The Internet of Things is here and is now on your wrist, in your pocket, in your car, and maybe even in your socks. From smart watches and self-driving cars to smart toothbrushes and digital socks that track your steps, we are living in a world where no device is an island.
It’s important to remember that the nature of the Internet’s design – easy accessibility and instant connectivity first, security second – has exposed us to a multitude of potential cyber security vulnerabilities.
By 2020, according to IDC, there will be more than 30 billion connected devices – more than triple the current number, which already dwarfs digitally linked people. IoT will mean connected cars with an array of alerts about hazards on the road, and roadways providing data about traffic jams. Hospitals will be highly systematized, coordinating insights from healthcare providers across the country, and even from different continents, in the course of surgery.
Intelligent buildings will create new layers of security, and their heating and air conditioning systems will adjust automatically to the latest weather conditions and forecasts. This is the Internet universalized, embedded more deeply into every aspect of our lives, using volumes of data to automate what we humans don’t always get right.
But it won’t be possible to take human nature completely out of the mix. Recent IBM X-Force research on security issues claims that the IoT can drag in its wake a host of unknown security threats as hackers, fraudsters, and data thieves follow the scent of the immense volumes of data flowing through the IoT. In 2014 alone, 1 billion records of personally identifiable information (PII) were leaked, an increase of 20% from the previous year, when 800 million records were leaked. In addition, more than 9,200 new security vulnerabilities affecting over 2,600 unique vendors were discovered in 2014 – the highest single-year total in the 18-year history of X-Force reporting and a growth trend that may well continue as the Internet of Things expands.
Attacks on the IoT can sound like the stuff of a movie thriller, but they are very real. The highly skilled and organized cybercriminals of today have the potential to tamper with a car’s firmware to kill its brakes. Or to unlock a digital backdoor to a building’s security, shutting down lighting and HVAC systems, an entire manufacturing plant, or even a whole industry. If left unchecked, they have the power to control and shut down an entire city’s power grid. Or to disrupt an implantable medical device that someone’s life depends on.
The challenge of preventing these attacks lies in the sheer scope of the IoT as it rapidly evolves. Many of today’s manufacturers of “things” are new and small, with limited resources to invest in IoT security and protection.
In the absence of a shared worldwide vision to confront the IoT privacy and security challenge, every organization – regardless of industry, size, or mission – should found its IoT device and technology program on the following five building blocks:
1. Secure operating systems, which tap into the power of the cloud to securely update “over-the-air” and across untrusted connections (such as public Wi-Fi networks).
2. Unique identifiers for each device. Because “things” don’t directly interact with their users like traditional computers do, the ways we normally authenticate and verify a user (i.e., passwords and security questions) don’t apply. Especially when devices are interacting in a machine-to-machine (M2M) environment, they must be able to trust each other.
3. Strong authentication and access control, ensuring the user of the device is who he or she claims to be. As the number of devices we can connect to via the IoT expands, making sure that our passwords and authentication are as strong as possible is absolutely critical. For example, you wouldn’t want a thief unlocking your car with your weak “123456” password, and then driving it off.
4. Data privacy protection. Data traveling to and from devices in the IoT is often highly sensitive. If not properly protected, everything from financial and billing data to health biometrics could be exposed. Protecting data in transit and at rest with encryption is a critical part of the solution.
5. Strong application security. The market and product opportunities for the IoT are enormous, and manufacturers are rapidly moving new products and apps forward to both meet and create user demand. In this rush to market, however, fully building in security is an afterthought. We must not forget that a secure-by-design approach that includes thorough security testing and development is an absolute necessity – especially considering the data the IoT carries.
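To make building blocks 2 and 3 concrete, the following added example (not from the original article) shows one way devices without passwords can prove a unique identity to each other: each device gets its own key derived from its ID, and a verifier checks a single-use challenge-response. The class names, the device ID "sensor-001" and the symmetric master-secret scheme are assumptions chosen for illustration; a verifier that holds the master secret is itself a high-value target, which is why per-device asymmetric keys are a common alternative.

```python
import hashlib
import hmac
import secrets

def derive_device_key(master_secret: bytes, device_id: str) -> bytes:
    """Diversify one provisioning secret into a unique key per device ID."""
    return hmac.new(master_secret, b"device-key|" + device_id.encode(),
                    hashlib.sha256).digest()

class Device:
    """A 'thing' holding only its own ID and key, never the master secret."""
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self._key = device_id, key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce + self.device_id.encode(),
                        hashlib.sha256).digest()

class Verifier:
    """Peer or gateway that authenticates devices by challenge-response."""
    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self._pending = {}  # device_id -> outstanding single-use nonce

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)  # consume it: blocks replay
        if nonce is None:
            return False
        key = derive_device_key(self._master, device_id)
        expected = hmac.new(key, nonce + device_id.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    master = secrets.token_bytes(32)  # constructed sample secret
    verifier = Verifier(master)
    sensor = Device("sensor-001", derive_device_key(master, "sensor-001"))
    impostor = Device("sensor-001", secrets.token_bytes(32))  # right ID, wrong key

    good = sensor.respond(verifier.challenge("sensor-001"))
    results = {"genuine": verifier.verify("sensor-001", good)}
    results["replayed"] = verifier.verify("sensor-001", good)  # nonce already used
    verifier.challenge("sensor-001")                           # fresh nonce issued
    results["replay_new_nonce"] = verifier.verify("sensor-001", good)
    results["impostor"] = verifier.verify(
        "sensor-001", impostor.respond(verifier.challenge("sensor-001")))
    return results

if __name__ == "__main__":
    print(demo())
```

Because every device key is different, extracting the key from one compromised device does not let an attacker impersonate any other device.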
IoT devices will add convenience, save money, and even save lives; in fact, they are already doing so. But, if the rise of cybercrime in the last year is any indicator of the future, security should be treated as an indispensable pillar of the IoT, lest this trend continue. The accelerating importance of our increasingly connected world should also be an incentive to take a hard look at its vulnerabilities.