We’re probably all familiar with Gartner’s much-quoted forecast that, by 2020, there will be 20 billion connected devices in operation globally. As this prediction looks set to become a reality, it’s clear that the connections between people, places and things have never been closer, faster or more numerous than they are today. The expanding landscape of IoT is fuelling the growth of smart-powered services in both public and enterprise arenas, creating benefits for consumers and society, as well as significant opportunities for businesses operating in today’s digital economy. However, a pressing question remains, one that affects all parties involved in the IoT: are we applying the appropriate technology to safeguard the future of the connected world?
Security has traditionally been, and to a great extent still remains, an afterthought rather than being integrated at the point of design in many of today’s smart or connected devices. Organisations can no longer afford to neglect their responsibility to establish the levels of digital trust needed to safeguard the IoT. Examples of cyber criminals exploiting lax security have become a media staple over the past 12 months. One example last year was Dyn, a company that controls much of the internet’s domain name system (DNS) infrastructure. It suffered an attack that brought down sites like Netflix, Twitter and Reddit in Europe and the US – the largest of its kind in history. Another high-profile story was the reported surveillance plans by the CIA which target smart TVs. Safety measures can be implemented to mitigate hacks, but cyber criminals are always one step ahead, adjusting their tactics continually. For instance, reports emerged in March of this year that a new variant of Mirai malware had been identified by researchers at a US college, which suffered a 54-hour DDoS attack. Again, it was weak IoT devices that were to blame, with hackers infiltrating the college network through poorly-secured CCTV cameras, routers and DVRs.
Security breaches of this type will only increase going forward as more – similarly vulnerable – devices enter the marketplace. The US college in question will likely have to deal with data privacy issues as a result of the recent attack. However, as this ecosystem develops to encompass industries like healthcare, agriculture and energy, we’ll be looking at more far-reaching and serious consequences of insufficient security practice. For example, in healthcare, doctors can use IoT devices that are wearable, temporarily ingested, or even embedded in the human body for medical treatment, medication, or even general health and wellness. Unfortunately, cybercriminals could potentially exploit vulnerabilities in these devices to steal sensitive patient data or, even worse, cause physical harm. Although targeted attacks on individuals are unlikely, only last year Johnson & Johnson warned patients over a security vulnerability in one of its insulin pumps. Lack of adequate security for the IoT could also lead to compromised food production, critical infrastructure, failure in global financial systems or even power outages.
Digital trust is key to IoT success
The IoT has the potential to drastically change the lives of consumers and businesses alike. However, it also introduces significant challenges in ensuring secure provisioning, management, and monitoring of those devices and services at scale. Therefore, it’s now vital to address security and life cycle management in order for the IoT to reach its full potential. The industry must employ more focus, commitment and resources to tackle this challenge, and must actively collaborate to ensure that trust is established from the silicon level through to the service, and at every stage in between, to stop threats which can otherwise spread and compromise the entire IoT chain.
Fortunately, a number of industry bodies and companies have joined forces to lay the groundwork necessary to make this a reality. For example, the prpl Foundation’s Trust Continuum Working Group (TCWG) is striving to establish digital trust at the point of a device’s design, ensuring security and ‘trust readiness’ from the silicon chips embedded within devices through to service provisioning.
This ‘Trust Ready’ approach to security, underpinned by open protocols such as OTrP (Open Trust Protocol), enables mutual authentication between a device and the server or service it is communicating with. The working concept, recently demonstrated by the TCWG, ensures a connected device is on a trusted path, running authentic manufacturer-installed software and operating in its intended state, so a server can ‘trust’ the device and the device can trust it is accessing appropriate services. In short, this exposes any vulnerabilities and strengthens the ramparts of the wider IoT against malicious attack.
The lifecycle of a connected device is a complex ecosystem of numerous components, parties, entities and locations, all of which must commit to implementing and enforcing digital trust. This includes initial device design and silicon chip manufacture, operating systems and programming, apps and services a device connects to, hardware and virtual infrastructure, physical locations like data centres and finally more nebulous ones like the cloud. As with any chain, it is as weak as its weakest link and that is why it is critical that all parties at each stage of the lifecycle collaborate to ensure digital trust is established across the entire chain.
An effective chain of digital trust will encompass building and maintaining relationships and visibility between technologies, services, products, policies, regulations and standards. Security and trust must be inherent, easily added and managed further down the line. In addition to using the inbuilt security features and functionality of connected devices, more must be done to make it easier for developers to integrate security into their products and allow insights and updates in real time, while at the same time simplifying and fortifying the user experience.
The time is now
Digital connections support and fuel modern life and enterprise. The IoT has facilitated a rocketing digital economy, yet it could also prove to be its downfall. We’ve already seen the damage wrought by IoT compromises, a situation which will continue and worsen as the IoT continues to affect more critical industries and many aspects of everyday life. Whilst insecure smart devices have highlighted easy access points for malicious actors, they have also simply revealed the weakness of the wider IoT landscape. We’ve reached a critical stage in the IoT and it is now fundamental that all industry players, from device manufacturers to consumer-facing companies, are dedicated to ensuring collaboration across the board so end-to-end digital trust can be established. Creating a solid and impenetrable IoT will support the introduction of new services, drive revenues and ensure a connected future safe from harm.
Richard Parris, CEO, Intercede