Internet of Things definition: The vast network of devices connected to the Internet, including smart phones and tablets and almost anything with a sensor on it – cars, machines in production plants, jet engines, oil drills, wearable devices, and more. These “things” collect and exchange data.
IoT – and the machine-to-machine (M2M) technology behind it – are bringing a kind of “super visibility” to nearly every industry. Imagine utilities and telcos that can predict and prevent service outages, airlines that can remotely monitor and optimize plane performance, and healthcare organizations that can base treatment on real-time genome analysis. The business possibilities are endless.
What is the current state of security in IoT products on the consumer scale, such as household appliances, wearables, smart-home systems, etc.?
Smart watches: A recent HP study revealed security and privacy issues in all of the top 10 smart watch brands. Issues include lack of transport encryption, automatic connectivity to any Bluetooth device within range, and problems with lock screens.
Smart home systems: These systems show many problems, including not encrypting data and having weak password policies.
Smart TVs: Some brands leave data vulnerable in transit. For example, in 2015, researchers discovered some Samsung smart TVs were sending unencrypted voice recognition data and text information.
All of these connected devices share data with mobile phones and tablets, and are often programmed to connect automatically to any Bluetooth or Wi-Fi network within range. Any time a device joins a "public" network there are risks involved (e.g., data theft and sabotage), and it is this automatic-connection feature that exposes the device to those risks on any "public" network it encounters.
Why are there such poor security practices in IoT products?
A lack of understanding of, and commitment to, good security practices.
Manufacturing engineers and developers are usually more interested in making sure the product works and is launched on schedule, rather than making sure these devices are secure.
In order to compete in the market, many of these products are designed with an emphasis on keeping the cost as low as possible. Stronger security implementation isn't prioritized properly, because it typically doesn't reduce the cost of producing a product.
Many IoT devices lack the computing power of a desktop or laptop computer, or other higher-end devices, which makes it difficult to implement strong security.
A cultural divide exists between InfoSec professionals (those concerned with keeping the communications between devices secure) and mechanical and electrical engineers (those concerned with the switches, motors, etc., making sure the devices operate). InfoSec as an industry needs to do a better job of reaching out to build relationships with the engineers, and of demonstrating the value of security, to bridge that cultural divide.
How do we best address the technical challenges impacting security for the IoT?
The security industry can do this in several ways, but it starts with recognizing the problems and then providing better education about the solutions.
In most cases, the technology is available and just needs to be implemented. For example, SSL/TLS provides strong encryption that scales to what the IoT demands. Sophisticated, managed PKI systems can handle strong identity vetting and provide reliable data encryption across all objects and devices within IoT deployments. A PKI solution should be the standard for IoT.
The security industry needs to help vendors understand the risks associated with poor IoT security. First, we need to present information from the point of view of an end user. Second, organizations need to be made aware of the financial impact of poor security: lowered sales, diminished trust in their brand, or even health and safety risks when healthcare devices, critical infrastructure, and national defense are included in the conversation.
Simple protections can be put in place that prompt end users to set up controls over Wi-Fi and Bluetooth connectivity, enable lock screens, and turn on other basic security functions.
How can an organization implement a trusted IoT security framework?
First, an organization needs to choose a Certificate Authority partner that is trusted and can scale effectively to meet their IoT requirements.
Second, manufacturers need to embed identity in devices during the OEM rollout process. Third, they need to utilize regulated Attribute Authorities.
Finally, they shouldn't rely on established technology alone; they should integrate technology and tokens, adopt policies and procedures for accountability purposes, and review relationships and responsibilities regularly.
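The steps above describe a PKI-based device-identity lifecycle. The Go program below is an added example (not code from the original post or from any vendor it mentions) that models step 1 and step 2 with only the standard library, plus the check a back end would run at connect time: a manufacturer CA, a per-device certificate whose subject is the device serial, and a verification that rejects a certificate issued by any CA other than the trusted one. The CA name, the serial format, and the validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// baseCert holds the certificate fields shared by the manufacturer CA and each device.
func baseCert(cn string, serial int64, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
}
// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}
// NewManufacturerCA stands in for the trusted Certificate Authority partner (step 1); the name is constructed.
func NewManufacturerCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := baseCert("Example IoT Manufacturing CA", 1, 10)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}
// ProvisionDevice is the OEM rollout step (step 2): a per-device key pair is generated and the device serial becomes the certificate subject, binding the identity to the unit before it ships.
func ProvisionDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := baseCert(serial, 2, 5)
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return issue(tmpl, ca, &key.PublicKey, caKey), key
}
// VerifyDevice is the back-end check at connect time: the presented certificate must chain to the manufacturer CA and be marked for client authentication, so a certificate from any other CA fails.
func VerifyDevice(ca, dev *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

In a real rollout the device private key is generated inside a secure element and never leaves it; here it is returned only so the caller can see what the device would hold.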