Editor's Note: This guest post was originally published by guest author Ahmed Banafa. Ahmed is currently a lecturer at the College of Engineering at San Jose University and is a five-time winner of the instructor of the year award. Ahmed is also a contributor to LinkedIn, IBMCloud, IBM Big Data Analytics Hub, and HP Infrastructure Insights and has been published on MIT Technology Review, ComputerWorld, Livescience, Techonomy, and Openmind. Subscribe to his blog, New Trends in Hi Tech, or follow him on Twitter.
How to Secure the Internet of Things (IoT)?
The Internet of Things (IoT) as a concept is fascinating and exciting, but the key to gaining real business value from it is effective communication between all elements of the architecture, so you can deploy applications faster, process and analyze data at lightning speeds, and make decisions as soon as you can.
IoT architecture can be represented by four systems:
- Things: These are defined as uniquely identifiable nodes, primarily sensors that communicate without human interaction using IP connectivity.
- Gateways: These act as intermediaries between things and the cloud to provide the needed Internet connectivity, security and manageability.
- Network infrastructure: This is comprised of routers, aggregators, gateways, repeaters and other devices that control data flow.
- Cloud infrastructure: Cloud infrastructure contains large pools of virtualized servers and storage that are networked together.
Next-generation trends, namely Social Networks, Big Data, Cloud Computing, and Mobility, have made many things possible that weren’t just a few years ago. Add to that the convergence of global trends and events that are fueling today’s technological advances and enabling innovation, including:
- Efficiency and cost-reduction initiatives in key vertical markets
- Government incentives encouraging investment in these new technologies
- Lower manufacturing costs for smart devices
- Reduced connectivity costs
- More-efficient wired and wireless communications
- Expanded and affordable mobile networks
The Internet of Things (IoT) is one big winner in this entire ecosystem. IoT is creating new opportunities and providing a competitive advantage for businesses in current and new markets. It touches everything: not just the data, but how, when, where and why you collect it. The technologies that have created the Internet of Things aren’t changing only the internet; they are also changing the things connected to the internet: the devices and gateways on the edge of the network that are now able to request a service or start an action without human intervention at many levels.
Because the generation and analysis of data is so essential to the IoT, consideration must be given to protecting data throughout its life cycle. Managing information at this level is complex because data will flow across many administrative boundaries with different policies and intents. Generally, data is processed or stored on edge devices that have highly limited capabilities and are vulnerable to sophisticated attacks.
Given the various technological and physical components that truly make up an IoT ecosystem, it is good to consider the IoT as a system-of-systems. The architecting of these systems that provide business value to organizations will often be a complex undertaking, as enterprise architects work to design integrated solutions that include edge devices, applications, transports, protocols, and analytics capabilities that make up a fully functioning IoT system. This complexity introduces challenges to keeping the IoT secure, and ensuring that a particular instance of the IoT cannot be used as a jumping off point to attack other enterprise information technology (IT) systems.
International Data Corporation (IDC) estimates that 90% of organizations that implement the IoT will suffer an IoT-based breach of back-end IT systems by the year 2017.
Challenges to Secure IoT Deployments
Regardless of the role your business has within the Internet of Things ecosystem (device manufacturer, solution provider, cloud provider, systems integrator, or service provider), you need to know how to get the greatest benefit from this new technology that offers such highly diverse and rapidly changing opportunities.
Handling the enormous volume of existing and projected data is daunting. Managing the inevitable complexities of connecting to a seemingly unlimited list of devices is complicated. And the goal of turning the deluge of data into valuable actions seems impossible because of the many challenges. The existing security technologies will play a role in mitigating IoT risks, but they are not enough. The goal is to get data securely to the right place, at the right time, in the right format. That is easier said than done for many reasons; the Cloud Security Alliance (CSA) listed some of the challenges in a recent report:
- Many IoT Systems are poorly designed and implemented, using diverse protocols and technologies that create complex configurations.
- Lack of mature IoT technologies and business processes
- Limited guidance for life cycle maintenance and management of IoT devices
- The IoT introduces unique physical security concerns
- IoT privacy concerns are complex and not always readily evident.
- Limited best practices available for IoT developers
- There is a lack of standards for authentication and authorization of IoT edge devices
- There are no best practices for IoT-based incident response activities.
- Audit and Logging standards are not defined for IoT components
- Restricted interfaces available on IoT devices to interact with security devices and applications.
- No focus yet on identifying methods for achieving situational awareness of the security posture of an organization’s IoT assets.
- Security standards for platform configurations involving virtualized IoT platforms supporting multi-tenancy are immature.
- Customer demands and requirements change constantly.
- New uses for devices—as well as new devices—sprout and grow at breakneck speeds.
- Inventing and reintegrating must-have features and capabilities are expensive and take time and resources.
- The uses for Internet of Things technology are expanding and changing—often in uncharted waters.
- Developing the embedded software that provides Internet of Things value can be difficult and expensive.
Some real examples of threats and attack vectors that malicious actors could take advantage of are:
- Control systems, vehicles, and even the human body can be accessed and manipulated causing injury or worse.
- Health care providers can improperly diagnose and treat patients.
- Intruders can gain physical access to homes or commercial businesses
- Loss of vehicle control.
- Safety-critical information such as warnings of a broken gas line can go unnoticed
- Critical infrastructure damage.
- Malicious parties can steal identities and money.
- Unanticipated leakage of personal or sensitive information.
- Unauthorized tracking of people’s locations, behaviors and activities.
- Manipulation of financial transactions.
- Vandalism, theft or destruction of IoT assets.
- Ability to gain unauthorized access to IoT devices.
- Ability to impersonate IoT devices.
Dealing with the challenges and threats
Gartner predicted at its security and risk management summit in Mumbai, India this year that more than 20% of businesses will have deployed security solutions for protecting their IoT devices and services by 2017. IoT devices and services will expand the surface area for cyber-attacks on businesses by turning physical objects that used to be offline into online assets communicating with enterprise networks. Businesses will have to respond by broadening the scope of their security strategy to include these new online devices.
Businesses will have to tailor security to each IoT deployment according to the unique capabilities of the devices involved and the risks associated with the networks connected to those devices. BI Intelligence expects spending on solutions to secure IoT devices and systems to increase fivefold over the next four years.
The Optimum Platform
Developing solutions for the Internet of Things requires unprecedented collaboration, coordination, and connectivity for each piece in the system, and throughout the system as a whole. All devices must work together and be integrated with all other devices, and all devices must communicate and interact seamlessly with connected systems and infrastructures. It’s possible, but it can be expensive, time consuming, and difficult.
The optimum platform for IoT can:
- Acquire and manage data to create a standards-based, scalable, and secure platform.
- Integrate and secure data to reduce cost and complexity while protecting your investment.
- Analyze data and act by extracting business value from data, and then acting on it.
Security needs to be built in as the foundation of IoT systems, with rigorous validity checks, authentication, and data verification, and all data needs to be encrypted. At the application level, software development organizations need to be better at writing code that is stable, resilient and trustworthy, with better code development standards, training, threat analysis and testing. As systems interact with each other, it's essential to have an agreed interoperability standard that is safe and valid. Without a solid bottom-top structure we will create more threats with every device added to the IoT. What we need is a secure and safe IoT with privacy protected: a tough trade-off, but not impossible.
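
One way a gateway could apply the authentication, data verification and validity checks described above, as an added example that is not part of the original post. The device ID, key, counter field and temperature range are constructed assumptions, and encryption in transit (for example TLS) is assumed to be handled separately.

```python
import hashlib
import hmac
import json

# Constructed sample data (assumptions for illustration, not from the post).
DEVICE_KEYS = {"sensor-01": b"constructed-demo-key-not-for-production"}
LAST_COUNTER = {}              # highest counter accepted per device
TEMP_RANGE_C = (-40.0, 125.0)  # assumed plausible range for this sensor


def sign_reading(device_id, counter, temp_c, key):
    """Thing side: canonical JSON body plus an HMAC-SHA256 tag over it."""
    body = json.dumps({"id": device_id, "ctr": counter, "temp_c": temp_c},
                      sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def _is_number(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def verify_reading(body, tag):
    """Gateway side: return (accepted, reason) for one received message."""
    try:
        msg = json.loads(body)
        device_id, counter, temp_c = msg["id"], msg["ctr"], msg["temp_c"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    key = DEVICE_KEYS.get(device_id) if isinstance(device_id, str) else None
    if key is None:
        return False, "unknown device"
    # Authentication and integrity: constant-time comparison of the tag.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not isinstance(tag, bytes) or not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    # Replay protection: the counter must strictly increase per device.
    if not isinstance(counter, int) or isinstance(counter, bool) \
            or counter <= LAST_COUNTER.get(device_id, -1):
        return False, "replay"
    # Validity check: reject values the sensor could not physically report.
    if not _is_number(temp_c) \
            or not TEMP_RANGE_C[0] <= temp_c <= TEMP_RANGE_C[1]:
        return False, "out of range"
    LAST_COUNTER[device_id] = counter
    return True, "ok"
```

The tag is checked before any field is trusted, so a tampered counter or reading is rejected as "bad tag" rather than reaching the replay or range logic.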