Understanding IoT Security

BehrTech Blog

An Interview with Dick Wilkinson, CTO, Supreme Court of New Mexico

The dramatic surge of IoT devices has transformed how we interact on a day-to-day basis. From industrial sensors for environmental monitoring and asset tracking to smart home sensors for lighting and leak detection, a plethora of IoT devices connected to networks are helping drive innumerable benefits for users. While the benefits of IoT are undeniable, security remains a primary concern for individuals and businesses. This week on the blog, we interview cybersecurity expert Dick Wilkinson, who provides insight on risks, prevention and predictions surrounding IoT security.

What is IoT security and what industries are most vulnerable to security threats?

I define IoT security as the process of making sure smart or connected devices only do what you want them to do, and they always work when you expect them to work. If you can achieve that, then you have secured your IoT devices. Of course, that is much easier said than done; even simple devices can harbor multiple serious threats to your overall network or environment.

Every industry is at risk from IoT threats. The highest risk of a headline-grabbing catastrophic failure exists in the critical infrastructure and medical fields. The most vulnerable, meaning likely to be attacked, products are the more accessible devices like home consumer or smart city devices that sit out in the open to collect information or provide surveillance through data and sensors. The risk from smart devices exists on a fluid spectrum and each use case presents unique threats with a different risk profile, even if the device itself is not changed from scenario to scenario.

What are the biggest security challenges in an IoT deployment?

People worry about the high number of devices and assume asset identification and management will be the hardest challenge. I would argue that monitoring and inspecting the traffic from these devices to know when you have an anomaly is a much harder and more valuable challenge to take on. Identifying anomalous, and possibly threatening, behavior from 200 devices is harder than just keeping track of them and where you put them.

What steps can companies take to better protect their IoT systems and devices?

My suggestion is to make a detailed deployment or use plan and identify all of the capabilities and possible configuration options of your new device(s). Do not take the device out of the box and immediately put it in service on your production environment. Just because the device is simple or serves a simple function does not mean that it is secure by design. Security features may exist and be disabled by default to ensure your new tech works easily the first time. Check every configuration option and disable functions or features you know you don’t need. Every input on the device is a possible attack vector; don’t leave open doors to your network, even if the doors are tiny or invisible.

How can companies better communicate their IoT security efforts to reassure stakeholders?

Right now, most stakeholders will be satisfied to know you are even thinking about security around your IoT devices. IoT security has been neglected and too much trust has been offered to these devices. Being aware that smart devices pose new risks and being able to communicate how you are assessing those risks is probably a great starting point to reassure any kind of stakeholder.

What predictions do you have for IoT security in the next 3-5 years?

IoT use is already exploding in almost every industry. I believe the trust that consumers have offered to these devices is quickly fading away. Both product consumers and government regulators are increasing scrutiny of smart devices and new cybersecurity standards will be published very soon. The market appeal of selling verified secure products and the government drive to regulate security into the production of smart devices will help drive down the risk of using IoT. Product verification for cybersecurity threats, not just functionality or safety, will become a standard requirement to enter the market with a new IoT product. Consumers will not tolerate insecure devices existing on the market 3-5 years from now.

Dick Wilkinson

CTO, Supreme Court of New Mexico

Dick Wilkinson is the Co-founder and CTO of Proof Labs inc. He is also a retired Army Warrant Officer with 20 years of experience in the intelligence and cyber security field. He has led diverse technical missions ranging from satellite operations, combat field digital forensics, enterprise cybersecurity as well as cyber research for the Secretary of Defense.  

The Evolution of IoT Device Security and Privacy

As the world starts to look beyond the COVID pandemic and a “return to business normal”, whatever that may entail, one thing that is certain is that businesses will continue to accelerate towards digital transformation. At the heart of many organisations’ push towards large-scale digitisation will be a continued acceleration in the deployment of Internet of Things (IoT) devices. With ever-increasing connectivity and volume of devices, we are fast approaching a world that will have between 70 and 80 billion IoT devices by 2025.

