Why the Internet of Things needs security by design

A concept visualising IoT security
IoT security

Whether it’s analysing consumer trends, streamlining operations or increasing productivity, the Internet of Things (IoT) and smart technology are gaining traction across all verticals. But the IoT also presents a unique security challenge, with cyber criminals frequently targeting this category of devices and sensors.

This new potential security hole isn’t something many businesses are prepared for. In fact, according to research from Gemalto, less than half of organisations have the resources to detect cyber attacks on IoT devices. As a result, there are increasing calls for technology firms to take appropriate steps to secure their devices by default. How can they do that?

IoT security is lacklustre

As the IoT ecosystem expands, there’s increasing pressure on manufacturers to include security in the design process of products. Liviu Arsene, global cybersecurity researcher at software firm Bitdefender, says every IoT device should start with security by design.

“This means that while manufacturers plan for rolling out a new internet-connected device, they should also include security mechanisms that enable devices to receive security updates once vulnerabilities are found and also protect the user data those devices operate,” he says. “While there is currently no enforceable legislation that manufacturers need to abide by in terms of security practices for IoTs, some manufacturers are more security conscious than others.”

If a cyber criminal hacks into an IoT device, there can be massive repercussions for users. Arsene gives some examples of what they may look like in real-life. “Most smart devices may collect, process, and broadcast sensitive user information. If an attacker were to exploit an unpatched vulnerability in these devices, they could tap into that information and, potentially, spy on and extort victims,” he says. “For instance, think of smart home surveillance cameras. If attackers get easy remote access to them, users can be spied upon and then become potential victims of extortion.”

Despite such risks, he says security by design for connected devices is currently lacking and encourages users to educate themselves on the security vulnerabilities of IoT devices. “User privacy and data security for smart devices is something that still needs to be addressed, especially on a legislation level, with manufacturers at least bundling security best practices into IoT.

“Making informed decisions regarding how often manufacturers update and patch IoT devices, before purchasing the actual smart device, is highly recommended. It’s also recommended that users deploy home network security solutions that can warn them if vulnerabilities are found in smart devices, if attackers are attempting to remotely dial into their IoT units, and if patches are available and need to be installed.”

Organisations deploying IoT devices need to factor in a security by design architecture when plugging them into their networks, Arsene adds. “Since most IoTs cannot be managed the way traditional endpoints can, IT and security teams need to think about network segregation and perimeter firewalls in order to secure them at the network layer,” he says.

Ensuring security by design

According to 451 Research analyst Ian Hughes, the distributed and diverse nature of endpoints and architecture patterns within the IoT ecosystem has presented a significant challenge to security and privacy.

“The benefits of IoT are often amplified by insights gained from data that crosses silos and organisations. In industrial IoT, a manufacturing plant machine may be instrumented directly to help understand how it individually is performing, but the processes feeding it raw materials, the quality of results coming out of it and the workforce engaging with it are all highly relevant as a combined source of data,” he says.

“While digital transformation and integration offers significant benefits, at the same time 43% of those running this Operational Technology (OT) cite security as a primary inhibitor for IoT and 32% of those on the IT side of the business likewise.”

RELATED RESOURCE

Report: The State of Software Security

This annual report explores important trends in software security

FREE DOWNLOAD

Hughes points out that while ensuring solid security in a relatively controllable environment is difficult, it becomes even trickier when different devices and systems start interacting beyond the bounds of the business and consumers start to get involved.

“Samples of privacy implications with voice operated devices or home security cameras breaching trust by capturing and transmitting data unbeknownst to the owner, to IoT devices being able to be reverse engineered or have flaws exploited to control other systems have all come to light.”

Like Arsene, Hughes says security should be designed into any system from its inception and not bolted on. He tells IT Pro: “External applications and appliances, such as those using machine learning, need to be used to help flag or see off aberrant behaviour. Companies also need to ensure they have a way to gather and act on any holes in their security with bounty programs and proactively help customers with patches and solutions to known problems. This applies to the creators of the core IoT products, with system integrators who combine them and the enterprises that sell services related to them equally, across all sectors.”

While making something secure by design may sound challenging, Andrew Rogoyski, innovation director at Roke Manor Research, explains that it doesn’t have to be. “You have to consider the behaviours of human beings as they’re always the weakest link, whether it’s how they use the product, their natural propensity to circumvent tiresome security measures and their vulnerability to attacks like social engineering,” he says.

“The other human dimension is the adversary – who is interested in attacking your product, and why? Understanding how a criminal might subvert your product and monetise the process is really important in order to best understand how you defend it.”

It’s important to remember that no system is perfect, though, he says, adding: “There is no silver bullet that keeps the system secure. So an important part of security by design is to understand how you respond to an attack, a breach or a vulnerability. It’s often the companies that respond the best – they communicate well, are well organised in a crisis and have plans for such eventualities – that weather the storm the best.”

Over the coming decade, the number of IoT devices used by businesses and consumers will increase exponentially and the attack surface will widen as a result. While users need to be aware of the security risks that come with IoT, manufacturers need to do more to design and build secure devices.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, the Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan. You can follow Nicholas on Twitter.