Securing the Internet of Things – what have you forgotten?

Smartphones are increasingly being used in businesses to enable employees to quickly collaborate, share information, and most importantly, gain access to customised data analysis.

Organisations across many sectors are recognising the benefits of providing decision-making teams — no matter where they are located — with the ability to make proactive decisions based on insight derived from their source systems.

The goal of M2M is simple data access and connectivity, while IoT’s objectives go further to monetise data collected. The value and long-term potential of IoT therefore resides not only in the device, its use and the subsequent data analysis, but also in stakeholder trust in the entire ecosystem’s security. Without this trust, the devices will not be used to influence outcomes – which would render the IoT strategy impotent.

>See also: Is the Internet of Things already getting ahead of enterprise security?

Today, creating and maintaining an IoT deployment of various sensors, devices, communications and locations across a business is complex to say the very least, although there are already millions of devices in IoT deployments that offer highly customised use cases.

But despite this volume of devices, IoT is in its infancy, as evidenced by the lack of API standards for disparate device management across multiple ecosystems. A typical device OS does not include robust APIs to prevent unauthorised device access, secure data at rest or in transit, track device location (outside of logistics or transportation use cases), or utilise the SIM.

But is the enterprise even aware of all the security problems inherent in IoT, let alone tackling them appropriately?

Over the next 12 months, IoT will become a key component and differentiator in the offerings of enterprise mobility management (EMM) providers. According to a 2014 HP IoT report, 70% of the most commonly used IoT devices contain vulnerabilities such as password security, access permissions and encryption.

Most IT departments would consider an EMM suite to be the obvious solution to these issues, but while such tools can set security policies, provision device identities and application deployment rules, these capabilities are only respective to the operating system, such as iOS and Android, with growing support for Windows devices.

Most connected devices have an IP address. To protect against unauthorised access, device passwords should be changed during provisioning, from the default to a unique, strong password (numeric, upper and lower case alpha, and symbols) and updated periodically each year.

But just like any connected device, IoT devices with integrated network connectivity can be exploited. IT departments must therefore monitor for when new devices request network access and be able to authenticate or refuse authorised access.

This may mean monitoring a device’s location via a geo-fence. For instance, if a dialysis machine dials into the hospital network at noon to upload data, that’s likely to be an authenticated and authorised use case. But if it’s trying to dial into finance systems or patient data from another hospital, IT departments need to quickly recognise the discrepancy and respond accordingly.

But what about the data itself? Access to devices and networks is just one level of security. The data on the device is also at risk.

For many of today’s M2M and IoT deployments, the system on chip (SoC) is fairly low-cost, customised and has minimal RAM. The data may not be encrypted either at-rest or in-transit. Worse, there may not be a governance strategy – a responsibility that goes beyond just the IT department.

The somewhat good news, at this point, is that the data on an individual device is likely to be very limited and by itself not that useful. For instance, cooled tanks with liquified gases that must be monitored in industrial production applications.

>See also: Device security must be at the heart of Internet of Things development

However, a data breach in a larger number of devices could not only be quite serious to potentially disrupt production, but also may not be discovered for some time. In an IoT ecosystem, the data provides actionable insight for multiple stakeholders, including vendors and the end-customer.

A breach by a data broker, competitor or curious budding computing scientist could disrupt the ecosystem’s data exchange interdependencies, cause a breach of trust among stakeholders and provide a competitive replacement opportunity.

IoT’s potential is undoubted, as almost every analyst and industry commentator will agree. But this potential will never manifest in enterprises unless users and IT departments alike can have confidence in the security of the devices, the data they hold and the networks that bind them together. And achieving this relies on a full knowledge of the threats and risks at every point in the connection lifecycle.


Sourced from Troy Fulton, Tangoe

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics