When the automobile first hit the road, it lacked some features that we take for granted today, like a reverse gear, headlights and seat belts. People were excited about how automobiles revolutionized the way humans got from point A to point B. Like any invention, features were added and shortcomings were tweaked in later versions.
Cars have come a long way since their first iterations. Today, many boast internet-connected systems and some even drive themselves. Like watches, refrigerators and thermostats, cars have become part of the Internet of Things (IoT).
Much of the national conversation about the IoT has centered around connected consumer devices. Most businesses don’t think about the cybersecurity settings of their photocopiers, yet 2016’s Mirai malware used hundreds of thousands of IoT devices to create a botnet that took down popular proxy server Dyn, and with it, nearly one third of websites globally. In security terms, this barely scratches the IoT surface.
The near-ubiquitous use of IoT devices and connected sensors in manufacturing, healthcare, transportation and utility settings means that a broad swath of the global economy’s critical infrastructure is increasingly vulnerable to these attacks. For any company that’s designing and selling internet-connected devices, it’s imperative that security is built in from the ground up.
Hang back or forge ahead?
With any new popular technology comes uncertainty. Some businesses are unsure about the extent to which they are affected by IoT security issues. As a result, many are holding off on implementing connected technologies. Forrester predicts that security concerns will choke the growth of IoT adoption in 2017.
What is clear is the fact that the IoT is here to stay, and it has the potential to deliver significant benefits. The federal government has created multiple IoT-based initiatives, including the General Services Administration’s (GSA) Smart Buildings initiative. Its goal is to modernize federal government buildings via connected technologies to improve their energy efficiency. This initiative is estimated to save $15 million a year in energy costs.
Virgin Atlantic provides an example of how IoT devices are being integrated into business for safety purposes. The airline’s new planes have internet connections in almost every part, from the engine to the flaps to the landing gear. Each plane will produce more than half a terabyte per flight, and that data will be used to detect mechanical problems before they occur.
Neither government buildings nor an airline will tolerate insecure IoT devices; there’s just too much at stake. However, a secure IoT solution lets businesses gain valuable new insights and efficiencies while protecting their data and infrastructure assets.
For any IoT device manufacturer, security must be part of the design from the start. While it is (relatively) easy to design and ship an IP camera, for example, the ease at which one can be hacked from factory settings makes installing one an unacceptable risk factor to the network – and a customer’s business. Of the 5,000-plus enterprises surveyed for AT&T's Cybersecurity Insights Report, 85 percent are in the process of or intend to deploy IoT devices, yet only 10 percent of that number feel confident that they could secure those devices against hackers.
The reality of IoT security-related issues has not gone unnoticed by regulators. In January, the Federal Trade Commission filed a complaint against router giant D-Link, charging that the company had deceived users on the security of its products and failed to take steps to secure those products appropriately. This case has become a bellwether because the complaint was brought in response to the vulnerabilities themselves, not because of a breach exploiting those vulnerabilities. This is a sign that regulators are taking a more aggressive stance in demanding that connected device manufacturers take clear and sufficient steps in securing their products.
Five steps IoT device manufacturers can take to strengthen security
Have a game plan:
Take steps to incorporate security at the onset of the design process. How does it connect to the network? Make sure encryption is involved. Is it booting securely? Are you building security into any embedded applications? It’s easier to make security part of the design process rather than bolting it on later.
Don’t ship connected devices with factory settings – a mistake that so many others have made. Give each device a unique password, and print that password on a sticker that’s included on the device itself. This significantly reduces the chances of compromise.
Consider the context:
One method does not fit all. WiFi is good for fast deployments. But for wide-scale installations in specialized vertical network environments, like manufacturing or healthcare, consider using one of the many specialized communications protocols that are available to your engineers. Do all functions need to be performed on the device or can some be punted back to the network? Minimizing the need for the device to perform all functions and be connected to all traffic all the time can also reduce its threat exposure.
Carefully consider open source:
Open source IoT software is easy, cheap and flexible, an attractive option for IoT startups looking to get product to market quickly. Yet security flaws can be exploited rapidly, and patches are often slow in coming. IT teams therefore should be aware of the risks in using technologies that are based on open source code.
Attract and train the right talent:
A job ad asking for an IoT professional may attract 10 people with 10 different backgrounds. Instead of using the confusing buzzword “IoT,” think about what your company does with connected devices and the specific skills it needs to design, manage and deploy those applications, systems and devices securely. Looking for and training people with IoT certifications is a way to validate those skills.
Securing all the things
The IoT has irrevocably changed how we interact with technology and how we do business. Yes, security risks abound, but this genie can’t be put back in its bottle. Instead, take a sober-minded approach that incorporates security with all business processes so that your customers can feel confident in their digital transformation. When they win, you win – and would-be hackers lose.
By Cara Sloman, executive vice president, Nadel Phelan, Inc.
Image Credit: Chesky / Shutterstock