Threats, Solutions, and Way Ahead

An Introduction

“IoT – An evolving Internet Phenomenon”

The Internet arrived, sustained and grew over the years as an amazing phenomenon even as it bridged various entities and brought the world closer. It will continue to grow and play a pivotal role as the connect between people and internet based devices get stronger. Over the years, the internet has become an essential medium for both corporate and personal communication. And now, it is set to become ubiquitous with the advent of ‘Internet of Things’ (IoT) and a promise of greater connectivity of internet based devices.

What exactly is the Internet of Things?

In simple words, internet-of-things or IoT is the ability of multiple devices to connect and communicate with each other via the internet which serves as the medium. This, in turn, creates the web or a network of innumerable devices that are in constant touch and ‘speak’ to each other even as they perform their respective functions.

 

Additionally, these connected devices also relay loads of information or data which is used for various business purposes.

As per a Gartner report –

• 4 million Connected devices will be in use worldwide in 2017
• North America, China, and Western Europe will account for 67% of the installed devices
• The total spend on endpoints and services will be about $ 2 trillion in 2017

While these statistics Herald the humongous growth of IoT and might encourage potential investors, the road to IoT deployment has its own set of hurdles; primary among them—IoT security.

Hence, the glaring question –

When a standalone personal computer is susceptible to a host of cyber-attacks, what about a vast network of IoT connected devices? 

The question raises concern about IoT security, and even as IoT becomes prevalent there are two major areas of IoT security concerns – device and data. IoT popularity coupled with big data revolution will result in a large number of device installations and a subsequent exploding amount of data that is stored and transferred through these devices. While on the upside this will create a vast ecosystem of connected devices, on the downside it will open up to a higher number of cyber-attacks making the ecosystem even more vulnerable.

 

Threats, damages, and danger

“Multiple operating devices susceptible to multiple attacks”

20^th September 2016: Late evening that Tuesday the world stood witness to a heavy attack on the website of popular cyber crime investigative journalist—Brian Krebs. The attack was so heavy that security service provider, the company rendered in to protect the website spent 3 days and a high number of resources to bring down the intensity of the attack, and yet the defensive attempt could not yield the desired results.

The attack was of a DDOS (Distributed Denial-of-Service) type that prevented Krebs from accessing his site. The Mirai botnet or malware that was responsible for the attack was surprising, not made up of infected laptops or desktops but instead was made of a huge number of low powered “internet devices”, devices that constitute IoT ecosystem.

   Frequent attacks – a major concern

 

21^st October 2016: Early morning that Friday, the world witnessed another DDOS cyber-attack which targeted systems operated by Dyn, an internet infrastructure organization. This attack affected the services of many companies some which included—Airbnb, Netflix, Amazon, and Reddit. The attack is believed to be executed through again, Mirai botnet, which consisted of a large number of IoT devices such as—Cameras, Residential gateways, Printers and even Baby monitors.

A survey of nearly 400 IT executives from across 19 industries by Cyber security firm, McAfee revealed that 48% of the organizations experienced at least one IoT security breach leading to significant financial losses not to mention the impending threat thereafter.

Nearly half of the businesses with the turnover of $2 billion and above estimated the potential cost of one IoT security breach at $20 million. This speaks of a huge loss not just in terms of money but also time. Unfortunately, such incidents are getting common even as services of major companies stand affected.

Welcome to the world of IoT and its innumerable number of imminent threats!

 

Connected devices will lead to compounding problems

The number of devices connected to the internet has seen an upward trend over the last five years. According to a report by research firm Gartner, 26 billion units would be installed and connected to the internet by the year 2020. While this might sound music to some it does come with its set of problems—too many devices mean too many pathways and vulnerabilities, and that spells more threats and security breaches. As the web of connected devices expands in an exponential manner, the threat to such an enormous network increases multi-fold; hackers and cyber criminals will now have a larger attack surface to target.

A growing network of devices only compounds the vulnerabilities of such a network unless there is a strong mechanism to shield it from attacks. Each connected device might raise a potential privacy and security threat. These concerns range from corporations and governments having absolute access to private data to hackers breaching networks to steal and misuse data.

Another Gartner report states that by the year 2020, more than 25% of identified enterprise attacks will involve IoT while IoT will account for only 10% of IT security budget.

IoT world – getting bigger by the day

 

Unfortunately, the rapid pace of IoT deployment has not been complimented by the developments on IoT security; it is still in the infancy stage. As in the case of most business ecosystems, where innovations happen first and security measures follow later (due to a mishap or a threat)—the IoT ecosystem has been no exception to this norm.

