Security Risks and IoT

Tero Tapanainen

The Internet of Things and the new security risks it brings.

IoT, or the Internet of Things, brings new security risks. How will you solve security questions for thousands of IoT sensors, tracking equipment, and control units that are perpetually running and distributed far and wide?

The Internet of Things (IoT) brings with it huge benefits. Intelligent tracking, metrics, and sensor data will make services much more efficient. It will make remote diagnostics and error corrections possible, and it will reduce the amount of physical logistics and open up possibilities for completely new services. 

It also brings with it safety. Sensors will be able to foresee problem situations so that help can quickly be brought to the scene, for example before a harbour crane breaks down, or a freezer stops working.

On the flip side, devices which are perpetually running, connected to the internet, and spread out far and wide bring with them a computer security problem. They provide a potential attacker with an easy target that is, for the most part, very sparsely protected.

This will soon become a problem when IoT devices are running in buildings, ships, trucks, hospitals and airports.

Where do the IoT data security risks come from? 

In reality risks can be found in every part of the system. One risk is the IoT device itself. The second is cloud services used by the device. And the third is hidden in the usage and business processes themselves. 

The devices are new, and their security features may not always be thoroughly tested. There is a large array of different types of devices. Devices are brought to market under high pressure and rushed timetables. The target for an attack can be, for example, a kitchen appliance or a smart watch.

On the other hand, some of the IoT devices are already outmoded. Nowadays devices are not always produced according to modern computer security principles. It’s not always possible to update devices to be more secure once they’ve been taken into use. And updating them is something you don’t do as long as your own system isn’t the target for an attack. When you haven’t observed the problem yourself, it feels like it doesn’t exist. 

It’s a question of attitude. Some of the players on the IoT market are convinced that the risks are primarily fear mongering. However, in an article published in Talouselämä it was found that there are many aspects of IoT security that need a lot of improvement. Computer security attacks are growing in frequency overall, and the Internet of Things is of special interest to miscreants.

The attacker and the defender are locked in an asymmetrical struggle. 

The situation for data security will always be imbalanced in the IoT. The attacker and the defender are not playing with the same deck of cards. 

Attackers can do and will do whatever they want. They have at their disposal all the illegal methods and tricks available. Meanwhile, those responsible for data security have a significant amount of laws and regulations limiting their actions. 

Attackers can concentrate all their strength and time in one place. Meanwhile, computer security specialists need to spread their resources wide and thin. All possible targets have to be simultaneously secured. Additional security comes with a cost in the shape of time and money, and these you simply don’t usually have. According to a report by McKinsey, customers are quite unwilling to pay for better data security.

Attackers have the element of surprise on their side. Furthermore, they only need to succeed once. The defender needs to succeed every time in order for their defense to hold up.

How can you create a working data security defense? 

The most important thing is to recognize and admit to the threat. Unauthorized use, break-ins, wanton destruction and system hijacking bring with them, in addition to the loss of money, dissatisfied customers and a widespread risk to your reputation and brand.

It is worth paying for data security. Preventative measures are always tens of times cheaper than cleaning up an incident after it occurs. 

Apply the following principles when you create IoT solutions:

  • Apply the Security by Design philosophy. Data security has to be built into the device and system from the beginning. You cannot glue it on as an additional layer on top when everything else is done.
  • Your security solution needs to cover all sub-areas of the system: in the case of the Internet of Things that includes devices, connections, cloud services and software.
  • Limit and encrypt: you have to encrypt information, and access has to be limited to the people who actually need it. This includes authentication, user verification, and assigning access rights solely to those who really need them.
  • Monitor the system constantly.

I recommend that everyone, and managers in particular, read the article called Security Principles that JD Meier published on the Microsoft blog already ten years ago.

Even though Meier’s text dates from before the widespread use of the Internet of Things, and even if you don’t understand the details of all the techniques mentioned, when scrolling through the list it becomes apparent to anyone how many different things you have to take into account to achieve good data security.

By definition the Internet of Things is a question of the data security of connected devices and the larger systems they form. Therefore, it is only natural that general data security questions and principles also apply to IoT solutions.