Employing the Internet of Things (IoT) without a cybersecurity plan is a lot like playing the trust fall game without a person to catch you. The one thing that has been a constant since the first computer went online is that almost any technology, including the IoT, can be hacked.
The case of a possessed baby monitor shouting obscenities at a Texas tot provides a terrifying view into the IoT’s inherent security risks. Here, a hacker bypassed a firewalled and password-protected wireless network to gain access to the unit, and control its camera and voice mechanisms to terrorize the end user.
Understanding how the IoT works provides insight into how the above situation and others are possible. With the IoT, an object (for example, a sensor in a baby monitor, on the engine of a delivery truck, on a pallet of fresh food stored in a cold-chain warehouse or on equipment in a manufacturing plant) becomes part of a networked environment. These sensors collect information, then transmit it through a host of devices and networks to data centers located in the cloud. Later, users can retrieve data from the cloud for analysis. This process introduces security vulnerabilities that must be addressed at every step of the data journey.
Ryder System Inc., a commercial fleet management, dedicated transportation and supply chain solutions company, is broadening its technology roadmap to leverage IoT sensors across the full spectrum of its logistics services. The company is expanding its use of IoT sensors on fleet vehicles to pinpoint preventive maintenance needs, locate a truck at any given time and provide real-time information, including customer order data. Though this information is extremely valuable to company operations, Mel Kirk, Ryder senior vice president and CIO, emphasizes that using the IoT in this way also introduces cybersecurity risks.
“The supply chain business is becoming an order management business in which an order encompasses information regarding the point of sale, the person’s name and address, and possibly even credit card number,” he says. “There are more insights about individuals than ever before, casting an even greater spotlight on security.”
Ricardo Bonefont, director of enterprise information technology (IT) security and compliance at Ryder, says, “It’s all about the data [and] ensuring it’s protected along the way. In the old days, the data was contained within our firewalls, but now it’s on the Internet and in the cloud, and security is an important consideration.”
Though Ryder takes steps to protect its data, often IoT security vulnerabilities are not considered until things go awry, states Drew Cohen, president and CEO at MasterPeace Solutions of Columbia, Maryland. “The race to adopt this technology and make your devices smarter is what the marketplace is demanding. Because security can be an inhibitor to adoption, it often comes after the fact,” he says.
Gemalto is an international digital security and IoT company providing software applications, IoT connectivity modules and security solutions, including Machine Identification Modules (MIMs), secure elements, smart cards and tokens, and managed services. In this role, the firm works with enterprises to connect devices and things, and boost their IoT security.
Gemalto’s e-book, A Safer Internet of Things, recommends that data be secured “not only on the [IoT] device, but on its journey through the network toward the data center and beyond. With so many links in the chain, the security framework must be interconnected and coordinated to avoid breaches, snooping, hacking or accidental leaks.”
This requires companies to think beyond the typical scope of security, says Juan Carlos Lazcano, vice president of the IoT for North America at Gemalto. He explains, “The reality is companies often only consider security from the device point of view and not as part of something that belongs to a much bigger ecosystem. They think about what they need to secure from their implementation, but not what type of access it could give to the rest of the ecosystems—this puts an enterprise at risk.”
Put Tech in Place
Zuul IoT Inc., a spinout of MasterPeace Solutions’ LaunchPad accelerator, helps companies secure the IoT. It’s a capability Cohen views as essential as the IoT becomes commonplace within the supply chain. “With the IoT, the price points are low, the software is readily available and the capabilities are high. However, when you put general purpose technology into specialized devices, you’re taking the same cyber vulnerabilities and deploying them in things that were never connected before,” he says.
While many IoT companies are opting to make IoT sensors more secure by encrypting data on the device and in its communications, they are implementing the technology in a cybersecurity vacuum relative to existing network security solutions, Cohen maintains.
On the other side of the spectrum, network security employees within companies are working to enhance cybersecurity across the enterprise. However, the protections they are putting in place focus on safeguarding the general IT structure.
Both are good strategies, but Cohen says a disconnect arises because those securing the IoT are not partnering with those protecting the enterprise. “There is a real opportunity here to make them smarter about each other,” he says. “Most enterprises have security in place, but the IoT isn’t connected into it. And often, the network security group doesn’t even know what its IoT devices are doing.”
Zuul IoT helps bridge this gap through an innovative solution designed to integrate security across both the IoT and the enterprise. Zuul’s solution is based on two products, the Gatekeeper and Keymaster, that help secure IoT devices across a range of industries. The Keymaster first secures the IoT devices by checking that they are properly configured and their data transmissions are encrypted. The Gatekeeper puts alerts in place should the device access files it’s not supposed to or change data within the network. The Gatekeeper establishes network whitelists and application-to-endpoint whitelists that essentially say, “The only places these IoT devices are allowed to go is back to their known endpoints and not to anywhere on the Internet.”
“We create firewalls and lock them down so they cannot communicate beyond where they are supposed to,” Cohen says.
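The allow-list idea described above can be sketched as a default-deny check over observed network flows. This is an added example, not Zuul's product code; the device classes, subnets, ports and flow records are constructed for illustration.

```python
import ipaddress

# Constructed policy: device class -> (destination network, port) pairs it may reach.
# Class names, subnets and ports are hypothetical.
ALLOWLIST = {
    "cold-chain-sensor": [("10.20.0.0/24", 8883)],
    "truck-telematics": [("10.20.1.10/32", 443)],
}

# Constructed flow records: (device_id, device_class, dst_ip, dst_port).
FLOWS = [
    ("sensor-017", "cold-chain-sensor", "10.20.0.5", 8883),     # known endpoint
    ("sensor-017", "cold-chain-sensor", "203.0.113.50", 443),   # Internet address
    ("truck-042", "truck-telematics", "10.20.1.10", 443),       # known endpoint
    ("truck-042", "truck-telematics", "10.20.0.5", 8883),       # another class's endpoint
    ("cam-003", "unregistered-camera", "10.20.0.5", 8883),      # class with no policy
    ("sensor-018", "cold-chain-sensor", "not-an-ip", 8883),     # malformed record
]


def is_allowed(device_class, dst_ip, dst_port, policy=ALLOWLIST):
    """Default deny: a flow passes only if it matches an entry for its class."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False  # an unparsable destination is treated as a violation
    for cidr, port in policy.get(device_class, []):
        if dst_port == port and addr in ipaddress.ip_network(cidr):
            return True
    return False


def violations(flows, policy=ALLOWLIST):
    """Return every flow that leaves its device class's allow-list."""
    return [f for f in flows if not is_allowed(f[1], f[2], f[3], policy)]


if __name__ == "__main__":
    for device_id, device_class, dst_ip, dst_port in violations(FLOWS):
        print(f"ALERT {device_id} ({device_class}) -> {dst_ip}:{dst_port}")
```

Because the check is keyed on device class, a device reaching an endpoint that is valid for a different class is flagged as well, which surfaces lateral movement inside the network and not only traffic to the Internet.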
Get Back to Basics
Though no standard currently exists specifically for securing the IoT, Bonefont states ISO 27001:2013 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework provide guidelines that can help companies bolster IoT security.
A primary consideration within these standards is mapping the devices connecting into a company’s network and performing annual audits to make sure the entire system, from the IoT sensors to the internal network, meets industry standards.
In A Safer Internet of Things, Gemalto goes beyond these steps and introduces four additional measures designed to improve IoT security:
1) Evaluate risk. Developers need to understand all potential vulnerabilities. Evaluation processes should cover privacy, safety, fraud, cyberattacks and intellectual property (IP) theft.
2) Secure by design. Gemalto reports it is key that device security is considered at the development stage. This should include end-to-end points and countermeasures, including tamperproof hardware and software.
3) Secure the data. To properly secure data, companies need strong authentication, encryption and securely managed encryption keys. Lazcano says, “All too often, people say, ‘I added a key, the device is secure.’ The problem is they put it in a place that is really hackable, like memory that is not protected at all. But because they put a key in there, they feel like they have an adequate security system.”
Lazcano recommends a trusted key manager solution that generates a unique identification and authentication key for each device, so if one device is hacked, the rest of the devices on the network remain secure. He explains, “By eliminating the use of a common password and a common authentication key, you are diversifying the keys, making it much harder for anyone to get mass access to your devices.”
4) Engage lifecycle management. Security is ongoing; a company cannot set it up and forget about it. Gemalto’s guide states it’s “imperative that IoT devices are protected for the lifecycle of the device.” Lazcano adds, “Many pieces are used for decades, so you have to think about the lifecycle of your devices, and how security might be improved and enhanced over time.”
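The key diversification recommended in step 3 can be illustrated with a per-device key derived from a master secret and the device ID, then used in a challenge-response check. This is an added example, not Gemalto's key manager; it uses HKDF-SHA256 (RFC 5869) as one common way to derive such keys, and the salt, label and device IDs are assumptions.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_key(master_key, device_id):
    """Unique authentication key per device. The master key stays in the key
    manager; only the derived key is provisioned to the device, ideally into
    a secure element and not unprotected memory."""
    # Salt and "auth|" label are hypothetical domain-separation values.
    return hkdf_sha256(master_key, salt=b"iot-fleet-v1",
                       info=b"auth|" + device_id.encode())


def fresh_challenge():
    """Random nonce the server sends so old responses cannot be replayed."""
    return secrets.token_bytes(16)


def respond(key, challenge):
    """Device side: prove possession of its key without sending it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify(master_key, device_id, challenge, response):
    """Server side: re-derive the claimed device's key and compare in constant time."""
    expected = respond(device_key(master_key, device_id), challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    master = secrets.token_bytes(32)        # constructed master secret
    stolen = device_key(master, "truck-042")  # key extracted from one device
    c = fresh_challenge()
    print("truck-042 authenticates:", verify(master, "truck-042", c, respond(stolen, c)))
    print("stolen key as truck-043:", verify(master, "truck-043", c, respond(stolen, c)))
```

A key taken from one device authenticates only as that device, so revoking a single device ID contains the compromise without re-keying the fleet.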
When technology, processes and policy are protecting the IoT, it is possible for companies to play the IT trust fall game with a cybersecurity safety net, thus keeping their systems safe and their information secure.