Whilst this growth brings numerous benefits across several business sectors and wider society, it will also inevitably change the way people carry out everyday tasks and potentially transform the world. Undoubtedly, IoT will play an important part in individual lives as well as corporate initiatives going forward. Whilst having the latest smartphone controlling a smart home is undoubtedly fashionable, smart lighting can actually reduce overall energy consumption and lower consumer and industrial electric bills and carbon footprints, and is therefore much more than a technological gimmick.

Technological advancements in the automotive sector will allow connected and increasingly smart vehicles to create a hyper-connected smart city where vehicles can connect to and “speak” to smart city infrastructures to create an entirely new operational ecosystem for the driver and town planner, as they plan how to move from point A to point B.

Indeed, at its fullest extent the ecosystem of connected smart cities will naturally evolve into connected healthcare. As the Internet of Medical Things (IoMT) evolves to remove the constraints of hospital and medical capacity through the creation of elasticity in the medical system, connected healthcare devices will provide society a deeper and fuller point of view of their own health, or lack thereof, than ever before.

However, as is the case in many areas of societal progress, there are trade-offs. With all of these benefits comes risk, as the increase in connected devices gives hackers and cyber criminals more entry points, and to the majority of society, the trade-off or risk to privacy is the greatest concern.

Over the past 2-3 years, there have been numerous reports of hacking groups attacking critical infrastructure, including a power grid in a region of western Ukraine, and hospitals in both Europe and the US, not to mention water plants in Israel amongst others. Unfortunately, these attacks are likely to only represent the beginning, as hackers seek to exploit the ever-increasing connectivity between connected business and connected consumers. As a result, the average consumer is becoming ever more concerned about their privacy, and whilst increasing regulation has sought to address this, placing a fundamental expectation of security and privacy by design into IoT device manufacturing and operations is critical.

So, what issues are businesses, society and consumers concerned about in relation to IoT device security and privacy as we move towards a truly connected world?

The first key issue to address is public perception and public confidence. Whilst technological advancement will inevitably continue unabated, this needs to be the first problem addressed. Regulatory statutes such as EU GDPR, SB 327, and SB 734 represent major steps forward; however, there remains a long way to go to address consumer concern. In 2015, Icontrol’s “State of the Smart Home Study” found that 44% of all Americans were “very concerned” about the possibility of their information getting stolen from their smart home, and 27% were “somewhat concerned.” With that level of worry, consumers would hesitate to purchase connected devices. Whilst progress has been made, it is unlikely that these figures will have drastically changed today, and if anything, the key trend is that security and privacy have become a fundamental buying consideration for many consumers and businesses that remains unresolved.

The reason for this continued reticence is that so many IoT devices remain vulnerable to hacking: researchers have been able, with relative ease, to hack into devices readily available on the market using relatively simple tools and limited time and energy. This is often because these devices have been manufactured with simple consumer connectivity and usability at the forefront of development, rather than enshrining the principle of security by design.

Security by design, an often-used but not so often understood phrase, describes a methodology that ensures IoT security, and indeed privacy, is a crucial objective at all stages of product creation and deployment. It addresses the challenge that, in many historic hardware deployments and instances of IoT design, security considerations were often included late in the design and prototyping phase. By prioritizing speed to market or other design considerations, security requirements can end up being added on. This approach has led to serious security breaches in the past, as IoT device security cannot be easily retrofitted.

The response can be summarised into 3 key steps required to establish a successful IoT device security and privacy strategy:

  • Security by design approach at the beginning of IoT projects
  • Trusted device IDs and credentials embedded during manufacturing
  • Lock IDs and credentials in secure hardware containers

However, this drive for consumer usability has inevitably left devices open to exploitation by hackers intent on breaching business ecosystems, which now extend to the devices installed in people’s homes. The question is, who is liable for any resultant security and privacy breaches: the manufacturer or the consumer? My guidance to manufacturers is that “caveat emptor” – buyer beware – is unlikely to be acceptable for legal consideration when such an event is tested in the courts through a somewhat inevitable future class action lawsuit for a global privacy breach, as so few companies themselves are confident that they have sufficiently robust defences to secure all IoT devices against hackers.

