IoT and Security Boon or a Bane?
Govciooutlook

IoT and Security Boon or a Bane?

By Darren Bennett, Chief Information Security Officer (CISO), City of San Diego

Darren Bennett, Chief Information Security Officer (CISO), City of San Diego

Businesses rely on technology. Having secure systems is key to protecting business data and reputation. The reliance on electronic devices today goes beyond laptops and mobile phones to include data from a wide array of smart devices, known collectively as the Internet of Things (IoT).

IoT encompasses anything with an on/off switch that connects to the internet or another device—everything from smart water meters to advanced pacemakers. Inventions such as mobile phones and smartwatches blur the line on what constitutes the computer versus IoT.

Securing an increasing number of these IoT devices is a growing challenge. Gartner Inc. took note that by the end of 2019 there will be more than 14 billion connected IoT devices, and more than 25 billion by 2021.

The IoT is comprised of four key components, and each one is a potential point of vulnerability. Organizations and IT teams should be aware of each of these core components, as well as how to secure them.

Physical Device

Physical access is a huge issue since it doesn’t require the knowledge or technical skills of a hacker. Unsecured devices can be accessed by a household screwdriver, exposing the wires (and possibly the network). Open or unprotected USB maintenance ports allow anyone to connect to the device without a password.

Controlling physical access to IoT devices is the first and most basic security precaution. IT teams should perform physical security audits of all IoT devices in the network regularly, so human eyeballs can check for tampering.

Connectivity

IoT devices connect to a network via hardwire, ethernet, LTE, Bluetooth or a combination of these, and securing these connections is as important as securing the physical device itself.

Without an encrypted channel or proper authentication, wireless devices leave an inviting door wide open to anyone with knowledge and a laptop to intercept the data. Weak, default or hard-coded network passwords are number one on the Open Web Application Security Projects (OWASP) top 10 list of cybersecurity vulnerabilities and IoT devices are subject to threats posed by improperly secured Wi-Fi as well.

Proper planning and periodic testing will help protect and ensure optimum security of network connections Ensure all IoT devices use proper security protocols and communications. Encrypt the data and make sure the encryption keys are securely managed.

Data Processing

Many IoT devices utilize cloud server storage technology and software as a service, offering an unprecedented amount of redundancy, mobility and reliability. Once data leaves the IoT device and it is stored within the cloud, proper security continues to be important.

"The IoT is comprised of four key components, and each one is a potential point of vulnerability. Organizations and IT teams should be aware of each of these core components, as well as how to secure them"

The best means of ensuring the security of your organization’s IoT data—with respect to the cloud—is the wise selection of a hosting provider. Perform due diligence when selecting a cloud hosting partner. Are they reputable? Do they follow security best practices? Are they accredited? Choosing a secure cloud provider is paramount because your organization is still responsible for the security of the data once it leaves your IoT devices.

Proper encryption of data in transit and at rest (as well as secure management of your encryption keys) helps protect your organization should there be a security issue with your provider.

User Interface

IoT devices gather petabytes of information: Temperatures, traffic patterns, addresses, pulse rates, credit card numbers and so on. Without a secure user interface for accessing this data, all of it can be exposed.

User interface (UI) vulnerabilities range from guessable passwords to outdated components and insecure code. While some organizations have staff with the technical ability and tenacity to review UI security, many do not. (If your staff lacks this skill, hire a third party to perform an assessment of the environment.)

Almost every organization can take basic precautions, including creating randomized passwords that are difficult to guess, limiting UI access based on need, enabling two-factor security and monitoring use. Before bringing new IoT devices onto your network, talk to the manufacturer to learn how the user interface is developed, secured, supported and updated.

Securing the Internet of Things

In a world where IT continues to struggle with securing technologies that have been around for decades (OS hardening and patching, network transport security, etc.), can we hope to keep up with the increasing number of new vulnerable devices, networks and access points that IoT adds? The short answer is yes—if we remember the basics.

When devices or accounts are compromised, it’s usually not a genius hacker that breaches the security measures. Often, it’s a failure to adhere to the basic hygiene practices of cybersecurity. The infamous Miria botnet that left millions without internet access in 2016 did so using default passwords on IoT devices—a disaster easily avoided by choosing something other than Password123 to sign in.

This article is a primer in the fundamentals of securing IoT devices. Keeping up with the complexities of the ever-changing IoT landscape will be a challenging and moving target for years to come. While securing the Internet of Things can be overwhelming, having a good understanding of the basic components, knowing key security risks and focusing on good security basics should help your organization’s IoT data stay safe and secure.

Weekly Brief

Top 10 Security Solution Companies - 2020

Read Also

Digital Accessibility in e-Government Projects

Digital Accessibility in e-Government Projects

Jim Loter, Director of Frontline Digital Services, City of Seattle
Some Key Points for an Effective Cyber Risks Management

Some Key Points for an Effective Cyber Risks Management

Manuele Cavallari, Head of IT Risk Management, Banca Monte Dei Paschi Di Siena [BIT: BMPS]
The surprisingly wide reach of GDPR

The surprisingly wide reach of GDPR

Sarah Laws, Data Protection Officer, London Borough of Camden
Security in the Golden Era of AI and IoT

Security in the Golden Era of AI and IoT

Carlos Sousa, CISO & IT Risk Manager, Affidea
Trust: The key to Achieving Security Goals

Trust: The key to Achieving Security Goals

Erik Blomberg, Senior Vice President, CISO, Handelsbanken [STO: SHB-A]
An Integrated Approach to Security

An Integrated Approach to Security

Campbell McCafferty, Chief Security Officer, DWP Digital