Security Concerns Plague Internet of Things Development

The Internet of Things (IoT) is poised to become the largest network of networks the world has ever seen (both in terms of connected devices and data generated). The IoT will primarily be a machine-to-machine internet generating exponentially more data than the World Wide Web, which is principally a human-to-human internet. Nigel Fenwick (@NigelFenwick), a Vice president and principal analyst at Forrester Research, explains, “Based on the sheer volume of internet connected devices coming on the market, … we’re going to see an explosion in the Internet Of Things. Everything — from wearables that track everything from your health and fitness to the temperature of a newborn child, and in-home appliances that interconnect to create a home environment tailored to your preferences — everything is now designed with sensors that collect data that’s used to deliver better customer outcomes. Or at least that’s the promise. Sensors can and will improve our lives — giving us more data and insight about our environment and allowing us to tailor experiences to be more finely tuned to our personal desires. The data provided by the sensors in the Internet Of Things is the fuel for further digital transformation.”[1] But it’s not the home and consumer device market that will drive Internet of Things growth. The IoT will be driven by the commercial sector.

The Internet of Things is Going to be Big

Brian Buntz (@brian_buntz), writes, “There is a ton of hype surrounding the Internet of Things. But the common assumption that the IoT is progressing at a linear rate is wrong.”[2] He asserts, “The IoT is about shift into ludicrous mode.” Buntz reports that Cisco’s Rowan Trollope (@rowantrollope) told participants at the 2016 Cisco Live conference, “One of the biggest mistakes you could make now is to underestimate the Internet of Things.” David Booth, CEO at BackOffice Associates, adds, “We are at the tipping point of the Internet of Things (IoT) — where physical devices across the globe are consuming and creating data to drive a continuously connected world.”[3] The IoT will be particularly important for commercial supply chains. Kaitlyn McAvoy (@KMcAvoySM) reports, “Supply chain organizations are increasingly leveraging the internet of things to improve operations and improve customer service. A recent survey of 600 supply chain decision-makers shows a majority of organizations either have or plan to have an IoT strategy in place.”[4]

The study to which McAvoy refers was published by eft, a business intelligence company serving the logistics and supply chain industry. The report concluded, “As supply chains are strained under competition, technology is proving to be a valuable differentiator and competitive advantage. … We’re seeing a clear shift in preference towards IoT and away from some of the more traditional visibility tools — bar codes, RFID, etc. This trend is only going to be further entrenched as companies continue to see ROI from their IoT investments.” McAvoy indicates the report found IoT security was a major concern. She explains, “While organizations realize the benefits of the IoT, many still feel that cybersecurity is a threat to their IoT strategy. Nearly half, 47%, of eft survey respondents said cybersecurity was a ‘moderate’ threat. About a third identified it as a minor threat, while 17% said cybersecurity was a major threat to their organization’s IoT strategy. Just 5% said it was not considered a threat.”

Security is the Largest IoT Concern

Although the eft study found about half of the respondents believed cybersecurity was only a moderate threat, the study was conducted early last year. Events unfolding late last year might have pushed their concerns from the moderate to the major category. Jane Goh, Senior Product Marketing Manager at Elementum, explains, “Massive DDoS attacks on Dyn, an Internet infrastructure company, caused massive disruption of services for Twitter, Spotify, Reddit, Amazon, Netflix, Paypal, and a host of other well-known sites. With attacks like this, hackers have shown they can now harness the collective firepower of Internet connected devices, such as CCTV video cameras and DVRs, to launch sophisticated, highly distributed attacks involving tens of millions of IP addresses. With the proliferation of these so-called Internet of Things devices, the potential impact is sobering.”[5] She continues:

Internet of Things Security“With the fast pace of growth in the IoT industry, security has not been a priority, much less a requirement, for IoT devices. And in the rush to bring devices to market, some manufacturers have taken short cuts such as hard coding default passwords into firmware, making it impossible to guard these devices against malware intrusion. Even with changeable default passwords, the end user would not be concerned with the security of his DVR or camera as long as it is functioning properly. As these large-scale DDoS attacks become more mainstream, there will be negative impact on IoT manufacturers and retailers. Worse, it will negatively impact their supply chains.”

