IoT can create serious security vulnerabilities, so what should you do?
Interconnected homes, smart refrigerators and digital assistants — all promising technologies that have come to fruition in the last 10 years. With the exception of the flying car, many devices that were once science fiction have become reality.
It’s easy to see why IoT is so appealing. Consumers have become accustomed to information at the tips of their fingers, in real time. As organizations across all industries embrace digital transformation as the means to deliver new benefits and competitive advantage, there is a danger of creating security vulnerabilities that could erase those benefits and, worse yet, jeopardize their business.
An open window to the internet
When shopping for a home appliance, like a toaster or TV, it is getting harder to find one without a Wi-Fi connection or Bluetooth. Despite the quickening embrace of technologies that provide modern convenience, in many cases there are lurking security vulnerabilities to consider.
This isn’t to say that adopters of these devices should halt in fear, but consumers must educate themselves and understand basic protection. The easiest way to think of these devices is as windows into the internet. When people go on vacation, they don’t leave the windows of their home open; they close and lock them to protect against intruders. The same considerations should be made when connecting new devices in your home. If one of these new devices is compromised, everything else that it touches is at risk.
Evolving risk
The risk of connected devices doesn’t end in the home. The U.S. and global population are seeing a rise in the remote workforce, people working entirely or partially from home. This connected workforce poses more risks to both homes and employers. Imagine a hacker exploiting an unchanged default password on your latest connected IoT gizmo and eventually nesting some malware onto your company-issued laptop. Because this laptop travels with you and connects to multiple networks, the malware can travel and spread with relative ease.
Today’s enterprise IT and OT teams are scrambling to make sure they know what devices are connected and to adjust their defenses appropriately. Even the most innocuous connected device can provide a path into a valuable resource, as the operators of a casino in Nevada found out when their high-roller database was compromised through a connected thermometer in a lobby fish tank.
PKI can, and will, help
So how can we address these issues with IoT connectivity and security? Well, you can’t manage what you don’t know about, so device discovery is an important first step. Once you know a device is on the network, a few of the important fundamentals are authenticating it (i.e., proving its identity), keeping it updated with security patches and updates throughout its lifecycle, protecting the data it collects and transmits, and monitoring its behavior. Existing, proven technology like public key infrastructure (PKI) is ready and able to play a key role in authentication by issuing unique identities and digital certificates to devices. It is also the linchpin of secure code signing systems that can ensure the authenticity and integrity of the security patches and other updates that devices need, which is important because unsecured update mechanisms are a quick and easy path in for malware. Finally, PKI techniques enable the negotiation and creation of encryption keys to protect IoT data at rest on devices, in motion on networks and in its ultimate storage location.
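The update check described above, as an added example in Go (not code from the article or from any vendor): a device that pins its vendor's root CA accepts an update only if the signing certificate chains to that root with the code-signing usage and the signature covers the exact firmware bytes. The in-memory CA, the certificate names, the choice of Ed25519, and the helpers issue, verifyUpdate and demo are assumptions made for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and certificate (constructed demo PKI); a nil parent yields a self-signed root CA.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil { // self-signed root CA: signs certificates, never firmware
		t.KeyUsage, t.ExtKeyUsage, parent, parentKey = x509.KeyUsageCertSign, nil, t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyUpdate is the device-side gate before flashing: trusted signer first, then the signature over the bytes.
func verifyUpdate(root, signer *x509.Certificate, firmware, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root) // the only trust anchor is the root pinned at manufacture
	if _, err := signer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	if pub, ok := signer.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, firmware, sig) {
		return fmt.Errorf("signature does not match firmware")
	}
	return nil
}

func demo() (genuine, altered, unknown error) {
	root, rootKey := issue("Example Vendor Root CA", 1, nil, nil)
	signer, key := issue("Example Firmware Signer", 2, root, rootKey)
	other, otherKey := issue("Unknown Self-Signed", 3, nil, nil) // not issued by the pinned root
	fw := []byte("constructed firmware image v1.2")
	sig, otherSig := ed25519.Sign(key, fw), ed25519.Sign(otherKey, fw)
	return verifyUpdate(root, signer, fw, sig), verifyUpdate(root, signer, fw[1:], sig), verifyUpdate(root, other, fw, otherSig)
}
func main() { fmt.Println(demo()) }
```

The third case carries a mathematically valid signature and is still rejected, because the check on who signed the update runs before the check on what was signed.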
PKI, specifically the creation and injection of keys and digital certificates into devices, helps device makers guard against counterfeiting and provide eventual device buyers assurance that they’ve received the device in an initial, verified state. Although its role is typically “behind the scenes,” the majority of enterprises deploy PKI to help secure their most important enterprise applications — sometimes 10 or more different applications. A recent report found that IoT is the fastest-growing influence on PKI planning, indicating the pivotal role it will soon play.
So, where do we go from here?
PKI is well positioned to address some of the fundamental issues of security and trust in IoT — not all of them, but some of the pretty important ones. If you can’t trust the devices and the data they produce, all those benefits that you charted out for your IoT projects might never come to fruition. The best approach is to understand the risks an IoT project poses to your business and choose proven security protections of a strength that matches the risk. And don’t get caught in the trap of thinking your IoT device isn’t a threat just because of what it does; it can simply be the entry point to a more interesting — and dangerous — destination.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.