Today’s enterprise understands the value of data. The ability to collect data related to performance and processes, and turn that data into meaningful business intelligence is a major driver in the adoption of technologies that connect objects to networks—the IoT or Internet of Things—in order to communicate back to an owner for the purpose of controlling, monitoring, or better understanding its operation.
The importance of the IoT is illustrated by estimates from Intel that there will be more than 200 billion connected devices by 2020 and that the value of those devices could reach $6.2 trillion by 2025. Yet even as industry plunges into IoT, concerns are rising over the security of connected devices, the networks they’re on, and the data they collect and communicate.
Those concerns were validated in October 2016 when the largest botnet attack ever recorded, made up of an estimated 100,000 compromised IoT devices, was used to cripple Dyn, a cloud-infrastructure services company, and disrupt numerous commercial website operations for companies like Netflix, Twitter, and many others. The Dyn attack was a perfect storm of device makers rushing to capture market share and IoT adopters rushing to take advantage of the devices’ capabilities—and neither giving security priority. The problem is that these devices are being developed and sold with unpatched operating systems and software, while users are deploying them without changing default passwords. Hackers are having a field day.
Security experts have been sounding the alarm on IoT security for years to little avail; but in the wake of the Dyn attack, enterprises are finally asking themselves, “How can we protect our IoT systems and data?” The answer starts with first understanding the four stages of IoT data and its movement, as I’ve described below.
Stage 1: The device is created
IoT data’s journey begins with the data embedded within the device. Whether it is the processes used to create the hardware, the sensors used to capture information, or the software developed to respond and react, the device itself needs to be protected. Because IoT devices are usually small, they have to be designed and produced at a reasonable cost. Protections built into devices on the consumer market may not be feasible at scale for commercial devices, so it’s important not to assume that security has been built in, especially for early-generation devices. And because the IoT ecosystem is still in early development, manufacturers and developers have not yet adopted common standards for security.
Stage 2: The device is activated
Once a device has been acquired, the user must install and activate it, thus beginning the process of the capture, creation, and communication of new data. This is when unexamined assumptions and a reliance on default settings can undermine security. It is vital that the enterprise approach installation and activation within an IT security strategy, ensuring that passwords, authentication, management, encryption, and other provisions are assigned before the device goes live. Once activated and connected, the flow of information can begin.
Stage 3: The device commences communication
Once the device is activated, it will create a flow of information along the IoT network based on its purpose. Some of that data may pertain to industrial controls, and some may be sensor data that requires aggregation and analysis. No matter how innocuous the purpose of the data seems on its own, the data and what it connects to should be treated as sensitive information and given appropriate security. Without proper security, hackers might be able to steal intellectual property, disrupt operations, or even weaponize data in order to sabotage equipment.
Stage 4: The device takes its place in your network
Even the addition of a single device requires interconnectedness with other components in your network: storage systems, third-party services, partners, etc. Typically, an IoT device will operate continuously. As the use of such devices proliferates, their interactions and multiple communication channels increase the security challenges involved. This interconnectedness across multiple channels takes us back to the question of how to protect the data.
There’s a very good chance that your organization’s experience with data protection in other areas (like BYOD, or bring your own device) has already given you a blueprint for addressing data security in the context of IoT. It’s critical that IT administrators consider that each new device added to the network is a point of vulnerability that could be used to infiltrate the network. Here are some steps to help protect IoT data:
- Implement authentication across services;
- Avoid critical dependencies on one system or set of systems;
- Encrypt all sensitive data, to avoid it being targeted while in transit;
- Practice good security hygiene, patching systems regularly and avoiding weak passwords;
- Make sure you have ample processing power and memory capacity to run devices properly;
- Review and test all Internet-connected systems and devices to better understand your potential attack surface;
- Review product specifications and policies with third parties to understand what kinds of data they collect and how they intend to use it; and,
- Consider data management tools like secure MFT (managed file transfer) or DLP (data loss prevention) services to ensure the safe transfer of data—and to proactively watch how data flows in and out of your organization.
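The Stage 2 activation step and the hygiene items above (default passwords, patching, encryption, authentication) can be enforced as a gate before a device is enrolled. The following is an added example, not code from the article or from Globalscape; the default-credential list, the 12-character minimum, the 90-day patch window and the device records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed sample of factory defaults; real lists come from vendor documentation.
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
MIN_PASSWORD_LEN = 12        # assumed policy value
MAX_FIRMWARE_AGE_DAYS = 90   # assumed policy value (patch window)


@dataclass
class DeviceRecord:
    device_id: str
    username: str
    password: str
    firmware_date: str   # ISO date of the firmware build currently installed
    tls_enabled: bool    # device encrypts traffic to its collector
    mutual_auth: bool    # device and collector authenticate each other


def check_activation(rec: DeviceRecord, today: str) -> List[str]:
    """Return the policy violations that block activation (empty list = OK)."""
    findings = []
    if (rec.username, rec.password) in FACTORY_DEFAULTS:
        findings.append("default credentials unchanged")
    elif len(rec.password) < MIN_PASSWORD_LEN:
        findings.append("password shorter than policy minimum")
    age = (date.fromisoformat(today) - date.fromisoformat(rec.firmware_date)).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware older than patch window")
    if not rec.tls_enabled:
        findings.append("traffic not encrypted in transit")
    if not rec.mutual_auth:
        findings.append("no mutual authentication with services")
    return findings


def gate(records: List[DeviceRecord], today: str) -> Dict[str, List[str]]:
    """Map each blocked device id to its findings; clean devices are omitted."""
    return {r.device_id: f for r in records if (f := check_activation(r, today))}


if __name__ == "__main__":
    # Constructed inventory: one unit still at factory settings, one hardened.
    inventory = [
        DeviceRecord("cam-01", "admin", "admin", "2015-06-01", False, False),
        DeviceRecord("plc-07", "svc-plc07", "Vh3k!9qLm2#Zt8", "2016-12-20", True, True),
    ]
    for dev, why in gate(inventory, "2017-01-15").items():
        print(dev, "blocked:", "; ".join(why))
```

Run the gate from the provisioning workflow so that a device still matching a factory default or an expired patch window never reaches Stage 3.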
It’s also important to regularly remind employees of their role in maintaining security with simple habits like using smart password practices, being aware of and vigilant against common “social engineering” techniques that hackers use, and providing information only to individuals on a need-to-know basis.
As IoT becomes more common, regulations and standards will evolve to aid in protecting IoT devices and data. The best possible results in this process are achieved when there is broad involvement from interested parties at all levels—from developers to security professionals, and especially from those in industries who use and depend on IoT devices. No single organization’s or individual’s relevant perspective should be discounted.
Let’s learn from recent history and take action now to ensure security is a priority in our world of interconnected things.
Greg Hoffer is vice president of engineering at Globalscape. He leads the product development teams responsible for the design and engineering of all Globalscape products.