Each day, thousands of new devices are connected to the IoT (Internet of Things) including cars, home thermostats, smart meters, medical devices, and much more. These connected devices are transforming and improving our lives, and at the same time, opening potential access points for a variety of cyber security threats. Gemalto’s vice president of M2M Solutions & Services, Laetitia Jay, recently discussed the company’s M2M and IoT security strategy and approach with Connected World magazine’s Editorial Director, Peggy Smedley.
SMEDLEY: Can you give me an overview of Gemalto’s position on security as it relates to M2M and IoT businesses?
JAY: As more and more industries and individuals are adopting M2M and IoT technologies, security concerns are growing. A recent VDC Research survey revealed that almost 70% of OEMs (original-equipment manufacturers) indicate security is important to their designs. However, only about 30% of those respondents indicated that they made changes in people, process or tools to improve security. Unfortunately, security remains an afterthought exposing implementers to enormous risks—both financial and to brand reputation. It’s much more expensive to fix a security breach after the fact versus planning for it in advance and designing systems that mitigate risk. And the damage done to a brand’s reputation is long lasting and extremely costly in terms of lost profits, customers, and new business opportunities.
It’s never been more important to consider and plan security architecture at the very beginning of design and development, identifying risks specific to individual use cases and mitigating those risks through secure product design and best practices. The goal in planning overall architecture is to secure what needs to be secured at the right level and price point for each individual business case. The good news is we are beginning to see this dynamic in motion, especially in highly regulated industries where the public and private sectors are working together to lay a foundation for a more secure IoT.
For instance, the energy market is moving to smart metering gateways that tie into next generation home automation systems, and down the road, these will tie into smart grids. Some consumers fear utilities are intruding into their private lives. The big question for the end user is one of data privacy and how personal information about energy consumption is being guaranteed. They want to know how data is being used by the smart energy manager. And utilities and smart energy managers want to ensure the infrastructure is secure and protected against system intrusion that could lead to fraud by consumers or damage to the overall smart energy infrastructure.
The automotive industry is also facing unique security concerns with regard to connected vehicle systems. For decades, vehicle telematics were closed systems exchanging data between the vehicle and the OEM or automaker. But in today’s connected car environment, infotainment, mobile Wi-Fi and other features are opening connections to the outside world. OEMs and car manufacturers need to ensure that new features don’t become open back doors to the connected car infrastructure. The future of the transportation industry will rely on communication and security between cars and traffic light systems, road signs, navigation applications and even other vehicles. Infrastructure must be designed to protect and secure the vehicle, its systems and backend IT server from end users, and at the same time, protect end users from the vehicle’s backend system and other stakeholders and ecosystem players.
The healthcare industry also needs to address data privacy for a variety of different stakeholders. For instance, doctors need to have access to all of the medical information gathered by devices such as connected heart monitors or glucometers. The administration staff only needs information for records and compliance reporting. Meanwhile, the insurance company only needs data that ensures devices are being used properly for patient safety. The challenge is in ensuring each group has access to only the data needed and that patient safety and privacy is maintained at all levels.
SMEDLEY: How does all of the cybercrime that we’ve been talking about damage our trade, our competitiveness, innovation, and global economic growth in general?
JAY: The consequences of cybercrime are enormous and often very difficult to calculate. When breaches occur, the damage to trade, competitiveness and growth is far-reaching. For the companies and people involved, there are always hard costs for repairs, new computers, advanced security updates, plus legal and communications expenses. There are also secondary costs for lost or slowed productivity, lost revenue from stolen assets and/or leaked intellectual property such as music, books and movies. The cost of damaged brand reputation is impossible to pinpoint and just as difficult to recoup. When people lose trust in a brand they often abandon the brand and decide to “shop elsewhere.” Perhaps the greatest damage cybercrime causes is the loss of faith in using technology, in brands and in the growing IoT.
SMEDLEY: How has the Sony hack and others finally awakened corporations? Or do we still have a lot of work ahead of us when it comes to understanding our security needs?
JAY: The recent wave of cyberattacks from Target to Home Depot and Sony Pictures has moved awareness of hacks into the mainstream. People are beginning to understand that breaches are inevitable and it is not a question of “if” an attack occurs, but when. And more importantly, what happens when an attack occurs? OEMs, businesses, and consumers alike must accept cybercrimes as a fact of life and move on to planning how to secure and protect data even when breaches occur. Recent attacks have become more invasive and personal with documents like consumer credit cards and social security numbers being leaked. There is increasing demand from consumers that developers and businesses get serious about data security. People are beginning to consider corporate security policy when making purchasing decisions and before they hand over their credit cards. The companies with a security strategy and architecture in place give consumers the confidence and trust needed in today’s increasingly digital world.
SMEDLEY: Who’s really the target of all these hacker attacks and who should be properly prepared to prevent them?
JAY: The target of cyberattacks differs from case-to-case and ranges from corporations, to individuals to governments and social groups. There is no need to live in fear of cyberattacks because we have the security technology to mitigate today’s most sophisticated attacks. However, everyone needs to take part in prevention – OEMs and developers, multinational conglomerates and small business and even individuals. OEMs and businesses must consider and plan an evolving security architecture from the onset of solution design. Implementers need to seek security consulting from trusted partners that evaluate risk and security architecture from every angle and endpoint. And individuals need to educate themselves about risks and use mobile networks and digital technology wisely taking proper precaution when shopping online and using social networks.
SMEDLEY: Are there certain best security practices companies should be following?
JAY: All companies should consider end-to-end security architecture at the very beginning of any new project or implementation and design systems that can evolve over time. If new threats crop up, security architecture must be robust enough to address issues as they arise. For businesses with systems already in operation, security architecture consulting is a key best practice for mitigating risks and reducing threats.
Best practices for security consulting include a thorough risk evaluation that examines the impact of a security breach for each business asset, M2M device, and IoT end point. From there, businesses need to understand the security impact and likelihood of an attack at each level. Security consultants should provide visibility and probability of financial or reputation damage on a case-by-case basis. Businesses need trusted security experts to provide a list of recommendations to increase security to the proper level for the business case. When it comes to digital security architecture, there is no such thing as one size fits all. Each business case must be considered uniquely and a solution designed that secures only what needs to be secured and to the right level.
SMEDLEY: How do you balance the risk and the rewards of a connected society when there are always bad guys trying to do harm to our systems, infrastructure?
JAY: Balancing the risk and rewards of a connected society is Gemalto’s precise value proposition! The key is in applying trusted expertise and experience to anticipate the risk of each and every potential threat, and then designing an infrastructure that is tailored to fit the risk.
Security is always a matter of balancing investment and threats; that is why security strategy has to start with assessment of those threats and the overall security infrastructure. It’s about risk evaluation and assessing the appropriate countermeasures and elements of trust and security that must be included in the infrastructure. Gemalto addresses varying levels of security with a wide variety of solutions, from our software-based security, to IT-based security to our tamper-resistant secure element.
SMEDLEY: What should the security discussion be focused on now? Data, infrastructure? All of it?
JAY: The security discussion should encompass all of it. But there is no need to focus on fear of breaches. The security discussion needs to be focused on expert risk assessment and security architecture that protects solutions, businesses, and individuals at the right level to the risk of threat.
SMEDLEY: Is there anything we haven’t talked about that we should be thinking about and examining?
JAY: There is always more to think about with security! One thing is certain, tomorrow, a new threat will arise. This is why security infrastructure must be able to evolve over the long life span of connected objects. Gemalto offers this capability allowing stakeholders to be ready today for the hacks of tomorrow.