The Internet of Things (IoT) and emerging security concerns
Despite organisations increasing their cybersecurity budgets, the variety and number of cyber-attacks have continued to grow, with the most recent example of ransomware attacks ‘WannaCry’ and ‘Petya’ rattling both private and government organisations in over 150 countries.
The advent of the Internet of Things (IoT), in less than a decade, has added to the complexity of cybersecurity due to the heterogeneous nature of IoT devices and a lack of unified standards.
Our networks are expected to grow to a staggering 50 billion[1] connected devices, mostly IoT, with $7.1 trillion[2] worth of spending by 2020. The addition of billions of devices into our existing networks has triggered a push for private and government organisations to develop, deploy and manage IoT. We are therefore seeing the increasing deployment of IoT towards industrial and smart city applications such as services, transport, healthcare, environmental protection, and emergency services.
In the research community there is a lot of attention about the interoperability and connectivity standards for IoT, as well as some focus on IoT security, privacy, availability and robustness, yet security remains an open problem.
The tremendous amount and value of data generated by IoT systems attracts a variety of attacks. As IoT security is still evolving there is the high likelihood of breaches along with residual risks associated with IoT, due to wireless communication being the primary media, and also the fact that IoT devices have inherent limitations in computational processing, power and storage. Complex security techniques are not viable.
However, users are encouraged to adopt IoT applications with a wrong sense of security. Many IoT devices are not manufactured with security in mind. For example, a router installed in a smart home will have some level of security in place but a climate control unit or a smart gaming console in a child’s hand may not have been secured. In this example, if we hand over security settings to a child they may innocently reveal them to the wrong person, the security of the entire home may then be compromised.
The vulnerability comes from the weakest link in the network, most often people and weak processes. Even if all devices are secure, there is some possibility that secure practices will not be followed, such as setting easy to guess passwords, lack of controls or lack of awareness about security issues on apparently simple devices.
The internet was not invented to be a controlled system, yet it is a backbone for every device capable of connectivity, making it open to global attacks from both skilful individuals and organised groups. The benefits of a globally connected system are enormous, but it also comes with a dark and ugly side too. This provides anonymity to those with skills and capabilities and allows for the indefinite time to break/hack into our secure systems, whether for thrill, financial gain, industrial espionage, narcotics, child pornography, harassment, financial scams, spying, terrorism, leakage of classified information. We cannot imagine a crime these days where some sort of technology is not used. Globally connected systems such as the IoT has made it easy. In fact, connected systems have introduced even greater sophisticated white-collar crimes, such as financial frauds, information and identity theft, and infiltration of corporate data.
This realises the need for a holistic security approach, both at the individual and corporate level, starting at access control. Multiple layers of access, to reduce the exposure of data to an acceptable level, would improve security. At the individual level IoT security risks should be addressed at the same level as physical security. For example, if we ensure our doors and windows are locked, CCTV is turned on and intrusion detection alarm is activated, we need to ensure that a connected device in our child’s hand has comparable security. Similarly at corporate level, senior executives need to weigh risks of IoT threats by answering questions such as: What are the IoT security risks to their organisation and customers? How effectively are those risks managed? How regularly are the risk management plans tested? How efficiently can we respond to a threat?
[1] D. Evans. 2011. The Internet of Things: How the Next Evolution of the Internet is Changing Everything.
[2] C. MacGillivray, M. Torchia, M. Kalal, M. Kumar, R. Membrilla, A. Siviero, Y. Torisu, N. Wallis, and S. Chaturvedi. 2016. Worldwide Internet of Things Forecast Update, 2016-2020. IDC Research.
Dr Tanveer Zia is Associate Head of CSU’s School of Computing and Mathematics in Wagga Wagga and has research interests in biometric security, cyber security, cloud computing security, information assurance, protection against identity theft, trust management, and forensic computing.
Alan Douglas
September 7, 2017 at 3:48 pm
Dr Zia states quite correctly that security can be improved with multiple layers. The US military introduced this concept right at the beginning with a concept I think was referred to as the Onion. The idea was that the military could use one layer whilst business and the general public used another one. Whilst the idea was good, it has been taken over by criminal organisations and forms what we now refer to as the dark web where anything is available to those with the correct passwords. Even our police find it very difficult to search this area which is closed to, I think, all search engines. In order to gain entry one must know someone with an entry code. It seems that anything can be twisted to evil intent.