IoT and Security: what you need to know

Warren Buffet says that cyber security is the biggest threat facing mankind, even more dangerous than nuclear weapons. That may sound a bit over-the-top but safeguarding connected devices and networks – and understanding how to do that effectively – will be of paramount importance as IoT continues to become a critical part of your business strategy.

Companies continue to say that addressing security issues is important to them and remains high on their agendas – yet not enough is being done despite increased risks and vulnerabilities and the implications of not addressing security potentially having a detrimental effect on not just their own businesses but also on society at large.

IoT security is not just about being secure technically but also about informing users what is happening with their information and devices so that they can make informed decisions on how they want that information to be managed. It’s also about educating employees on how to handle data and devices.

Data acts as a window into our lives – and when it comes to your company it can act as a window into not just your business but into your customer’s businesses. Sensitive data is extremely valuable and in the wrong hands can pose a serious threat.

The implications of not addressing security risks are wide-ranging. Until all three layers of IoT security are managed and under control your business and customers will continue to be vulnerable.

IoT & Security: the background

Many companies have traditionally assumed any IoT solution is secure, and although they have had skilled IT departments working with digital security overall, they often have not focused on developing an implementation plan specifically for their IoT solutions. At the same time, security experts have long pointed to the potential risk of large numbers of unsecured connected devices, with some saying there will have to be several major global attacks before security is taken seriously – once that happens everyone will realize just how important it is for any company deploying IoT to have a strategy regarding security.

As awareness increases the quality of security measures has also improved. This means that most IoT components have some level of security, but it is still up to whoever develops or designs the solution to make sure those components work well together. In other words, there is no magic bullet – you still have to develop and implement your own strategy for security.

Three Layers of IoT Security You Should Consider:

• Physical technology – everything from hardware to software to infrastructure
• Rights management system – who has access to what
• Information – how you communicate with customers and end users – and what happens to your information

IoT & Security: attacks, risks & protecting yourself

Attacks and protection are two sides of the same coin. And attacks or issues (risks) can come from both within and without, so the implications of not addressing security risks are wide-ranging.

Top 3 IoT Security Risks According to Tele2 IoT:

• Data & device theft
• Data & device manipulation
• Data storage compliance

Additionally, it can be very difficult to detect security breaches. If you don’t have the insight or the knowledge of IT and security, you might not even notice it happening until it’s too late.

When we talk about security we’re talking about the attack ‘surface’ – basically how much exposure you have. It’s as simple as knowing that when you go outside during winter the more skin you have exposed the quicker you’ll get cold. Addressing security is the same thing: the less exposure you have the less risk there is. You won’t get hypothermia if you have the appropriate covering.

Most devices are shipped with default passwords, and the use of default passwords is at the root of the majority of vulnerabilities. It’s quick and easy for someone to check if you’re not properly password protected, so changing default passwords is critical. And if your device is on the public Internet it will quickly get indexed by search engines, which will then create a list of devices that have the door wide open and then boom! You’ve got a security problem.

Not updating is as big an issue for companies deploying IoT as it is for lay people who don’t bother updating their browser or operating systems. Updating is a simple, easy way to increase security – yet it’s a step that is often overlooked.

Not having a verified update cycle is also a risk and can result in someone getting access to your devices and manipulating them – in other words, remotely controlling them.

Another scenario is someone gaining access to your devices not to modify or manipulate anything, but to use your devices as a means of attacking other devices. In other words, they create an army of devices that can be used to attack your company. Take the MIRAI Botnet: insecure IoT devices brought down much of the US’s core Internet infrastructure, including Twitter, Netflix, CNN, etc., and havoc ensued.

The MIRAI Botnet might be a rather extreme example but look at your own company and ask yourself where the risks are. Where in your setup can you spot vulnerabilities and what can you do to address them?

Changing default passwords and updating regularly are two steps you should be implementing right away.

As lay people, when we think about security, we worry about whether our social media accounts have been hacked or our bank information compromised, but hacking is a big issue within IoT as well.

If you are hacked any data could be modified – and any data that is modified cannot be trusted.

For example, if your nuclear power plant is reporting specific behaviors to authorities a hacker could modify that data during transit, resulting in decisions being made based on incorrect facts. The hacker could modify audit trails and make it very difficult and costly to be able to identify which information is correct and which isn’t.

Of course, not all hacks have the theoretical potential for such drastic consequences. Take fictional Farmer John, who has placed small sensors across his vast fields. You might not think knowing how wet his soil is or when he will harvest would have value to anyone but him, but if the harvest window is just three or four days and his devices are sending compromised information or they aren’t working and he doesn’t know they aren’t working, he might lose his whole crop. This would not just impact his bottom line but also the food supply chain.