Consider this:

A decade ago hacking of computers was a major concern, few years later it was hacking of smartphones and now, it is hacking of every single device that is part of our professional and personal lives that has become a major cause for worry. IoT security solutions, owing to hyper connectivity and subsequent vulnerability of devices, have a daunting task to achieve.

What compounds to problems on IoT device security is that an increasing number of devices operate beyond an established network and its firewall leaving them vulnerable for attacks. Too many devices mean, too many ‘exposed areas for an attack’ making it easy for hackers or cyber-criminals to breach the networks and cause irreparable damage.

Let’s take an example on how connected devices, can be breached to create a larger damage.

Some luxury homes have embedded smart electricity meters that directly ‘communicate’ with the server at the power utility centre for the purposes of dynamic billing or in the case of power issues. This information on power consumption can be accessed by hackers.

A hacker can breach through and detect low power consumption in a particular home indicating the absence of inhabitants making it easily susceptible for burglary. Connected devices like smart meters need to be better protected to avoid data loss and prevent bigger damages.  

High volume data poses security challenges

Big data revolution has influenced several companies to aggregate, view and analyses data in a much more emphasized manner. Data generation and collection is an automatic sub-set of IoT operations and herein lies the problem— as more devices get connected, more data is created and the same will need to be processed, analyzed and protected, live!

Processing such large quantities of data is not easy and will lead to challenges on operations and on capacity; it will also lead to tougher challenges on IoT security. As an amount of data (stored, transferred and utilized) increases exponentially and becomes even more critical to businesses, IoT data security needs to be further strengthened. Within the data subset, two major areas of security concerns prevail—a) Consumer Data and b) Enterprise Data.

 

Data everywhere – Is it Safe?

 

Consumer data security concerns: Vast amounts of consumer data is stored on devices in the name of convenience and an offer of better services by corporates, a breach of this data would spell doom not only for these corporates but also for the poor consumers who would have no clue about the misuse of their private information.

Enterprise data security concerns: Data theft and misuse under such circumstances become even more dangerous for enterprises. Data theft in IoT is a huge and an impending risk, more so because the number of connected devices is huge and their security aspects are not exactly well cared for. Theft or misuse of enterprise data leads to irreparable damage and to a loss of clients, business, and money.

 

“Why IoT is under attack?’’

IoT has been around for some time now, in fact, it was always there albeit in a different form. We had devices like a photo copier and a smartphone that operated on their own. All we are doing now is—to bridge these two devices in the name of convenience; to switch on or off the copier machine via the smartphone. Of course, all of this is done with the help of software application via the internet as the medium. The manufacturers of photo copier, smartphone, and the software application provider are different entities, each not concerned or connected to one another (at least as of now). This disconnect between the stakeholders gives rise to IoT security threats. Device manufacturers of photo copiers or smartphones are not particularly focused on building devices that are IoT compatible or comply (at least not as of now) with IoT security standards. Unfortunately, some of these manufacturers are not even aware of IoT security risks and IoT framework.

How can manufacturers and application providers solve the problem?

Constant up-gradation: An IoT device has to be fool proof in terms of security and the firmware within needs to be upgraded constantly to prevent damage and ward off threats from hackers and cyber-criminals. Another major issue with manufacturers is that in the race to accomplish more with less, these firms compromise on quality and subsequently on security. Sometimes these firms fail to or choose not to upgrade the firmware.  This increases the vulnerability even as an outdated firmware helps a device become an easy prey to hackers and cyber-criminals.

To cite an example, relatively cheaper and tiny IoT devices can cause high damage to costlier items, such as smartphones, desktops, laptops, etc., and with the least of efforts. What will ultimately help counter threats or avoid them altogether is the healthy collaboration between the device manufacturers, the firmware developers, and the end users—this awareness and collaboration is a must if we are to gain any mileage on IoT security front.

 

Complexity and Risks involved in IoT

‘’Complexity and risks increase with increasing device numbers’’

IoT, by virtue of interconnectivity of innumerable devices across networks, gives rise to complexity and eventually increases risk at three different levels—Operational, Technical, and Business.

Operational Risks: Under this category, there are two entities—People and Process. The complex network of a huge number of connected devices sans proper security will hinder the performance efficiencies of resources which in turn, will lead to inefficient processes having a direct impact on productivity levels. The operational risks are a direct result of complexity at a process and people end.

