and threat detection tools can only go so far, and should be used as part of a layered approach to data security that can defend data once criminals get into the network.
The vulnerability of PLCs
At the heart of the IoT, is the idea of having as many devices as possible connected to a network where they store, share and analyse data in an automated way. Among the tools that will enable that are Programing Logic Controllers (PLCs), small computers which can be programmed to control a wide variety of things including assembly lines, security cameras, temperature controls and doors.
Although PLCs are widely used, organisations have only recently become aware of their vulnerability. This is in large part due to the Stuxnet breach, one of the first attacks designed to target PLCs with the goal of compromising nuclear centrifuges. Similarly, research into the susceptibility of keyless correctional facilities revealed that prison cells can be opened by compromising PLCs. This can be achieved by signing malware with a stolen certificate authority key, the name given to data files that contain identity credentials to help websites, people, and devices represent their authentic online identity. Masquerading as a trusted key, over time this code works its way to the PLC system and wreaks havoc.
Keeping keys safe
Certificate Authorities form the root of trust for the systems we depend on every day. When private keys and certificates are compromised, the systems built on that trust fall apart. Preventing attacks of this type requires robust security for the private keys and certificates to ensure only legitimate code is signed, which is why stronger access controls with multi-factor authentication (MFA) and data encryption are needed as part of today’s data security strategies. They are the last lines of defence for any company.
Hardware security modules (HSMs) are specifically designed for the protection of cryptographic keys and certificates. HSMs are cryptographic appliances that protect the infrastructure of some of the most security-conscious organisations in the world by securely managing, processing, and storing keys inside a hardened, tamper-resistant device. They provide protection for transactions, identities, and applications by provisioning encryption, decryption, authentication, and digital signing services for a wide range of applications, including data in transit.
By implementing MFA – also known as two-factor authentication – organisations can secure access to corporate networks, data and applications, protecting the identities of users, and ensuring that their identity is verified. The system works by requiring users to identify themselves with a combination of ‘something they know’ (password or PIN) and ‘something they have’ (token or smart card).
Nonetheless, addressing the issue of data access is not enough. Organisations often underestimate the magnitude of the risk to their business-critical data while it’s in transit across public or private data networks. However, this approach is short-sighted. It’s not simply systems and servers that are vulnerable to attack. Most organisations today need to send and receive data across both internal and external networks – locations which are immune to anti-intrusion and anti-virus protection. So as data travels across networks – internally and externally – it carries its own degree of risk exposure.
From the moment data is in motion, organisations are no longer in control. Data can be easily and cheaply intercepted by cyber-criminals for a number of reasons – ranging from corporate espionage to data theft to cyber-blackmail. In this environment, encryption of data is essential.
Whereas in the past encryption data in motion was deemed to be uneconomic and add an overhead to data networks, today’s high speed encryption technologies mean cost and speed need no longer be an issue. So there really is no excuse for any data to be transmitted in plain text. Only by unlinking their encryption strategy from their network architecture can organisations be safe in the knowledge that their data is protected, whether or not a security breach occurs.
By using a framework that is centred on the data itself and providing a protection that stays with it no matter where it is being sent, such as encryption, organisations can ensure that information remains secure even after the perimeter is breached. With encryption, businesses move security controls as close as possible to the data and can maintain control of their information, even when it is deployed in the cloud or in their datacentre.
The importance of trust
Driven by broad adoption of cloud and mobility and the advent of the IoT, IT decision-makers face increasing pressure from within the business to accommodate new ways of working and business transformation.
Experts are realising that simply putting up a wall around the data stored in network connected devices and standing watch is no longer enough. The data security perimeter hasn’t existed for a long time – data moves and is stored in many environments with varying degrees of security. As more individuals have access to that data from multiple access points, organisations must take a multi-layered, dynamic approach to securing it.
From electric meters and heart monitors, to communications going back to utility organisations and even prisons, trust must be established at every link. This ensures devices are identified and authentic, software updates in the field are authorised, and access to the systems monitoring and managing the grid are controlled and authenticated. This infrastructure is only as secure as the private keys and certificates used to protect it—this is where a solid environment becomes critical to avoiding IoT nightmares.
Sourced from Ameneh Zaher, SafeNet