IoT security: what to look for and how to move forward

The proliferation of Internet of Things (IoT) devices seems unstoppable. But what about security? Are we putting our businesses and societies at risk?

Personally, I am a fan of the Internet of Things and the opportunities it offers, both from a private and from a professional point of view. Doesn’t it make life easier if you can control devices remotely and analyze all kinds of related data? Isn’t there a huge potential for attractive business models, customer-centric services, savings, and new sources of revenue?

But at the same time, I find myself a bit reluctant to actually use it. I’m not 100% comfortable sharing private data with service providers. And even if I felt safe about sharing my data, I would still be concerned about uninvited third parties getting access to the data, the devices processing it, and maybe even about effects on my private network.

The question now is: if my personal concerns as a true fan are justified, then how much should businesses worry about deploying this technology?

IoT: latest business risk assessments

“Cyber incidents” ranked 3rd in the list of global business threats, according to the 2017 Risk Barometer published by the global insurance firm Allianz. This reflects an impressive and continuous climb since the 2013 study, when this risk was first listed and ranked 15th.

Of course, cyber incidents involve more than just the risks of hacking IoT devices. Nevertheless: “A single cyber incident, be it a technical glitch, human error, or cyber-attack, can lead to a severe business interruption, loss of customers and market share, as well as mid to long-term reputational and brand damage”.

The World Economic Forum emphasizes the same issue in its “Global Risk Report 2017”, in particular Part 3.1 “Emerging Technologies – Understanding the Risk Landscape”.

IoT on the risk map

Basically, there are two major threats:

  • Hackers can seize control of an armada of IoT devices. This enables them to attack corporate networks by, for example, flooding them with high volumes of bogus requests. There have been several recent cases where exactly this happened.
  • IoT devices form major gateways into corporate networks. The level of threat this represents increases significantly when their operating systems are not kept protected with security updates. In office environments, this can be safeguarded fairly easily. But in production facilities, systems are often operated for decades even though the manufacturer no longer provides updates for them.

What makes IoT devices unsafe?

Many IoT devices ship with a single default user name and a single default password. In many cases, this password cannot even be changed. This makes things unnecessarily easy for hackers. Many users are not aware of this, and once the technology is deployed, it’s too late to remedy the issue. It should therefore be a key criterion when sourcing new equipment and negotiating with providers.

Manufacturers of IoT devices should be expected to eliminate at least the easiest access routes. It’s also crucial that devices can receive system updates, and that those updates are verified through independent certificates. It’s up to the user, or the company looking to deploy such devices, to carefully scrutinize what a particular device can do and which security measures the manufacturer provides.

For established manufacturers of IoT devices, security ranks high on the agenda. For others, winning market share is the only driver and key priority. On the user side, awareness of the security concerns around IoT devices clearly must increase: some users show a complete lack of concern, and others have no visibility into which IoT devices are connected to their corporate network, how those devices are configured, or what their overall technical state is. This includes, for example, television sets in meeting rooms.

What can companies do to make IoT devices safe?

Companies need so-called “next generation firewalls” with additional functions such as intrusion prevention. These make intrusion much more difficult, because the system inspects the data packets exchanged between internal and external parties. Similar to anti-virus software, these systems look for patterns of malicious software.

In addition, application recognition makes it possible to ensure that only authorized employees can work with certain applications. The IP addresses a device may talk to must be restricted, so that devices cannot communicate with addresses controlled by hackers. Devices from different manufacturers deployed within a corporate network can be consolidated in dedicated sub-networks of the company’s own; this limits how far an intrusion can spread. By default, IoT devices should only communicate via HTTPS.
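As an added example (not code from the article), the following Python script shows how the three rules above, a dedicated IoT sub-network, a restricted list of permitted destination addresses, and HTTPS-only communication, can be checked against firewall flow logs. The subnet ranges, the vendor endpoint and the log lines are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed policy for a hypothetical, segregated IoT sub-network (not from the article).
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")       # dedicated IoT sub-network
CORP_SUBNET = ipaddress.ip_network("10.10.0.0/16")      # office / corporate network
ALLOWED_DESTS = {ipaddress.ip_address("203.0.113.10")}  # approved vendor endpoint (TEST-NET-3)
ALLOWED_PORTS = {443}                                   # HTTPS only

Flow = namedtuple("Flow", "ts src dst dport proto")

def parse_flow(line):
    """Parse one constructed flow-log line: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower())

def check_flow(flow):
    """Return the policy rules an IoT-sourced flow violates (empty list = compliant)."""
    if flow.src not in IOT_SUBNET:
        return []                       # only flows originating in the IoT sub-network are judged
    reasons = []
    if flow.dst in CORP_SUBNET:
        reasons.append("crosses into corporate sub-network")
    elif flow.dst not in IOT_SUBNET and flow.dst not in ALLOWED_DESTS:
        reasons.append(f"destination {flow.dst} not on vendor allow-list")
    if flow.proto != "tcp" or flow.dport not in ALLOWED_PORTS:
        reasons.append(f"non-HTTPS traffic ({flow.proto}/{flow.dport})")
    return reasons

def audit(lines):
    """Return (flow, reasons) for every logged flow that breaks the policy."""
    checked = ((f, check_flow(f)) for f in (parse_flow(l) for l in lines if l.strip()))
    return [(f, r) for f, r in checked if r]

# Constructed sample flow log: one compliant IoT flow, two violations, one corporate flow.
SAMPLE_LOG = """\
2017-03-01T08:00:01Z 10.20.0.15 203.0.113.10 443 tcp
2017-03-01T08:00:05Z 10.20.0.15 10.10.4.7 445 tcp
2017-03-01T08:00:09Z 10.20.0.22 198.51.100.77 23 tcp
2017-03-01T08:00:12Z 10.10.4.7 203.0.113.10 443 tcp
""".splitlines()

if __name__ == "__main__":
    for flow, reasons in audit(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}  {'; '.join(reasons)}")
```

Run against real exports, the same checks reveal the devices the article describes as invisible to their owners: anything in the IoT range that is talking to the office network or to an address the vendor never documented.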

These are all basic security precautions. In addition, companies must exercise due diligence to reach the best possible security level: businesses should run daily penetration tests to check the security and vulnerability levels of their own infrastructure. There are external providers offering such hacking services: following accepted professional practice, they try to break into corporate networks, identify weaknesses, and recommend improvement measures.

So, there is really a lot companies can – and should – do. But they also need to realize: there is only best-possible security – absolute security cannot be achieved.

More than just a business concern: impact on infrastructure

With advancing digitization, IT security will play an increasingly important role – both for businesses and society as a whole. The internet forms an essential part of the infrastructure that is used by companies and private parties alike.

This infrastructure is highly security-critical, and if it breaks down, the respective region or economy comes to a standstill. Security around physical infrastructure, for example road systems, is governed by the authorities of the respective state or country.

This makes it clear that government involvement is also required in the area of IT security. In Germany, for example, an IT security law is in place. It sets a framework for companies involved in critical infrastructure and calls for compliance with certain provisions. This mitigates certain risks, but overall it’s only a first step in the right direction. Much more is needed.

The role of governments for a sustainable future

Every internet user represents a potential risk, be it passively or actively. Who certifies IoT devices and ensures that minimum security standards for the internet, as an infrastructure, are met? Compare it to the launch of a power plant, for example: operational safety certification is required before operation can start.

What about IoT devices? No such thing exists. And if there were many unsafe devices in circulation that, for example, could potentially attack our energy networks, we would end up in a highly critical security situation.

It should be a precondition for manufacturers looking to bring new devices to market to have the equipment certified: requesting and receiving an independent certification that confirms security standards are met. Unfortunately, governments around the world are not agile enough and are struggling to keep up with the pace of technological development. We need much more involvement in this area.

Let’s get it right from the start!

I suspect that we will experience a major incident caused by a cyber-attack one of these days – maybe even this year or next. It doesn’t even matter where it will happen – for example in Europe, the US, or China. Such a massive incident will make major global headlines and as it so often happens, it may also bring about the required involvement and sustainable improvements that we’re in dire need of.

The Internet of Things truly harbors massive opportunities to advance both businesses and societies. Like many others, I am extremely keen to tap the full potential. But we certainly have much to do to establish the right frameworks. It’s crucial to get it right from the onset and now is the time to engage, raise awareness, and drive developments in the right direction.

How do you manage IoT devices in your organization? What is your view on this topic? I very much look forward to your views and comments on LinkedIn.