An overview of IoT risks (categorized functionally)

• Technical Risks: Any attack on either hardware, software or both results in technical complications and risks. Technical risks arise due to device non-compatibility and outdated software that is non-resistant to attacks. More the technical risks higher the chances of operational inefficiencies. Secured IoT devices and software are essential to avoid risks at a technical level.
• Business Risks: IoT risks at a business level directly influence business outcomes. As was in the case of Dyn attack, business operations can be stalled for days or even weeks adversely affecting the business outcomes and worse, damaging the brand name and reputation.

Not surprisingly, all three elements are inter-connected. A hit on technical levels adversely affects the operations and inefficient operations in turn, have a direct impact on negative business outcomes. There needs to be a focussed security approach on all of them to ensure smooth operations and business continuity.

 

Solutions for safer IoT process

‘’It is all about mitigating risks and heightening security’’

Such is the level of threat that there is a dire need to study and understand various forms and channels of IoT threats and revamp IoT security standards. The IoT loop has several stakeholders from device manufacturers to software application providers to data centres to users. No one single point in the loop is less important than the other, in other words— every point needs to be absolutely secure to ensure overall security of the IoT loop. Any vulnerability across any point(s) leads to compounding risks and multiple threats.

 

  Security solution – mitigate risks and avoid threats

 

Device safety is of utmost importance

IoT devices are used across different industries—from sensors to monitor heart attacks (Healthcare) to meters which regulate usage of utilities (Utility providers) to Telemetrics devices which help save on fuel consumption (Transportation). The efforts towards IoT security need to be bottom up to the top and across all points in the loop, without compromise.

According to a report by Ponemon Institute—only 30% of the nearly 1000 company representatives said that their companies allocated sufficient budget to protect mobile apps and IoT devices—a proof that companies still have a long way to go as far as their IoT devices security is concerned. This also calls for a more concentrated effort on part of manufacturers to ensure protection for embedded devices from all sorts of attacks and mitigate risk. Security must be prevalent through the device life cycle—from design to functioning.

Let’s observe few ways to secure an IoT device and ensure a smooth IoT process bereft of attacks:

• Secure Booting of IoT Device: Every connected device requires software to function, and ensuring that the right software is loaded onto a device is the first level of security. Through secure booting, the authenticity and integrity of the device are confirmed via cryptographically generated digital signatures. A digital signature ensures that only authorised software is loaded by the authorised person.
• Absolute Authentication of Device: When any device is plugged into a network, there is a need for its authentication before it begins to receive or transmit data. Since embedded devices do not have users operating on them to authenticate, machine authentication by the device itself helps it to plug and connect to the network and carry out the functions.
• Impenetrable Access Control: Anybody can access any embedded device and control it. How can we avoid this? Role-based access control systems are built into the operating systems and these access control systems limit privileges of both device components and device applications so they access only what is allowed and not more. In situations where a component might be compromised, access control systems ensure that the intruder has minimal or nil access to other parts of the system thereby ensuring that damage caused is very minimal.
• The necessity of IPS and IDS: Heavy traffic intrusions such as the one carried out by Mirai botnet can either paralyze the system or render the system (device) useless. Intrusion prevention systems (IPS) and Intrusion Detection Systems (IDS) are required to ensure control and prevention of malicious traffic. It is important to note that embedded devices which operate under different conditions have their own set of protocols and in order to avoid a device or system crash industry specific deep packet inspection (DPS) capabilities are required to identify malicious traffic.

The IDS and IPS in the device need only to focus on that traffic or data that has been specifically designed to terminate the device even as the enterprise security systems take care of other types of malicious traffic. IoT network security is very important to ensure protection to the network connecting IoT devices and back-end systems on the internet.

• Frequent Software Updates: Software updates are common and are a must for the effective functioning of devices. Software updates or patches need to be rolled out, and devices with their capabilities should authenticate the patches before taking them in. Embedded devices are connected in huge numbers and work together to perform a function, so it’s important for operators to roll out software updates in a way that it does not compromise on functional safety and yet conserves the connectivity and bandwidth of the device.
• Robust Data Encryption: As sensitive data travels through the Cloud and IoT environment, it should be encrypted to prevent interception. Since IoT devices will be sending data at sub-second intervals, there cannot be any latency. Hence, the encryption mechanism should be fast, robust and reliable and be able to keep up with the data speeds. In order to maintain data integrity, encryption must be end-to-end. There are several algorithms that can be used to protect your IoT infrastructures such as Triple DES, RSA, Blowfish, Twofish and Advanced Encryption Standard (AES).
• Infallible Security Monitoring & Analysis: Prevention is better than cure. This adage rings true for IoT dependent businesses which should use technology with analytics to pick out anomalies in the data through continuous monitoring. Technology coupled with analytics will also provide reconnaissance and threat detection to pre-empt any attacks and ultimately help in threat mitigation. IoT security monitoring & analysis will be increasingly required to detect IoT-specific attacks not identified by firewalls. Analytics combined with actionable reporting will help identify and neutralize the threat.

