When IoT means Internet of Threats

Advances in digital technology are delivering new applications at a rapid pace. The use of sensors and wireless communications is enabling information to be captured, transmitted and processed to solve problems and create opportunities in healthcare, utilities, manufacturing, insurance, transportation and many other sectors.

This new world of the Internet of Things (IoT) is transforming organizations as well as personal homes and even individual consumers into “data centers” where information technology is used for numerous applications.

While it is easy to see the benefits as new IoT solutions are brought to market, it is also important to stop and consider the security of the data in these devices and the impact of an inadvertent or malicious attack on them.

When it comes to IoT in the consumer world, the stakes for cyber-attacks are high, and there are a whole new set of consequences to understand and address. For example:

• An attack against a medical device could result in physical harm or loss of life.
• Jamming a sensor used for smart metering could result in loss of power and related damages from not having electricity.
• Hacking into a self-driving car could potentially result in the loss of control of a vehicle on a crowded highway.
• Exploiting an IoT device weakness could allow access to high-risk banking and personal health data.

Key considerations in securing IoT

IoT device manufacturers should be looking at these threats, but currently there is no certification organization—such as UL (Underwriters Laboratories), which certifies products to industry-wide standards—to test the trustworthiness of IoT devices. Furthermore, all of the many elements of IoT—including sensors, networks, applications and hosting—each need to be assessed from a security perspective and then protected, while the integration of the different components also must be considered.

Another key issue when securing IoT is whether the data transmitted can be intercepted and/or altered by an attacker. An IoT device should be uniquely identifiable to enable communications and security status updates for the related application. For example, manufacturers could use physical unclonable functions (PUFs) to generate unique certificates for each device so that no two have the same certificate. Even if a certificate or device is compromised for an IoT system with hundreds of devices, this approach makes sure that a second device is a new challenge for the adversary.

In addition to technical controls, other assurance elements should be provided to the IoT users themselves. For example, the intended use of the device should be clearly outlined for the consumer along with the potential risks associated with using the device in a manner other than intended. A user’s awareness and understanding is an important element that often is overlooked.

While the opportunities for IoT are unlimited, the technology needs to be implemented at a managed pace with security in mind. I invite you to read previous blogs on related topics by my colleagues Daina Warren on next-generation connected cars require a solid security foundation and Mike Corby on the connected healthcare system requiring a new security approach.