Insecurity in IoT

Experts report that the Internet of Everything (also known as the Internet of Things) opens the door for the hacking of everything. Here is how companies can remove these security risks.

Remember the Jetsons? The futuristic family, living in Orbit City, with completely automated homes, hover transportation and holograms for communication? In 1962, when this fictional family made its television debut, their highly mobile and interconnected life seemed unrealistic. Today, it is becoming reality.

By employing the Internet of Things (IoT) in our homes, the lights turn on and the temperature adjusts automatically when we walk through the door, our refrigerators inform us when we need milk, and high-tech washers and dryers notify us via smartphone when our clothes are done.

But the IoT is transforming more than just how we live; it’s also revolutionizing the global supply chain. Shippers are deploying active tracking devices on cargo containers to monitor shipments in real time. Manufacturers are placing temperature sensors on finished products to ensure food and pharmaceuticals are always stored at the right temperatures. IoT sensors are making sure packages arrive on time and without damage. Factories are employing IoT to automate intelligent thermostats, improve security systems, and control equipment settings and process workflow to optimize performance. And manufacturers are adding IoT to their products so they can update and troubleshoot systems on the fly.

“IoT provides a completely transformational set of capabilities and business models for companies who embrace it, think creatively and understand the power of what connectivity and the resulting data can do for them,” says Neil Hampshire, chief information officer of ModusLink, a Waltham, Massachusetts-based provider of supply chain management services.

The Jetsons shines a spotlight on the lighter side of technology, but there is also a darker side. Glen Gilmore, an attorney and author who is an instructor with Rutgers Business School-Executive Programs, where he has created instruction in digital marketing, crisis communications and supply chain management, warns “regulatory and law enforcement authorities are issuing new warnings about the vulnerabilities of such technologies to hacking.”

As the use of IoT flows throughout the supply chain, it opens up a flood of security risks, vulnerabilities many companies fail to consider beforehand. “It’s very easy to get swept up in the hype and get into IoT without really thinking it through,” stresses Hampshire.

Sean Valcamp, chief information officer for Avnet Inc., a provider of electronic component solutions based in Phoenix, Arizona, agrees, noting that incorporating IoT without considering cybersecurity is “like jumping into the deep end of the pool before learning to swim.”

As IoT devices and applications evolve, so must cybersecurity policies and practices. “We must recognize that the Internet of Everything [another term for IoT] introduces the potential for the hacking of everything,” Gilmore stresses. “IoT may be the weakest link in breaking into an enterprise digitally because businesses fail to recognize the risks of using smart devices. Every organization should be devoting resources to figuring out how to ensure IoT is not the weakest link in the cybersecurity chain.”

Risky Business

The Internet of Things is a term coined by Kevin Ashton, a British technology pioneer who cofounded the Auto-ID Center at the Massachusetts Institute of Technology. Loosely defined, it is a network of physical objects embedded with electronics, software, sensors and network connectivity, which enables these objects to collect and exchange data, often through the Internet.

According to Daniel Miessler, director of advisory services at IOActive, a Seattle, Washington-based security consultancy, the fundamental idea behind IoT is taking devices that until now operated in an analog world or offline, and enabling them to collect data and offer data about their functionality. With this technology deployed, companies have computerized tens of thousands of devices, and they are all part of an IoT talking to each other through application programming interfaces (APIs), which act as the remote control for IoT devices. The insecure backdoor to a company’s data lies in these APIs.

Hampshire explains that adding billions of data collection and transmission points across the global supply chain creates billions of backdoors that when left “unlocked” leave organizations unprotected. If cyber criminals breach just one of these backdoors, it may be possible to access the networks of multiple companies across the supply chain. “The IoT is exploding with the number of smart devices that can enable business-to-business and business-to-consumer transactions, and the volume of data attributable to an individual or a company is exploding exponentially,” Hampshire says. “Therefore the risk of unscrupulous individuals gaining access to your information is much larger and richer than it was.”

In a scenario where many companies are already swimming in the IoT sea, cybersecurity may be the life raft they need before drowning in security risks. “It will be critical as IoT applications are developed and perfected that concerns about security are properly addressed,” states author Gregory Braun, senior vice president of sales and marketing for C3 Solutions, in a white paper titled, “The Internet of Things and the Modern Supply Chain.”

“In the race to tap into IoT, some enterprises have put themselves at risk by not recognizing the responsibilities that come along with leveraging this technology,” Gilmore agrees. “IoT comes with a learning curve and a new host of risks. It’s not simply about understanding new technologies, it’s about keeping pace with new regulatory responsibilities as well.”

Shut the Door

The first step toward minimizing IoT-related cybersecurity risks is closing backdoor access by understanding every device’s inherent vulnerabilities and their outgoing and incoming links to other systems.

IoT has four major building blocks, according to a white paper titled “IoT Platforms: The Central Backbone for the Internet of Things.” These are hardware (physical devices with IoT installed); communication (where the data are transported); the software backend (where data are managed); and applications (where data are turned into value). “Security is a must-have element for all of these building blocks,” states the white paper sponsored by IoT Analytics, a Hamburg, Germany-based provider of market insights for the IoT.

A security breach can happen in any of these areas. “It can happen at the device level if the device hasn’t locked it down; in the software itself; as the device is transmitting data into the cloud; and as the device receives data, so every connection that comes in and out of that platform needs to be secure,” Hampshire says.

Kevin Bromber, CEO of myDevices, a connected device, IoT platform company based in Los Angeles, stresses companies should be aware of all IoT entry points and touchpoints in their systems. “You need to look at anywhere data enters and leaves your system, and map out these locations,” he says. A thorough security audit can identify IoT on the network. This assessment will show where devices are and how they communicate with the network to pinpoint potential security vulnerabilities. But Bromber cautions this map must be updated regularly, as often as once a month. “It will change as you add new devices and services,” he says. “You could take a snapshot in time and say ‘oh yeah we are secure’ but a month from now it’s going to look different and your system may be open again.”

Avnet, which has had a security awareness program in place for more than six years, regularly scans its entire network for vulnerabilities. This assessment returns two main results: managed devices (all of those devices the company knows about) and unmanaged devices (those devices they didn’t know existed). “If someone went in and deployed an IoT device on our network [without authorization], we would see that and be able to respond,” Valcamp says.
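The managed/unmanaged split described above, combined with Bromber's point that the device map changes from month to month, can be sketched as a reconciliation of scan results against an approved inventory. This is an added example, not code from Avnet, myDevices or any tool named in the article; the inventory, the "IP MAC" scan format and all addresses are constructed assumptions.

```python
import re

# Constructed sample data: the approved inventory (normalized MAC -> asset).
MANAGED = {"00:1a:2b:3c:4d:5e": "dock temperature sensor",
           "00:1a:2b:3c:4d:5f": "warehouse thermostat",
           "00:1a:2b:3c:4d:60": "conference-room display"}
# Constructed scan results, one "IP MAC" pair per line, mixed MAC notations.
SCAN_LAST_MONTH = """10.0.4.11 00:1A:2B:3C:4D:5E
10.0.4.12 00-1a-2b-3c-4d-5f
10.0.4.13 001a.2b3c.4d60"""
SCAN_TODAY = """10.0.4.11 00:1A:2B:3C:4D:5E
10.0.4.12 00-1a-2b-3c-4d-5f
10.0.4.27 02:00:5E:10:00:27
scan interrupted"""

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_scan(text):
    """Map normalized MAC -> IP for each well-formed line; skip the rest."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        mac = normalize_mac(parts[1]) if len(parts) == 2 else None
        if mac:
            seen[mac] = parts[0]
    return seen

def reconcile(inventory, current, previous):
    """Compare today's scan with the inventory and with the previous scan."""
    return {
        "unmanaged": sorted(m for m in current if m not in inventory),
        "missing": sorted(m for m in inventory if m not in current),
        "new_since_last_scan": sorted(m for m in current if m not in previous),
    }

def report():
    """Run the reconciliation over the constructed samples above."""
    return reconcile(MANAGED, parse_scan(SCAN_TODAY), parse_scan(SCAN_LAST_MONTH))

if __name__ == "__main__":
    for category, macs in report().items():
        print(f"{category}: {macs}")
```

Normalizing MAC notation before comparing matters because scanners and inventories rarely agree on format; without it, a managed device would be misreported as unmanaged.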

Securing IoT requires companies to employ good security patching and monitoring practices. Valcamp cites Blu-ray players as an example. Consumers connect these devices to their home Wi-Fi networks, but how many consumers regularly update the security patches for them? Most don’t, he claims. “Corporations and companies need to make sure they have a way of keeping IoT devices current in terms of identified vulnerabilities and make sure they are monitoring the activity on those devices to identify and close backdoors,” he says.

People, Processes and Tools

“Businesses using IoT to automate processes or collect real-time data from customers must have strong cybersecurity policies and procedures in place so that the processes being automated or the data being shared is not hacked,” says Gilmore, who is recognized as a top influencer on the Internet of Things by Inc. and Onalytica and is designated as a futurist by IBM. Before Avnet deploys new IoT, its information technology professionals make sure its security platforms, networking tools and software can see it. “Then we have processes and response plans in place if we start to see malicious activity at any of those endpoints,” Valcamp says.

It’s also important to assign an employee or team of employees to track IoT cybersecurity issues. This person or team should be responsible for considering the IoT cybersecurity practices of business partners as well.

Companies must designate which employees are authorized to use smart devices, and once devices on the network are known, these employees should use unique keys to access them. This helps ensure access is limited to authorized users only, and that the device itself is an approved piece of equipment on a company’s network. Using software such as ModusLink’s Poetic helps companies provide unique keys for users, control access to downloadable assets, record usage information from thousands of devices, and control and manage features and functions of thousands of devices at once. There needs to be multilevel authentication and specific data access rules.

Valcamp advises companies to then add technology to help secure their networks. At the very least, he recommends a vulnerability scanner, which continuously scans the network for potential vulnerabilities; a security risk management platform, which takes information from these scans and other sources and correlates the data to generate security intelligence; an integration platform, which can enhance the visibility part of the security practice; and technology that monitors traffic between devices inside and outside the company network.

“You need to make sure you have appropriate penetration testing and detection capabilities, intrusion detection methodologies and tools, and the management processes in place to audit and oversee that environment,” says Hampshire. “These are basic principles that remain the same whether you have a couple points of access or millions of points of access around the globe.”

All communication with devices outside the company’s four walls or in the cloud should be encrypted. This includes the data at rest and in transmission, residing on internal and external servers. “We use TLS [Transport Layer Security] and X.509 certificates to make sure we have a secure handshake and encryption between devices,” Hampshire says. “It is important to look at device-to-device, device-to-cloud types of security and really take advantage of that.”

Finally, companies should plan and rehearse their response to a significant data breach. Gilmore maintains enterprises, both large and small, must plan for a cyberattack and consider what this might encompass based on the IoT devices they are using. This crisis planning should detail the actions the organization will take if there is a breach of consumer data as well as what would occur if a cyberattack disrupts its operations and/or the operations of its consumers or partners.

At minimum, Hampshire says there need to be tools in place that allow companies to disconnect rogue devices from the network, but there should also be internal processes that determine the extent of the breach, be it unauthorized access to data or unauthorized access to systems and servers, and what information might be compromised.

While the risks are real, keeping IoT secure isn’t rocket science. “The real key is to never lose focus or sight on good foundational security practices,” Valcamp states. “You need good visibility into what’s going on in your network to manage the growth of IoT and really leverage its value.”


IoT by the Numbers

33 percent

The percentage of businesses planning to or already conducting IoT projects.

(Source: Forrester)

26 billion

The number of connected things worldwide by 2020.

(Source: Gartner)

70 percent

Of the most commonly used IoT devices contain security vulnerabilities.

(Source: Hewlett-Packard Co.)

$11 trillion

Business opportunity expected to be generated by IoT over the next 30 years.

(Source: McKinsey)


IoT Security for Products Too

Daniel Miessler, director of advisory services at IOActive, warns of an overlooked area of IoT security: the devices companies manufacture. Often manufacturers fail to consider where the components in their products come from, and Miessler stresses they need to consider whether their suppliers have a vested interest in purposely putting an insecure backdoor into their products.

“Manufacturers are shipping products that have backdoors in them because they didn’t look at all the software, firmware and hardware in that product, and validate that every single one of these components was trustworthy and secure,” he says.

IOActive helps manufacturers with this daunting task. The company helps its clients integrate security early on in the procurement and production cycle to avoid introducing security vulnerabilities into a product.

“We lay out a company’s entire supply chain and look at the sourcing for critical components, then we look at the source code in these systems, and assess the companies providing them to ensure backdoors are closed,” he says.