It may come as a surprise to some that, at this moment in time, there are probably more ‘things’ connected to the Internet than people. In 2016 there were an estimated 6.4 billion connected devices in use worldwide – a figure that is projected to hit 20.8 billion by 2020. What’s more, as users, we’re more connected than ever, with figures showing that the average internet user today owns 3.64 devices, uses 26.7 apps, and has an online presence on seven different platforms.
While this ubiquitous global connectivity enabled by the Internet of Things (IoT) opens great possibilities for personal and organisational growth, it also exposes us to security vulnerabilities that can cause financial loss, endanger personal and public safety, and cause varying degrees of damage to business and reputation. Anything that is connected to the Internet is a potential attack surface for cybercriminals.
A new landscape for hackers
IoT brings with it a host of new possibilities, from smart city advancements to transforming how industries produce goods. The Industrial Internet of Things (IIoT) has seen significant advancement in recent years. For example, by connecting assets in a factory, organisations can gain better insight into the health of their machinery and predict any major problems with their hardware before they happen – allowing them to stay one step ahead of their systems and keep costly outages to a minimum.
However, in the rush to connect every ‘thing’ in sight, from lampposts, to factory machinery, to the wearable fitness monitor on your wrist, security has ranked low on the priority list. Although most manufacturers take steps to build in security, it doesn’t count for much if the end user implementing the technology doesn’t properly configure the devices. What’s even more disconcerting is a recent study that suggests that 70 percent of all IoT devices have serious vulnerabilities.
For example, an organisation may roll out a series of sensors across its factories, but fail to set up passwords. Those same sensors are subsequently left vulnerable to being used for malicious functions they were never designed for.
Security is also a concern for governments that are investing in smart city infrastructure. IoT has the potential to create a wealth of new services and improve existing public services. Without adequate security, innocuous items which generally pose no threat can be transformed into something far more sinister: for example, traffic lights that tell cars and pedestrians to go at the same time, or track changes that put a commuter train on the wrong course. A real-life example of this kind of disruption came to light in late 2016, when San Francisco’s public transit system was hacked – forcing the city to allow commuters to travel for free, and causing widespread disruption across the city.
The insecurity of things
Another source of insecurity is the networks that IoT data travels over. In addition to vulnerabilities in the device, malicious elements can reach your system through insecure networks. However, as technology presses rapidly on, we’re not taking the appropriate steps to ensure end-to-end security is built in.
What’s worse is that this is a sin that has been committed in the past, specifically when the initial worldwide internet infrastructure was being built from 1990 to 2005. During this period security was an afterthought, and that enabled early hackers to grow and disrupt.
With this in mind, it’s important that organisations take time to pause and think about how they can work together to create an end-to-end infrastructure that can deal with the influx of new devices.
Know your enemy
As with any defence, the first step is to be aware of the threats and arm yourselves with the appropriate tools to minimise the risk of falling into those traps. There are many effective methods of preventative and reactive security, but each approach will differ depending on the devices in your ecosystem.
An overall understanding of the end-to-end journey of your data, and of the threats it faces at each leg of the journey, will be beneficial, and organisations that work with partners to create a secure network for their devices will be rewarded in the long run. Unfortunately, there’s no ‘one-size-fits-all’ approach to securing the IoT infrastructure, and it will take a considered group effort to ensure this beneficial technology evolves in a secure and effective way.