Widely regarded as the hottest topic in high-tech, the IoT (Internet of Things) is attracting the attention of countless enterprises and organisations across an equally diverse array of industries.
All are looking to exploit the potential of a world in which machines as well as people enjoy 24/7 connectivity. However, as is always the case with an innovation, security concerns are top of mind for both consumers and businesses.
Too often, protection is seen as a cost rather than an investment. As a result, if the correct precautions and policies are not put in place, many organisations could find themselves dealing with far-reaching and serious repercussions that include breaches of sensitive business and customer data, fraud, disruption to services, and long-term damage to corporate and brand reputations.
The IoT opens up a world of possibilities, but the very nature of IoT applications also makes them vulnerable to cyber-attacks. Indeed, in terms of grabbing headlines, hacking is one of the few stories that can rival the IoT for media coverage across all sectors. Whatever drives these attacks, over time it is inevitable that these hackers will develop more sophisticated techniques.
In developing an effective response, risk assessment is the obvious first step. The key here is always to see IoT applications in their true context. In particular, it should be recognised that successfully hacking an apparently minor element of the infrastructure can potentially open the door to the entire network and its central data storage facility.
Take, for example, a system designed to remotely monitor the maintenance requirements of an elevator in an office block. The risk assessment should identify if it is a wholly discrete, standalone solution, or in fact linked to wider building networks that might include not just facilities management, but also the systems of any organisations resident there. If it is the latter, then clearly the potential risks are much greater. The assessment therefore needs to take into account the number and nature of the businesses concerned – and the damage that might be caused to them by a security failure.
The willingness and ability of stakeholders to address IoT security issues varies greatly from industry to industry. Inevitably, some are inherently more attuned to the potential risks arising from any new technological development, regardless of how exciting the commercial prospects are.
In the automotive industry, for example, the ‘Connected Car’ opens the door to a myriad of potential new services and revenue streams. However, it is a sector where the safety of users has long been paramount and where security is addressed as a key part of successful deployment.
The domestic energy supply industry tends to represent the other end of the spectrum. The various plans for deployment of smart grids in Europe are probably the most ambitious IoT projects to date. However, most utility companies simply do not have the experience, expertise or perspective that would prepare them for securing a network of intelligent wireless sensors across virtually every household in a country.
The need for case-by-case risk assessment underlines the fact that there is no ‘one size fits all’ solution. However, there are undoubtedly broad principles that need to be consistently applied.
In practice, these can be expressed in just a single word: trust.
Trust and the IoT
We live in an age when consumers are growing ever more enthusiastic about the ability of mobile devices and Internet connectivity to make life simpler, more efficient, and more fun. But willingness to share sensitive data (for example, in the form of mobile banking) is tempered by acute awareness of the threats within the digital domain. To commit to these new channels of communication, trust needs to be established and maintained.
Each element of an IoT system represents a point of vulnerability, so trust must be embedded in all of them: the device/machine, the network, the data itself, and the cloud platform on which it is stored. Equally, while security strategies should be tailored to the unique characteristics of each application, the fundamentals of an effective approach are common to all: authentication/identification, confidentiality, integrity and non-repudiation – incontrovertible proof of the validity and origin of all data transmitted.
At first glance, these broad goals may seem a daunting challenge to enterprises with little or no relevant experience. However, the principles and techniques demanded in the IoT sector are already being used as a matter of course in industries such as payments and mobile communications.
For example, in a payment card transaction, the device (card) identifies itself with data stored in a secure environment (the chip), and is verified by a PIN. Transmitted data is encrypted to protect it from fraud. As a result, the widest possible range of stakeholders – consumers, banks and merchants – has the confidence to commit to the ecosystem.
In terms of the opportunities to deliver new services, standards and revenue streams, the IoT genuinely merits the hype and headlines currently being generated. However, it is equally true that amidst this whirlwind of enthusiasm, serious pitfalls are being ignored. At the most basic level, enterprises and organisations simply need to recognise that security is an important issue. Working on the basis that whatever can be hacked, will be hacked, solutions that provide effective protection for stakeholders must be built into the DNA of every application, not bolted on as an afterthought.
As demonstrated in our infographic above, our four superheroes are proof that relevant answers are readily available.
In order for IoT deployments to truly fulfil their potential, those behind them need to appreciate that success ultimately rests in creating ecosystems that are as dynamic as they are trusted – and as open and accessible to new providers and end users as they are resistant to the myriad of threats that now occupy cyberspace.
Manfred Kube, Head of M2M Segment Marketing, Gemalto