Why Businesses Can No Longer Ignore IoT Security


In this special guest feature, Srikant Menon, Practice Director of Internet of Things (IoT) at Happiest Minds Technologies, discusses how it is imperative for businesses to balance the massive benefits of IoT along with the security risks it poses. While millions of “things” are simple in nature, IoT security is an absolute must and should require an end-to-end approach. Srikant has over 15 years of experience in IoT Practice Development, Strategy, Consultancy, Product Development in Digital Technologies with strong Project Management, Team Leadership & Customer Interaction skills. He is passionate about combining design and technology to execute business goals with energetic start-up attitude and entrepreneurial drive. His goal is to help Enterprises use the power of design and technology to create a positive impact in their operations, customer engagement and business model innovation. Srikant has experience in applying IoT in industries like manufacturing, supply chain management, healthcare etc. globally.

The Digital Age has ushered in a new way of thinking in economies around the world, and the Internet of Things (IoT) is one of the fastest emerging ecosystems, delivering significant business benefits valued at trillions of dollars across industries. IoT is already changing how goods are produced and distributed and how products are refined and serviced, driven by the explosion of data generated by millions of devices, the growth of cloud and access to integrated real-time information in the palm of the consumer's hand. According to McKinsey, IoT has a total potential economic impact of $3.9 trillion to $11.1 trillion a year by 2025.

As more businesses undergo digital transformations and increasingly see value in IoT, the number of “things” has increased dramatically too. Gartner forecasts that nearly 8.4 billion connected “things” will be in use worldwide this year alone. The rise of IoT has also put a lot of focus on security. With businesses on target to employ 3.1 billion connected things in 2017, IoT networks are vulnerable to attacks by hackers. Even as companies move from demos and prototypes to large-scale deployments, they have not thought about end-to-end security when it comes to IoT.

Data breaches in an IoT network can have two major impacts. Firstly, they can result in injury or lead to loss of human life. Ransomware attacks in healthcare are a perfect example of how hackers can control access to medical records, putting the patient’s life at risk. Ransomware attacks more than quadrupled to 200 in 2016, with nearly half happening in the healthcare sector, according to Beazley Breach Insights. One of the major ransomware attacks this year was WannaCry, which affected major organizations including hospitals and public amenities.

Secondly, sensitive data could be disclosed, as unsecured IoT devices can act as pathways to penetrate business network defenses as well as become slave nodes themselves. In October 2016, DNS provider Dyn was struck by malware known as Mirai in two large and complex Distributed Denial of Service (DDoS) attacks, the largest DDoS attacks in history. A significant volume of attack traffic originated from Mirai-based botnets, and Mirai infected 100,000 devices including cameras and DVRs, affecting access to many websites. Other major attacks include Target, Sony Pictures Entertainment, Anthem, JPMorgan, OPM and Sears. No doubt, DDoS attacks are on the rise and will cost enterprises a minimum of $2.5 million each every time an attack takes place.

The aftermath of a data breach can include long-lasting damage to brand equity and reputation. Economic losses stemming from the breach, destruction of operational infrastructure and damage to critical systems can also affect the company. According to a recent Forbes Insight Report, 46% of organizations suffered damage to their reputations and brand value as a result of a cyber-security breach. Preparing for a breach beforehand, instead of waiting until it happens, is a best practice that all organizations should adopt. Incident Response Plans can help significantly, as they allow employees to familiarize themselves with the process so that when a breach occurs, the tasks can be completed in a timely fashion. IoT security has to be built in and not treated as an afterthought.

As innovations increase, the chances of a large-scale IoT security breach are also increasing. According to Forrester, the trend of hackers using IoT devices to propagate DDoS attacks will continue in 2017 and the scale of IoT breaches is likely to become bigger. The Industrial Internet of Things (IIoT) has been affecting the manufacturing industry, and about 96% of security professionals expect to see an increase in security attacks on IIoT in 2017 even as 90% expect IIoT deployments to rise, according to Tripwire and Dimensional Research.

In order to improve security, businesses must consider the following areas:

  1. Design of IoT Systems / IoT Architecture: IoT security is far more complex than IT security. Enterprises will have to develop end-to-end solutions that fuse together the different elements of an IoT architecture, including sensors, devices, network, Cloud & on-premise infrastructure and encryption of data. Effective and secure connectivity must be established only through a smart device that can handle encryption, authentication, firewalls etc. Data must be encrypted in transit and at rest to prevent misuse, and such architectures should also have firewalls and intrusion prevention & detection systems to prevent malicious activity on the network. One factor to consider is building API security that helps authenticate & authorize applications, systems and devices.
  2. IoT Identity & Access Management: For the new-age IoT networks, the age-old static usernames and passwords won’t work. As an increasing number of devices communicate with each other on an IoT network, they will need to be authenticated by digital certificates, biometrics, two-factor authentication or M2M authentication. When connected, IoT/M2M devices will be granted access to the IoT infrastructure based on the identity of the device, after which they are authorized to share appropriate information without human intervention. The big challenge will be to build an architecture that can handle billions of IoT devices with varying security relationships in the network. Another factor to consider is that the devices won’t have enough memory to store the certificates or the processing power to authenticate themselves or other devices. There will be a need for identity and access management solutions that provide full life-cycle capabilities to provision, register, and de-provision IoT devices and associated identities and to provide policy-based access to those devices over time. IoT devices, once removed from the IoT infrastructure, should not be able to register on it. Since standardization of IoT is still a long way away, the current way forward would be to develop partnerships and ecosystems for proper authentication & authorization of devices & systems, especially given the heterogeneity of the devices & systems in the network.
  3. IoT Encryption: As sensitive data travels through the Cloud and IoT environment, it should be encrypted to prevent interception. Since IoT devices will be sending data at sub-second intervals, there cannot be any latency. Hence, the encryption mechanism should be fast, robust and reliable and be able to keep up with the data speeds. In order to maintain data integrity, encryption must be end-to-end. There are several algorithms that can be used to protect your IoT infrastructure such as Triple DES, RSA, Blowfish, Twofish and Advanced Encryption Standard (AES).
  4. Security Monitoring & Analysis: Prevention is better than cure. This adage rings true for IoT-dependent businesses, which should use technology with analytics to pick out anomalies in the data through continuous monitoring, provide reconnaissance and threat detection to pre-empt attacks, and ultimately mitigate threats. Increasingly, IoT security monitoring & analysis will be required to detect IoT-specific attacks not identified by firewalls. Analytics combined with actionable reporting will help identify and neutralize the threat.
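
The device life cycle described in item 2 (provision, register, de-provision, with removed devices unable to register again) can be sketched as follows. This is an added example, not code from the article or its author: the `DeviceRegistry` class and its method names are hypothetical, and an HMAC challenge-response with a per-device secret is assumed here as one form of M2M authentication for devices too constrained to hold certificates.

```python
import hashlib
import hmac
import secrets

PROVISIONED, REGISTERED, DEPROVISIONED = "provisioned", "registered", "deprovisioned"


def device_response(key, nonce):
    """Device side: prove possession of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class DeviceRegistry:
    """Hypothetical in-memory registry (a real one needs durable, protected storage)."""

    def __init__(self):
        self._keys = {}    # device_id -> per-device secret
        self._state = {}   # device_id -> lifecycle state; entries are never deleted
        self._nonces = {}  # device_id -> outstanding one-time challenge

    def provision(self, device_id):
        if device_id in self._state:
            raise PermissionError("device id already used; ids are never recycled")
        self._keys[device_id] = secrets.token_bytes(32)
        self._state[device_id] = PROVISIONED
        return self._keys[device_id]  # installed on the device at onboarding

    def challenge(self, device_id):
        if self._state.get(device_id) not in (PROVISIONED, REGISTERED):
            raise PermissionError("unknown or de-provisioned device")
        self._nonces[device_id] = secrets.token_bytes(16)
        return self._nonces[device_id]

    def register(self, device_id, response):
        nonce = self._nonces.pop(device_id, None)  # single use, so replays fail
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        if not hmac.compare_digest(device_response(key, nonce), response):
            return False
        self._state[device_id] = REGISTERED
        return True

    def deprovision(self, device_id):
        self._keys.pop(device_id, None)    # destroy the credential
        self._nonces.pop(device_id, None)  # cancel any pending challenge
        self._state[device_id] = DEPROVISIONED  # tombstone blocks re-registration

    def state(self, device_id):
        return self._state.get(device_id)
```

Keeping the de-provisioned entry as a tombstone, rather than deleting the record, is what stops a removed device (or anyone reusing its identifier) from being provisioned or challenged again.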

As IoT progresses from the proof-of-value stage to the productization stage, organizations will need to focus increasingly on operationalizing IoT and securing its assets & people. For a smooth and seamless enterprise-wide IoT rollout and ongoing business attention, a dedicated IoT Operations Center will be critical. The IoT Operations Center, in addition to being a Security Monitoring Services Platform, should ensure up-time of the core IoT infrastructure, including connectivity management between the sensors, the gateway and the Cloud, increased control over devices, effective Cloud and infrastructure management and authentication of data throughout the infrastructure. It should also help in on-boarding different systems and applications, while ensuring high levels of security and customer support.

Real-time Security Monitoring and Analytics should be an integral component of the IoT Operations Center. This is essential to protect data integrity and detect potential threats and attacks. Predictive security analytics ensures proactive responses to threats.

In conclusion, it is imperative for businesses to balance the massive benefits of IoT with the security risks it poses. While millions of “things” are simple in nature, IoT security is an absolute must and requires an end-to-end approach. Considering security during the design of IoT systems, and monitoring these systems & other critical business assets through an Operations Center, becomes critical in preventing attacks and ensuring business continuity.