The challenge for manufacturing organisations has been the large-scale proliferation of, and demand for, IoT devices, which is largely being driven by end-user organisations seeking new data analytics advantages. IoT devices enable organisations and consumers to collect and aggregate data, and the sheer amount of data that can be generated is staggering. For example, a relatively small town of 10,000 connected homes is likely to be able to generate more than 150m discrete data points every day, which creates more entry points for hackers and often leaves sensitive information vulnerable.

These data volumes are created as consumers seek to leverage the simplicity of IoT, and in the very early days of IoT deployment companies have sought to collect user data willingly offered by consumers to make business decisions.  As an example, insurance companies might gather data about your driving habits through a connected car or personal fitness trackers, enticing consumers to offer these data insights through incentives, rewards or often discounts for the services.  However, at the point of purchase, did the consumer consider why there was such a willingness to offer such incentives?

Thankfully, consumer awareness is changing, and as individuals become ever more aware of their personal and family security and privacy, the need for manufacturers and big business to provide sufficient protection of consumer privacy will become greater. However, regulatory influence remains in its relative infancy, and it is therefore likely that IoT device security and privacy will remain a concern of individual consumers, businesses, and society for several years to come.

Mark Brown

Global Managing Director, Cybersecurity and Information Resilience (CSIR), British Standards Institution (BSI)

Mark Brown joined BSI on 1 February 2021 in the role of Global Managing Director of the Consulting Services, Cybersecurity and Information Resilience business and has more than 25 years of expertise in cybersecurity, data privacy and business resilience. He has previously held global leadership roles across industry and professional services, including tenures as Global CISO at SABMiller plc, and Global CIO/CTO at Spectris plc, as well as leadership roles as a Senior Partner at Wipro Ltd., and was also a Partner at Ernst & Young (EY) LLP.
Mark brings a wealth of knowledge including extensive proficiency on the Internet of Things (IoT) and the expanding cybersecurity marketplace as organizations grapple with digital transformation and addressing new technology that brings new business opportunities and risks.
Mark is internationally recognized as a leading authority on information resilience with a focus on cybersecurity and data privacy, presenting a focus on the way IT can enable business strategies, and currently chairs techUK’s Industry 4.0 Cyber Security committee, advising the UK Government on how businesses can be incentivized to safely adopt new technologies at minimal risk. Mark is also an elected member of techUK’s Connected Home Group and Medical Device Innovation Consortium’s (MDIC) 5G Enabled Medical Devices working group.

www.bsigroup.com

[Infographic] 10 Must-Know IoT Cybersecurity Stats

The Internet of Things (IoT) is taking the world by storm. From home thermostats and appliances, to city lights and waste bins, to industrial equipment and heavy machinery, more and more devices are now connected to the Internet. While the potential benefits of IoT are enormous, IoT cybersecurity continues to rise as a major threat.

Compared to the consumer sector, the industrial and commercial sectors are much more prone to cyberattacks. While the IT world is evolving faster than ever before, many legacy industrial systems are still in place without adequate security updates. On top of that, the lack of IT and cybersecurity experts, as well as of a coordinated security strategy within the organization, contributes to security vulnerability.

To give you an overview of the state of IoT cybersecurity, this week we’re highlighting the 10 must-know security stats for 2019 and where businesses stand in the fight against cybercrime. Rather than being discouraged by some of these numbers, it is important that businesses take proactive measures to better prepare themselves against cyberattacks. For example, adopting solutions with robust, built-in encryption and security features is critical, as are regular monitoring and continuous security patches to protect your IoT networks and systems throughout their lifecycle.

 
