These days, it seems unusual when a device is unable to connect to the Internet. TVs, wristwatches and factory infrastructure are just a few examples of things that have, in the last few years, become part of the emerging Internet of Things. The IoT is projected to encompass tens of billions of connections and have a multi-trillion dollar economic impact by the end of this decade.
The scope of the IoT, alternatively called the Internet of Everything, makes it a pressing cyber security concern for enterprise CIOs and their teams. Organizations adding more connections to their infrastructures and making their devices increasingly interdependent must extend their security measures beyond traditional PCs, smartphones and tablets.
FTC spotlights risks and rewards of the Internet of Things
Last month, the U.S. Federal Trade Commission released a report, “Internet of Things: Security & Privacy in a Connected World.” The study highlighted the simultaneous growth of worldwide Internet connection and associated security risks, acknowledging the possible convenience the IoT could add while pointing out its vulnerabilities.
For example, while less than 10 percent of consumer vehicles shipped with an embedded modem in 2013, more than 90 percent could do so by 2020. Connectivity opens the door for new in-vehicle experiences, such as richer navigation and infotainment systems, but also makes cars more susceptible to hacking and surveillance.
The security issues that the IoT brings to the foreground – e.g., the vulnerability of Web accounts and endpoints that are not sufficiently hardened against cyber attacks – are not novel. However, the size of the IoT means that many of the manual processes that once sufficed for containing threats like viruses are less viable, since they do not scale well.
By 2018, mobile data traffic, driven by the plethora of new devices connecting to the IoT, could exceed 15 exabytes a month. For context, one exabyte represents enough storage for approximately 50,000 years of DVD-quality video. A Cisco report estimated that individual monthly mobile data consumption could rise from 2 GB to more than 11 GB between 2014 and 2019, in part due to the introduction of so many new wearables, home automation systems and other hardware that currently constitutes only a small sliver of the connected device pie.
Overall, such massive scale means that the IoT presents unique challenges. The FTC distilled them into a few broad categories:
- Unauthorized access to, and misuse of, sensitive information. The IoT could draw unprecedented data from personal devices such as health and fitness trackers, as well as industrial automation and control systems, making it a prime target for cyber crime. E-commerce transactions made on a TV, for instance, would now require just as much attention as ones made on a PC.
- Putting other systems at risk. Integrating IP networking with a previously offline infrastructure can open up critical assets to threats such as distributed denial-of-service attacks or malware infections that have long been an issue for PCs et al.
- Safety issues. Some of the most anticipated use cases for IoT devices are in fields such as medicine or physical security, in which the margin of error is very slim. Pacemakers, condition trackers and other devices that may some day rely more extensively on wireless networking could put users at risk without the proper security precautions.
- Privacy problems. Thanks to advanced sensors and a potential presence spanning the home and workplace, the IoT could become a massive surveillance network, the exploitation of which could put tons of personally identifiable information at risk of theft and resale.
The FTC’s report also noted that wrangling with security issues with the IoT may be a lot different than it has been with traditional desktop and mobile devices. Security must be taken into account all the way from device manufacturing to regular updating and patching.
First off, the IoT is relatively new, and many of the firms entering it with software and hardware solutions may have little to no experience in cyber security. Just as importantly, finding and fixing security issues in IoT infrastructure could be complicated by the wide range of device types (some are sophisticated like PCs, but others are low-tech, disposable and not easily patched), in tandem with the IoT’s massive total size and number of machine-to-machine communications.
Buying smart and taking precautions: Ensuring the best possible security for the Internet of Things
Given the possible risks in unsecured IoT devices (much like how routers have long been prime attack surfaces), minimizing risk across the IoT starts with smart procurement. Adding new devices to the enterprise network has always merited careful oversight, and hardware associated with the IoT is no exception.
Consumer smartphones and tablets took a while to make their way into the enterprise as organizations figured out how to add protective measures and implement bring your own device policies. A similarly measured approach would benefit the worldwide rollout of the IoT for businesses by making their investments worthwhile.
“Users and IT departments should bias their buying decisions towards IoT vendors who are accountable and proactive about security,” Bugcrowd CEO Casey Ellis told Forbes. “This protects them directly, and sends a clear message to the vendors to take it seriously.”
Being proactive is a good general strategy toward IoT security. The reactive processes that start with installing antivirus software on a machine and then leaving it alone until something goes wrong are not ideal for the IoT, in light of how much traffic and how many endpoints have to be accounted for.
Deep discovery tools can provide the automated network security that the IoT virtually demands. Security teams can actually use large amounts of data to their advantage as a way to identify and isolate potential issues before they get out of hand. Keeping tabs on network activity and finding anomalies early and often can put IoT efforts on the right track, despite the considerable challenges in scope and diversity of risk.