A Deep Dive into the Security Aspects Around IOT

IOT security

The very essence of connectivity across devices and sensors in IOT makes it prone to security vulnerabilities. The increasing trend to add layers of intelligence by augmenting edge data through endpoints and sensors augments the privacy and data confidentiality risks.

Key security concerns
The Internet of Hackable Things is considered a deeply intensive study that looked at the various issues plaguing IOT security. The problem is especially pronounced in smart homes and buildings and in connected healthcare infrastructures.

Some of the interesting insights that came out of the study are –
1 – 9 out of 10 devices on an average collected some form of information through the device
2 – 8 out of 10 devices and cloud components didn’t come with a strong password
3 – 7 out of 10 devices had poor security set up, which enabled a hacker to employ enumeration and identify valid user account details.

In addition to these worrying stats, the study found that 70% of devices used unencrypted network services.  

The study pointed out to dangerous vulnerabilities in smart equipment like CT scanners and Implantable Cardioverter Defibrillators (ICDs). Even with smart homes, there have been cases where parents were shocked to discover that intruders hacked into connected baby monitors to speak to their children.

Potential reasons for security risks

1 – Pressure to perform
Shortening time to market and increased pressure to cater to a fast-growing sector means that security is often an overlooked aspect. This is similar to the early days of Android or iPhone app development where security used to take a backseat till KRAs like user engagement or user base started dropping.

2 – Disparate players in the ecosystem
The problem becomes magnified when there are third-party touchpoints that are needed to build and deploy an impactful IOT ecosystem. The range of device OEMs that add connectivity, sensors, and data transmission protocols to a host of devices ranging from CT scanner to smart TVs (all of which are in turn, manufactured by different companies). So unlike, Android or Windows, there is no single company like Google and Microsoft that can adopt and implement high-performance security standards into the entire ecosystem.

3 – Security Maturity
Some of the key IOT devices that a 2015 Capgemini study found most vulnerable to cybersecurity threats include  
1 – Wearables – 50% of respondents rate it high on resilience to cyber attacks
2 – Smart Metering – 50%
3 – Industrial Manufacturing – 47%
4 – Automotive – 35%
5 – Home automation – 18%
This clearly shows that respondents don’t believe that the existing security implementation is adequate. A mature security framework is needed to bring down this worrying figure.

4 – Large landscape to be protected
IOT, in general, tends to bring a large number of disparate systems into play. This leads to multiple points of vulnerability. These include IoT product, the software, and data being transmitted or stored. It also includes data centers where analytics happen and endpoint devices. Securing all these systems together under a common IOT security protocol might be challenging.

Recommended redressal mechanisms

1 – Secure boot
This IOT security solution uses cryptographic code signing mechanism. This makes certain that a device only executes by scripts generated by the authentic OEM device. This step prevents an unauthorized breach and attempts to replace OEM firmware with malicious versions.

2 – Authentication
Every step in the data transmission or connection of IOT device to the sensor or network needs to be authenticated before sending or receiving data. With edge devices especially vulnerable to hacks, this step can go a long way in protecting the overall IOT set up. Popular techniques involve Secure Hash Algorithm (SHA-x) or Elliptic Curve Digital Signature Algorithm (ECDSA). Using data encryption, this IOT security measure can be further strengthened.

3 – Lifecycle management
Smart lifecycle management ensures real-time security for connected devices when the data is in transmission between sensors, edges, and networks. Even in case of downtime, OTA device key replacement can ensure business connectivity. Further, if a device is depleted or sensors are scrapped, then device decommissioning protocols must be applied swiftly to prevent threats of exploits.   

To sign off – An emphasis on security as a culture rather than an instance

A key missing piece in enhancing IOT security is the security culture. This culture is nearly non-existent in current IOT configurations. An integration of human behavior and data and algorithms can help build a profitable security culture. This way, security is not considered as an after-thought but becomes a vital factor in every stage of the IOT architecture design, development, deployment, monitoring, and analytics. 

Post a Comment