The editorial staff at Material Handling & Logistics reports security concerns could impede IoT growth. “It is clear that many pre-requisites are not yet in place for IoT to be widely deployed,” the staff writes.[6] That conclusion was drawn from a study conducted by IDTech Ex. Peter Harrop, chairman of IDTech Ex, asserts the study concluded “the hype surrounding IoT will ‘dissipate and considerable deployment will occur but not at the scale and speed that most predict and only if security issues are solved.'” Unfortunately, the situation seems to be getting worse not better. Martyn Williams, managing director at Copa-Data UK, explains, “As the manufacturing sector moves towards industrial automation, the Internet of Things and the cloud, the number and nature of cyber threats is also growing.”[7] He adds, “Connected devices, the collapse of traditional industrial automation architecture and the move to the cloud means cyber security needs to take centre stage in any manufacturing facility. … The one thing manufacturers need to understand is that any industrial automation system today is vulnerable to cyber attacks. The only way of taking advantage of the benefits of IoT and the cloud is to stay vigilant and use industry best practice.”

A Few Steps Companies can Take

Internet of Things growth and security depends on international agreement about standards and practices. Nevertheless, Williams indicates there are three things companies can do to help protect themselves. Industrial security is no longer the IT department’s concern, but a 24/7 job for everyone, including those in the boardroom. First, he recommends companies identify and protect valuable data. He explains, “The first step is to identify … valuable data assets and restrict access to them by ‘hiding’ them behind additional layers of protection and encryption. Manufacturers can protect valuable production data using industrial automation software that has comprehensive security features, such as strong encryption, secure user administration and digital file signatures to recognise bogus programs. Software that allows you to allocate password-protected access to individual users is particularly beneficial because it empowers manufacturers to create individually configured access levels for different users. This means only authorised users gain access to valuable information.”

The second step recommended by Williams to employ best practices. He writes, “One of the biggest concerns many people have about cloud computing is that once data is in the cloud, it can be accessed by unauthorised users with malicious intentions. However, there is a significant distinction to be made. Validated software and cloud computing providers help ensure that their cloud is protected at the physical, network, application and data layers so that their services are as resilient to attack as possible and client data remains safe. The problem arises when users store or access company data through alternative devices or consumer cloud solutions. The most common ones are personal smart phones, tablets or e-mail addresses. Bring Your Own Device (BYOD) was an industry trend five years ago — today it is a reality. Employees everywhere use their own devices to access work e-mails, remote monitoring applications, CAD designs and other sensitive information. Unfortunately, this practice exponentially multiplies the risks of a cyber attack. However, manufacturers can’t afford to hide their heads in the sand and hope BYOD will go away. Your best bet is to train your employees on the best-practice use of BYOD and reduce the number of devices and applications used to access company data. BYOD is not a replacement of corporate devices; it should be a controlled strategy to enable mobility.”

The final step recommended by Williams to is to abide by industry standards. As I noted above, however, industry standards for IoT-connected devices have yet to be adopted. Williams, however, says the situation is slowly changing. He explains, “Slowly, but surely, industry is starting to outline and implement cyber security standards to make industrial networks, devices, software, processes and data more secure. For example, the NIST Cyber Security Framework published in the US compiles leading practices from several standard bodies. There is no such thing as a foolproof formula, but NIST is a good place to start.”

Footnotes
[1] Nigel Fenwick, “IoT Devices Are Exploding On the Market,” Information Management, 19 January 2016.
[2] Brian Buntz, “The IoT Is About to Shift into Ludicrous Mode,” Internet of Things Institute, 12 July 2016.
[3] David Booth, “Harnessing the Data Tipping Point of IoT,” Information Management, 18 July 2016.
[4] Kaitlyn McAvoy, “Majority of Supply Chain Organizations Plan to Increase Use of IoT,” Spend Matters, 4 August 2016.
[5] Jane Goh, “The Internet of Insecure Things,” EBN, 22 November 2016.
[6] Staff, “Some Shippers Question the Future of IoT,” Material Handling & Logistics, 2 November 2016.
[7] Sam Francis, “Protecting connected manufacturing: Three steps to industrial internet security,” Robotics & Automation News, 31 August 2016.

Follow me on Twitter