Why is IoT security important?
As we wrote in a previous blog, security issues need to be taken seriously by organisations considering implementing an IoT strategy. People like to be in control, especially when it comes to their personal data, and it is your responsibility to make them feel that way.
In 2018, some 21% of companies reported a data breach or cyberattack due to unsecured IoT devices. Ensuring security in the face of this trend should be a significant concern, but some businesses still have their heads in the sand, assuming it won't happen to them. IoT devices can be extremely hard to patch. In many cases they don’t have a physical user interface or a screen, and it can be hard for users to understand how updates are to be made.
How do you make IoT devices more secure?
Ultimately there are 4 main areas of security that you should focus on for IoT:
Data Protection – IoT enabled devices gather, transmit and store sensitive data. This data needs to be secured for both business and regulatory reasons.
Attacks – there are going to be more entry points for attackers. Most IoT devices are permanently connected to the internet, making them prime targets for attacks.
IoT Enabled Processes – there is a wider infrastructure and many more devices and applications for a hacker to target if they want to disrupt your business activities. These types of attacks can compromise or disable devices.
Botnets – if your IoT devices are poorly protected then they may be recruited into botnets, which will degrade their performance and could lead to longer-term reputational damage.
These types of security threats rely on the potential weakness of the IoT device. All IoT devices should be deployed and managed with security at the forefront of the mind.
How to design for security?
Like any aspect of technology and information security, IoT security isn't something that you reach and then stop. It can never be guaranteed – it is a journey, not a destination, with new vulnerabilities being discovered all the time.
IoT devices often tend to be used in locations that can be accessed easily or are monitored only remotely, for example an asset that is monitored but not staffed. As a result, you need to consider the physical design of your IoT assets and put in place inspection, condition assessment and security monitoring regimes to ensure that the IoT devices haven't undergone physical damage, tampering or attempted third-party connections.
Your IoT device should use the latest software with all unnecessary access rights and functions removed. The integrity of a device also depends on executing a trusted staged boot sequence. Security must be designed in from the outset for any software, applications or services that run on your IoT device.
You should always use the strongest encryption algorithms available and make sure that your software is updated to keep pace with future changes. Network connections also need to be limited and thoroughly protected, only making the minimum connections needed for the device to function.
Your devices should ideally be able to have software updates applied remotely. Processes and mechanisms for updating software on the device need to be robust, reliable and maintained. It is not enough to develop strong initial procedures and then forget about the devices! Device security will typically decrease over time as new vulnerabilities are exposed.
Where your device makes use of third-party software, be sure that any software installed is from a trusted source and has not been altered maliciously. Make sure that a cryptographic signature is attached to the software.
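The signature check described above, sketched in Go as an added example (not code from this blog or from any vendor). The Manifest layout, the choice of Ed25519 and the version comparison that refuses downgrades are assumptions made for illustration, and the key and image are constructed test values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Manifest is a hypothetical update descriptor shipped with each image.
type Manifest struct {
	Version uint32   // increases with every release
	Digest  [32]byte // SHA-256 of the software image
}

// signedBytes serialises the fields covered by the vendor signature.
func (m Manifest) signedBytes() []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.Digest[:]...)
}

// VerifyUpdate checks the signature, then the image digest, then that the version is newer.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.signedBytes(), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.Digest {
		return fmt.Errorf("image does not match signed digest")
	}
	if m.Version <= installed {
		return fmt.Errorf("version %d is not newer than installed %d", m.Version, installed)
	}
	return nil
}

// demoUpdate builds a constructed image and a manifest signed with a throwaway test key.
func demoUpdate() (ed25519.PublicKey, Manifest, []byte, []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed: demo only
	image := []byte("constructed firmware image v7")
	m := Manifest{Version: 7, Digest: sha256.Sum256(image)}
	return priv.Public().(ed25519.PublicKey), m, ed25519.Sign(priv, m.signedBytes()), image
}

func main() {
	pub, m, sig, image := demoUpdate()
	fmt.Println("genuine: ", VerifyUpdate(pub, m, sig, image, 6))
	fmt.Println("tampered:", VerifyUpdate(pub, m, sig, append(image, 0), 6))
	fmt.Println("rollback:", VerifyUpdate(pub, m, sig, image, 7))
}
```

On a real device only the public key is stored, and the signing key stays with whoever publishes the software.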
How to build security into your IoT strategy
When it comes to IoT security, adopting a hub-and-spoke design approach is key. IoT deployments should be managed as a series of hubs or gateways that interoperate with spokes on closed networks. This makes network configuration and management, as well as scalability and security, easier.
All of this should be backed up with rigorous software and firmware updating – something that your organisation should (hopefully!) already have in place.
Take a second to think about the reality of a connected world. IoT will fundamentally transform (and already is transforming) the world as we know it – we just need to make sure we are ready for it.
Working with many field service organisations, at Leadent we have helped organisations design, develop, pilot and implement IoT in the right way.
Talk to us if you need some help and fresh ideas.