News emerged recently that BT is launching a new ethical hacking service for road vehicles designed to help industry players better secure systems against attack. It’s another sign of how far the Internet of Things has come.
But before we go any further, the technology industry needs to establish some ground rules, international norms and common standards to help IT buyers and manufacturers.
What are the risks?
The Internet of Things is still developing. IDC predicts the market for IoT will be worth over $7 trillion by 2020. We’ve no idea what it might look like in five or even ten years’ time. But what we do know is its almost limitless potential – from transforming healthcare, to creating smarter cities and driverless vehicle systems, to even making sure we never run out of milk. It promises to make our lives easier and our jobs more productive.
But the elephant in the room, as with all technological advances, is what happens when the bad guys get hold of it.
If we’re talking about smart, driverless car systems, there are numerous catastrophic scenarios involving cyber criminals stealing cars to order, kidnapping their owners for ransom or even driving vehicles into pre-assigned targets.
But aside from sabotage of the IoT objects themselves, the biggest risk comes from the hacking of back-end systems and the data flowing through them. That’s why it’s good to see that the new BT Assure Ethical Hacking for Vehicles programme will focus on testing systems that interact with the cars themselves, like engineers’ laptops, power plugs and USB ports.
On their own, the data generated by an IoT device might not provide much of interest to a hacker. But taken at a macro level, the usage patterns that can be deduced via analytics tools could be a valuable commodity. That’s why businesses need to start drawing up guidelines now to protect consumer privacy in this new era.
From an enterprise perspective too, corporations keen to maximise the value of this data without destroying their trusted relationship with customers need a better steer on where to look for advice.
IoT sensors are also starting to creep into offices where they can be used for everything from monitoring and altering the ambient room temperature and air conditioning, to more invasive tasks such as creating usage profiles for individual members of staff.
There are also certain industries in which IoT data could become incredibly valuable to competitors. Think of energy companies monitoring the output of oil and gas fields, for example. This is high-stakes stuff, with billion-dollar decisions hinging on the data these devices collect.
In general though, there’s probably more talk of IoT out there than actual enterprise installations. Why? Because users still feel like the security and privacy concerns outweigh any benefits.
That’s why organisations need to design security into the Internet of Things from the ground up. They need transnational frameworks and standards led by the likes of the IEEE, NIST and the EU that they can all unite behind. A globally recognised kitemark indicating an IoT system has passed a basic standard of security and privacy testing would be a great start.
In the meantime, there are things IT buyers and manufacturers can do to minimise the risk of products falling foul of security gaps. OWASP has a ‘Top 10’ specifically focused on IoT, which can be a valuable resource for developers and consumers of the technology alike.
For enterprise IT managers, the focus has to be on taking a risk management approach to IoT projects: working out what data is being captured and what the implications might be if it’s hacked or used as a stepping stone to target more sensitive assets.
Think about whether staff may have already brought in IoT systems without telling IT. It’s still early days, but the Internet of Things has the potential to be far more damaging and disruptive than BYOD.
So, revisit those policies and update them to specify exactly what is and is not permitted in the workplace. A little effort now could help prevent a lot of pain further on down the road.
Sourced from Bharat Mistry, Trend Micro