Within the EU a big risk is being non-compliant with GDPR, the EU’s General Data Protection Regulation. Not being compliant is not just bad for you – you’ll face huge fines, which will have an enormous impact on your bottom line – it’s also bad for your customers and end-users.

Transmitting sensitive data between your devices and your operations center could lead to eavesdropping, with someone getting information about your company or one of your customers that you don’t want them to have – and that they shouldn’t be allowed to have.

A simple example would be a connected pacemaker: under GDPR the patient/customer has a right to have any sensitive information transmitted private and protected. If that information is compromised, just say because someone was able to hack into your system, you’re facing big problems.

Not all security risks involve data breaches, but any attack that stops you from selling products or services – or even stops you from being able to invoice your customers – could cause you a host of unwanted issues.

Being aware of any vulnerabilities while taking the right steps to protect yourself will decrease any potential security risks.

Protecting yourself

Most vulnerabilities that are exploited by the hacker/hacking community have been known for more than six months. While vulnerabilities usually have a patch and there’s an update available, if you wait a year to update you have huge exposure because the longer you wait to update the more common scans become. As a result, more and more attackers will know about your vulnerability, making it that much easier to breach your system.

There Are Two Types of Attackers to Keep in Mind:

1. Opportunistic

2. Targeted

Opportunistic hackers are continually scanning and taking advantage of every vulnerability. Think of it as a burglar going through a neighborhood trying every door to see which one is unlocked. It’s low cost and they know that they can get lucky any time, hitting a mother lode of information. What they do with that information is anyone’s guess.

On the other hand, hackers carrying out targeted attacks aren’t playing the odds. They want access to specific systems and are working on a much higher level of engagement. A targeted attack requires more work to get into a specific system: hackers have to find it and know what to do with it. It’s much more difficult to protect from a targeted attack simply because these types of attackers are going to be much more persistent.

If you’re using a tracking device you would ideally be prompted to update the software, but while your phone, your tablet, or your laptop will give you push notifications to update, most IoT devices aren’t clever enough to self-update, so you may have to do this manually.

Sometimes, though, it isn’t possible to update your IoT devices, which means you’ll have to switch them out to upgrade your system. This is an important aspect to consider when choosing your IoT solution.

A mobile network system makes it difficult to go from one device to another, so someone who compromises one device will have a tough time accessing the rest. This reduces the ability of attacks/infections spreading.

Of course, there’s nothing saying you have to put your devices on the public Internet. With a private APN your devices are never exposed to the (public) Internet, so they will never show up in a search engine. But note that even if you take a compromised device off the Internet and put it on a private network it might still be compromised – but the damage it can do and the risk of exposure will be reduced. Additionally, your devices will be isolated not just from one another but also from other customers, which really raises the bar when it comes to security.

How to Protect Yourself: The IoT Security Checklist

• Update your software regularly & on time.
• Change your default passwords.
• Secure access credentials.
• Limit exposure (firewalls, private networks, etc.).
• Restrict access to systems (only people and computers that need access).
• Don’t put your business-critical factory control system on the same system as your corporate office. Include strong processes for employees.
• Have a skilled IT team, educate yourself and actively search for security breaches.
• Have security as part of your IoT design and strategy process.
• Risk analysis – this will help you differentiate the different levels of risk and evaluate accordingly.

Private APN fact box

Service	Private APN	Private APN with IPSec VPN	Private APN with Private Interconnect
Transferring data securely	+	++	+++
Industry	N/A	++	+++
Scaling of data transfer capacity	+	++	+++

From a security perspective you should have zero trust, and should implement strong processes, auditing, checking, monitoring, and risk assessments. It’s not that you don’t trust your employees, it’s that you can’t rely on anything not being compromised. Someone’s laptop might be compromised without them knowing and that could be enough to get hackers into a secure system. In light of this you should not put your business-critical factory control system on the same system as your corporate office. If someone gets a virus on their laptop at home and then brings it into the office, it can not only affect other work machines, it can also infect your factory floor – and it will be very difficult to get rid of that infection.

Having a well-thought out implementation plan for your IoT security strategy is as important as having an overall IoT strategy: you will save money and lessen potential headaches.

Understanding the risks and issues that can arise while also educating yourself on how you can protect yourself is paramount. Just as you have an IT team making sure your computers are protected, you should also have a team that ensures your IoT solution is not vulnerable to attack. Choosing the right technology and then taking the steps necessary to protect it will help keep your solution secure and also your information and the information of your customers secure.

Find out more about security here.

If you would like to learn more, please get in touch.