     Security at all levels – a must

Integrated Security Strategy—a plausible solution

Devices numbers are set to grow exponentially in the coming years. If enterprises wish to stay ahead of the threat curve, then they need to employ an integrated security strategy that is end-to-end. Blocking threats at every stage is must, and is possible only if comprehensive security is planned at each level—from booting to authentication to software updates to monitoring. An effective security system is one which employs a comprehensive and integrated security strategy, one that provides security assurance and promotes a safer IoT process.

 

“All that begins well, ends well”

The world of business is changing at a fast pace and different technologies at different timelines have provided the necessary traction and value to enhance businesses. The internet is here to stay as it begins to pervade devices and find more takers. The number of internet connected devices will continue to see an upward trend so will the amount of data. At the end of the day, IoT is meant to provide convenience, efficiency, productivity and subsequently—business value, so it will be relied upon in a more comprehensive manner by enterprises in the time to come.

But while IoT leads to efficiency for businesses and convenience for customers it does come at a cost – of threats, problems, and vulnerabilities. Even as IoT ecosystem aspires to grow and pervade the digital space, there is trouble in the name of a feeble IoT security system, which with its current capabilities will not be able to stop the threats and mitigate risks.

For 25 plus years IT cyber security has been a focus point for enterprises on which – time, energy and efforts were spent. The concept of IoT security came up very recently and we are far away from having a fool-proof solution against IoT threats. As was in the case of IT Cyber security, time, energy and efforts need to be spent on IoT security. Unfortunately, there is no “silver bullet’’ to tackle IoT security concerns.

So, what next?

Experts and experience echo the same thing

“All stakeholders in the IoT loop need to think of security first because only secured devices help enable sound and efficient operations leading to successful business”.

In fact, security of IoT devices is like the foundation—stronger the foundation, greater the success! Enterprises which are inclined towards and investing into IoT need to tread the path carefully. The future of IoT will look more prosperous if all stakeholders are on the same page when it comes to security.

The following are some important measures or takeaways to ensure a safer and a more secure IoT ecosystem:

• IoT Security needs to be aligned with every single element of the IoT loop—from Hardware devices to Gateways to Data centres to everything in between and around
• Strict and standard regulations for device manufacturing
• Security for both devices and software needs to be an integral part of manufacturing process and should no longer be considered an add-on service
• Regulations on the IoT operations
• Higher and more focused investment on IoT security
• Quality resources as part of IoT security personnel
• User awareness on device and application operations

 

The Good News

Gartner estimates that by 2020 more than 25% of attacks in enterprises will involve IoT devices, and top management has a taken a cue from the IoT attacks last year. This, in turn, is fuelling IoT security spending across the globe. Spends are reflected in the graph below.

 

By 2018 an estimated 11.4 billion connected devices will have been deployed making it essential for higher security spends. IoT security spends for 2018 are projected at $547 million, more than double (2.35 times) that of 2014. Security spends for 2017 are projected at $434 nearly double (1.87 times) that of 2014.

The increasing pattern of IoT security spending stands as testimony for the increasing awareness and intent among enterprises on the need for IoT security solutions. Gartner report also points out that security spends post 2020 will increase at a faster rate as awareness levels increase and IoT security execution gets a shot-in-the-arm through scalable services and improved skills.

Due to attacks such as Dyn and Krebs, corporates have taken a cue and are ramping up their efforts on IoT security even as internet security firms and manufacturers are teaming up to build better and more secure devices. Even governments, after having realized the intensity of attacks and damage caused, are turning their attention towards a robust IoT security. They are in fact, contemplating on security standards—for attacks do not have a specific target, anything from a sensor to a nation is a target!

So, there is hope – If efforts, time, and money are put in the right direction i.e., at the very root of IoT process, and if all the stakeholders stand on the same page in terms of IoT security – we might well be looking at much more robust IoT security solutions in the time to come!

Read complete blog