Securing the Internet of Things: A Public Safety Issue

Phillimon Zongo

Phillimon Zongo, Cyber Security Consultant

The explosion of intelligent connected devices – the Internet of Things (IoT) – is presenting fascinating possibilities for businesses and consumers.

Heart monitoring devices, glucose monitors and other health-related IoT devices are enabling patients to proactively monitor their health and take corrective steps. Mining companies are attaching tracking devices to underground workers to promptly locate them in the event of a disaster, dramatically cutting down evacuation time and improving safety. Meanwhile, farmers are equipping cows with intelligent devices to reduce livestock losses, improve breeding success, maximize pastures and increase milk production—a concept referred to as connected cows.

McKinsey Global Institute, a leading think tank, estimates that IoT-related applications could have US $11 trillion economic impact by 2025, with one-third of that coming from manufacturing.

IoT is virtually transforming every industry sector, but securing these billions of smart devices is complex and daunting. The threats posed to the public are growing by the year. Here are three key reasons why.

The vast amount of personal data generated by IoT devices is generating significant privacy concerns. Take insurance firms, for example, which are considering offering discounts to policy holders who volunteer to wear devices that monitor their health, eating habits, sleeping patterns or other intimate information. While such initiatives can motivate customers to pursue healthy habits, the same consumers also believe companies are getting more intrusive into their lives. Furthermore, these companies could share sensitive information about consumers’ health, activities and location with unauthorized third parties or retain sensitive data way past policy termination. This risk has caught the attention of regulators. In 2016, multiple fitness wearable-makers faced a formal complaint from Norway's consumer watchdog for allegedly breaking European privacy laws and exploiting their users’ information.

Most devices are fundamentally flawed in their security design. In addition, the same devices have limited processing power to run modern security capabilities. Further complicating matters, most manufacturers prioritize device functionality over security. Their motivations are clear: Minimum capital investments, rapid time to market and higher profits.

The 2016 DDoS attack against Internet performance management company Dyn provided a sobering insight into the implications of interconnecting millions of insecure things. Hackers exploited easy-to-guess default passwords in approximately 100,000 webcams, baby monitors, camcorders and other devices; turned them into bots (zombies); and commandeered them to launch a debilitating attack against Dyn, crippling many notable websites, including Twitter and Netflix.

This incident is not isolated. In September 2016, OVH, a well-known web hosting provider, claimed to have resisted a simultaneous enormous DDoS attack of 990Gbps, launched by a botnet consisting of more than 145,000 compromised IoT devices (IP cameras and DVRs).

Industry standards providing cyber security guidance to IoT device manufactures are scarce to non-existent. This also creates a significant challenge for consumers, as they lack baseline IoT device security prior to purchase. But this is slowly changing. For example, on 28 December, 2016, the U.S. Department of Health and Human Services Food and Drug Administration (FDA) issued draft guidance for managing post-market cyber security vulnerabilities for marketed and distributed medical devices. However, given the pervasiveness of these devices across many industries and geographies, more work is required.

The risk posed by vulnerable IoT devices will invariably rise as more of these devices permeate homes, businesses and vital sectors such as healthcare, aviation, manufacturing and transportation. The prospect of online predators taking control of Wi-Fi-connected baby monitors unsettles any parent. Likewise, attacks exploiting security flaws in heart monitoring devices, elevators or web-connected cars could result in dire consequences.

Given the dangers are so significant, it’s critical that industry bodies, regulators and device manufacturers work together toward unified, long-term goals. Device manufacturers have a significant role to play, particularly building tight security into new devices during design and establishing clear product road maps to ensure these controls keep up with the rapidly changing threat landscape. Equally important, businesses should ensure that sensitive data collected by these devices are only used for originally intended purposes, and not passed on to unauthorized entities without customer permissions. Absent these fundamental controls, IoT’s full potential may not be realized.

Original blog sourced from ISACA Now Blog

Tags: ISACA, Internet of Things (IoT)

Show Comments