As IoT becomes more prevalent, more CIOs are asked to take the reins of IoT projects. Gartner recently found that just under a third of responding organizations expected their CIO would lead their IoT efforts, and that by 2020, more than 10% of IoT projects in traditional industries would be headed by the CIO.
This prompted Jenny Beresford, research director, to caution: ‘The IoT will expand rapidly and extensively, continually surfacing novel and unforeseen opportunities and threats.’
Among those threats — which will definitely be CIOs’ responsibility — is the woeful security of traditional IoT and IIoT networks, as well as the privacy, connectivity and transaction speed issues that frequently plague IoT implementation.
To be maximally effective such a network must somehow be both highly connected and highly secure, and currently only one technology — blockchain — can achieve this.
However, obstacles remain, including the lack of an IoT-friendly blockchain consensus protocol.
Network Security and Data Exchange
IoT and IIoT networks typically lack physical security, host-based defences, and software updates and patches. These networks typically also use less-secure Wi-Fi protocols, web apps and APIs, combining a larger-than-usual attack surface with weaker-than-usual security while retaining single points of control and failure.
In IoT, hackers see a new prize: gigantic botnets which can be used to spread malware, as with the Mirai botnet. And in IIoT, the rewards of network penetration can be industrial sabotage, espionage or large-scale blackmail, like Florida’s Riviera Beach.
Yet companies cannot afford to hold off indefinitely on deploying IoT technology, since doing so exposes the organization to the risk of being outmanoeuvred by competitors. Blockchain offers CIOs a way to deliver their IoT projects with the inherent security issues of large, distributed networks essentially solved.
Blockchain for IoT inherently eliminates single points of control and failure while simultaneously offering modular encryption and auditable transaction logs, so security issues are isolated, easy to identify and cannot spread through the network. Even if they do spread, they cannot be used to gain control of it.
Machine-to-machine (M2M) communications generate gigantic amounts of data in transit, and the number of connected devices is growing rapidly.
With centralized control, much of the processing power of these devices is lost to idling, while trust issues keep transaction costs high. CIOs find themselves in the position of paying for computational capacity they can’t use, and for traditional data centers that represent a ‘honeypot’ for attackers and a bottleneck for their networks.
Peer-to-peer communication across connected devices would enable dynamic transaction load balancing, enabling spare computing power to be identified and employed and potentially eliminating centralized data storage.
To do this successfully, IoT will need to become trustless as well as peer-to-peer. Blockchain offers a trustless peer-to-peer communication and transaction medium with secure, unforgeable and auditable transaction logs; smart contracts can be used to set policies, control and monitor access rights and execute actions autonomously based on pre-defined conditions.
Privacy and Autonomy
IoT systems built on traditional networks cannot prevent access by governments, service providers or criminal actors. With weak security and single points of control, trust on these networks is impossible to guarantee.
IoT and IIoT both require connectivity and modular security. The current solution, ‘security through obscurity,’ must be replaced by a systemic shift to open-source systems that achieve ‘security through transparency’ and are far less vulnerable to sophisticated, persistent institutional attacks.
Without this shift, both consumer and industrial networks will be increasingly vulnerable, and as the number of connected devices grows, radically lower-cost privacy and autonomy will be necessary to save the IoT.
IoT Connectivity Costs
In the current iteration of the IoT, costs are prohibitively high while revenues fail to meet expectations. Many existing IoT solutions are expensive because of the high infrastructure and maintenance costs associated with centralized cloud delivery and large server farms.
IoT devices violate the traditional pricing and revenue model of the IT industry too: device costs and incomes don’t line up, and maintenance costs consume substantial amounts of revenue. Inherent technical reasons make this unavoidable using the current model, but CEOs still don’t like hearing it from their CIOs.
Blockchain technology allows reliable data to be pooled and shared without trust, directly among stakeholders. This allows for a significant cost reduction, eliminating intermediaries and allowing for automatic transactions and payments across devices using smart contracts.
Blockchain-IoT Integration Challenges: Lack of an IoT-centric consensus protocol
The current consensus protocols available for blockchains — PoW, PoS, PoET, and IOTA — are all designed for permissionless blockchains focusing on financial value transfer. PoS and PoET can also be used in permissioned blockchains, but their consensus is probabilistic and does not end in a permanently-committed block, resulting in an unacceptably high ‘hard fork’ rate.
PoET requires specialist hardware and the enclave allocating wait time is a trusted entity; it has also proven vulnerable to node compromise.
What’s needed is a consensus that can keep the benefits of the distributed, auditable, trustless environment blockchain provides, but deliver it in real time and at scale, without mining or excessive transaction costs, and without multiple hard forks.
It is no overstatement to say that the Internet of Things (IoT) is reshaping business processes and workplaces as never before. Connected devices are increasingly pushing the boundary of innovation for enterprises and industries of all niches. Thanks to these connected devices and a huge upsurge in IoT mobile app development, consumers benefit most, through a frictionless user experience.
No wonder IoT software development is exploding with possibilities and promise. More than ever before, the market is brimming with a whole array of scalable, feature-rich, secure and user-optimized connected solutions that are transforming the way we interact with devices and use software solutions at the workplace.
In spite of such huge promise and possibilities, IoT software and app development faces some hefty and crucial challenges that present-day developers need to be aware of. Here we explain some of these challenges in brief.
- Operating System (OS) Considerations
The first technical challenge that IoT app development companies need to deal with is the operating system of the devices. Since IoT devices mostly have limited memory and single-track operational capacity, developers need to approach development for such devices differently than for desktop solutions. They need to pick an OS that fits the device's capability and the objective of the application.
As of now, most IoT developers surveyed for their OS preferences have clearly chosen Linux. According to most IoT developers, Linux offers the perfect OS for IoT devices with a lot of memory constraints, microcontrollers, and IoT gateways.
- Selecting the Gateways
Gateways play the most critical role in the IoT landscape by connecting almost all the constituent elements: connectivity protocols like Wi-Fi or Bluetooth, ports, IoT sensors, cloud systems, etc. Naturally, gateways are mission-critical for the whole IoT ecosystem.
When it comes to choosing appropriate gateways for your IoT application, you have several well-known choices from renowned technology companies like Dell, Nexcom, Intel, etc. As of now, these gateway providers have proved highly effective for any number of applications. Some of the key aspects to consider in gateways include the particular specifications for the network, the supported development environment, power rating, memory capacity, etc.
- Security & Privacy
One of the key aspects that IoT app developers should give utmost priority to is app security and privacy. Security here refers not just to network security but to the security of practically every component. As IoT devices penetrate the personal spaces of users, they are often vulnerable to misuse and to breaches of data security through cyber-attacks.
Maintaining optimum data security and safeguarding privacy have always been contentious areas for IoT app developers worldwide. Let us have a closer look at the various security aspects of an IoT app.
- Data Exchange Security: The data generated by an IoT app through the IoT sensors and devices passes through the gateway and is finally stored on the cloud server. To keep this data secure, it is important to use encryption.
- Physical Security: Unlike other computing devices, IoT devices are normally used in private and remain unattended most of the time. This is why they remain vulnerable to a lot of security threats from hackers at the device level.
- Cloud Storage Security: A cloud storage solution normally remains secure from threats and intrusions. Even then, the developers of IoT apps need to make sure that the data in cloud storage remains safe and secure.
- Privacy Updates: To protect the privacy of the user data processed and fetched by IoT devices, there need to be certain compliance rules. For instance, all fitness tracker devices collect user data on the basis of HIPAA guidelines. Such regulations and compliance standards basically safeguard the privacy of the user data.
- Network Connectivity
The quintessential aspect of IoT app development is fast, real-time data transmission between the device and the IoT gateway, and between the gateway and the cloud server. Poor connectivity renders most critical app features ineffective. Connectivity issues and server breakdowns remain major problems for too many IoT devices.
Connectivity remains the first and foremost area of importance for connected devices that work hand in hand with gateways and cloud platforms. In meeting this challenge, the app design and the device's app environment play an important role. The connectivity solution should be chosen according to the device's constraints and capacities.
- User-Optimized App Design
Another major focus area for IoT app development should be the app design. The app design should be thoroughly intuitive and user-focused so that users do not need to study manuals to use an IoT device. Even for industrial IoT devices, a simple and clean design is extremely important to ensure faster decision making and visualization of the data. In this respect, close, reciprocal cooperation between developers and designers is a must for building IoT apps. Some of the key attributes that design inputs should ensure include the following.
- Safe and secure user authentication
- Frictionless transition across devices and applications
- Personalized user experience based on user behavior and preferences
- A consolidated IoT environment comprising all the elements in the pipeline.
- Cross-Platform Deployment
Last but not least among the major challenges that IoT app developers must deal with is deploying the app across multiple OS platforms. Since the IoT ecosystem comprises a variety of device architectures, protocols, and operating systems, the app should be built to fit all these variables for seamless and efficient performance. This is why experts at international organizations such as the Internet Engineering Task Force (IETF) and the Institute of Electrical and Electronics Engineers (IEEE) have already come up with explicit cross-platform development standards and architecture models to help smooth deployment across multiple OS platforms.
In spite of the overwhelming growth of IoT applications and the ecosystem of connected devices, there is a multitude of challenges that IoT app developers encounter regularly. By focusing on these challenges beforehand, they can at least take appropriate precautionary steps to ensure optimum quality and efficient output.
Your home security system. Your air conditioning system. Your car. Why, even your coffee maker. Almost every imaginable digital appliance is now connected to the Internet. The era of connected things has arrived.
IoT is no longer a science project that businesses are putting off for the future. It is a promise of a future that must be leveraged now. In fact, today, it is more difficult to find a coffee maker or any home appliance without Wi-Fi or Bluetooth connectivity. Not just in homes but in corporations too, connected devices have become a serious boardroom topic. According to DigiCert’s State of IoT Security survey 2018, 83% of organizations say the Internet of Things (IoT) is important to business today, and 92% say it will be in two years.
IoT can bring to businesses several benefits like improved operational efficiency, new revenue channels, business agility, and enhanced customer experience.
However, there are enterprise concerns that dwarf the possibility of gaining these benefits.
Among the top 4 enterprise concerns for IoT are security and privacy.
How the Internet of Things can become the Internet of ‘Threats’
If not controlled, secured and monitored, the Internet of Things can go from smart connected things to a web of connected threats. Here are some ways how connected devices can go rogue.
#1 The connected risk of BYOD
Global corporations are losing no time in enabling their employees with BYOD (Bring Your Own Device) and WFH (Work From Home) working models. Although these working models amplify productivity, they also carry with them the risk of IoT.
For instance, an insecure connected device at an employee’s home can be hacked, giving the hacker access to the office system. If the employee has failed to take adequate security measures for the office gadgetry, the ground is left open for the hacker to seed malware, a virus or anything else malicious into the office network. That is the connected risk of BYOD which IoT creates.
#2 DDoS attacks
Source: DigiCert’s IoT Security Infographic
Do you know that insecure IoT devices can take down cities? IoT botnets combined with DDoS attacks can bring connected urban infrastructure to a grinding halt. This is not any sci-fi or fictional scenario. Hackers can track down IoT sensors, hack into their weak interfaces and run commands to shut down services or to hijack their functioning.
To cite a real-world example, cities like New York, Singapore, Barcelona, etc. are already running extensive public utilities with the help of IoT. IBM’s white paper, The Dangers of Smart City Hacking, found more than 17 security vulnerabilities that make it “painfully easy” to take down large IoT-based urban networks. The security vulnerabilities included public default passwords, SQL injection, authentication bypass and so on.
#3 Premise Intrusion
Home security device shipments worldwide are expected to touch 700 million by 2019. According to Alarms.org, three-fourths of homeowners buy security systems that can be monitored through their mobile devices. While these systems save time and provide convenience, they also become easy targets for hackers.
By hacking into the smartphone or a weak smart device, the hacker can take down the home security system thereby gaining access to the entire household. The same scenario applies to corporate offices as well, which makes IoT a certain Internet of Threats.
So, do these security threats mean that it is the end of the road for IoT app development? Not so. There are best practices that enterprises can embrace to insulate their IoT networks from vulnerabilities.
Best practices to establish security in IoT app development
IoT is a relatively new concept. The IT industry as a whole is yet to attain widespread knowledge and authority on its usage, maintenance and security. Here are some best practices that can help thwart the security risks involved in IoT app development.
#1 Review the risk involved
Having a brief idea of the risk landscape will help devise a strategic security policy specifically for IoT devices. Penetration testing can be carried out to identify key vulnerabilities that should be addressed with high priority. For example, default public passwords are a vulnerability that can be resolved quickly without much ado.
#2 Set up device identity
Each device in the IoT network must be identified and tagged to grant secure access. Use secure over-the-air updates to keep the device security intact and in tune with the latest development.
More than the connected device, it is the data that it creates and exchanges that is of value. Every data exchange by the devices in the network should be secured with end-to-end encryption, code signing or with SSL certificates.
#4 Public Key Infrastructure
Public Key Infrastructure (PKI) can help create the basic framework required for authenticating device identities and for establishing the integrity of security patches. It also facilitates easier management of public-key encryption thus making it a perfect choice for establishing IoT security.
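The two jobs this section gives PKI, authenticating device identities and establishing the integrity of patches, shown as an added Go example (not code from the article or from any vendor). It goes slightly beyond the text by limiting each certificate to one key usage, so a device key cannot sign firmware; the CA, the names `firmware-release` and `sensor-0001`, and the firmware bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus its private key (all constructed for the demo).
type Identity struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

// Issue creates a key pair and certificate. A nil parent yields a self-signed
// root CA; otherwise a leaf that is limited to one extended key usage.
func Issue(parent *Identity, cn string, eku x509.ExtKeyUsage) (*Identity, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived: demo only
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent = &Identity{Cert: t, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent.Cert, pub, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// Verify accepts msg only if cert chains to the pinned root, is permitted the
// requested usage, and sig is its signature over msg. Returns the subject name.
func Verify(root, cert *x509.Certificate, eku x509.ExtKeyUsage, msg, sig []byte) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{eku}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, msg, sig) {
		return "", errors.New("signature does not match content")
	}
	return cert.Subject.CommonName, nil
}

// Demo runs five constructed cases against the pinned root; true = accepted.
func Demo() (map[string]bool, error) {
	var firstErr error
	mk := func(parent *Identity, cn string, eku x509.ExtKeyUsage) *Identity {
		id, err := Issue(parent, cn, eku)
		if firstErr == nil {
			firstErr = err
		}
		return id
	}
	cs, ca := x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageClientAuth
	root := mk(nil, "Example Fleet Root CA", x509.ExtKeyUsageAny)
	rogue := mk(nil, "Example Fleet Root CA", x509.ExtKeyUsageAny) // look-alike CA
	release := mk(root, "firmware-release", cs)
	device := mk(root, "sensor-0001", ca)
	forged := mk(rogue, "firmware-release", cs)
	if firstErr != nil {
		return nil, firstErr
	}
	fw, nonce := []byte("constructed firmware v1.2.3"), []byte("constructed challenge 7f3a")
	ok := func(signer *Identity, eku x509.ExtKeyUsage, signed, got []byte) bool {
		_, err := Verify(root.Cert, signer.Cert, eku, got, ed25519.Sign(signer.Key, signed))
		return err == nil
	}
	return map[string]bool{
		"genuine update":          ok(release, cs, fw, fw),
		"tampered update":         ok(release, cs, fw, append([]byte("X"), fw...)),
		"signer from rogue CA":    ok(forged, cs, fw, fw),
		"device key signs update": ok(device, cs, fw, fw),
		"device login":            ok(device, ca, nonce, nonce),
	}, nil
}

func main() { fmt.Println(Demo()) }
```

Only the genuine update and the device login are accepted; the other three cases fail at either the chain check or the signature check.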
#5 Plan long-term
IoT is going to be here for the long term. It is not a short-term fad that can be easily replaced. It has a strong hardware presence which cannot be removed easily. Hence, any security measures made for IoT networks should be planned for the long term.
With the promise of IoT come several perils as well. IoT botnets can take down large-scale and sensitive connected networks, including urban infrastructure, home security systems, etc. McKinsey Global Institute estimates the economic impact that IoT can create to be in the range of $3.9 trillion to $11.1 trillion worldwide by 2025. But the true economic benefit of IoT can be attained only if it is secured and insulated from security threats. To sum it up, security should be the bottom line of IoT app development. Without security, IoT can create more damage than the benefits that it can provide.
In 2016, the Industrial Internet Consortium gained agreement upon an understanding of the term “trustworthiness” and its effect on design and operation of an industrial system. At the core of that understanding was a definition of trustworthiness and the designation of five characteristics that define trustworthiness.
As defined by the IIC in its recently released Industrial Internet of Things Vocabulary v2.1 document: “Trustworthiness is the degree of confidence one has that the system performs as expected. Characteristics include safety, security, privacy, reliability and resilience in the face of environmental disturbances, human errors, system faults and attacks.”
Let’s take a deeper look at the 5 foundational characteristics at the core of trustworthiness:
- Safety ensures that a system operates without causing unacceptable risk of physical injury or damage to the health of people. This protection of humans is focused either directly or indirectly, as the result of damage to property or to the environment.
- Security protects a system from unintended or unauthorized access, change or destruction while Information Technology (IT) security ensures availability, integrity and confidentiality (AIC model) of data at rest, in motion or in use.
- Reliability describes the ability of a system or component to perform its required functions under stated conditions for a specified period of time.
- Resilience describes the ability of a system or component to prevent or at least reduce any serious impact of a disruption while maintaining an acceptable level of service.
- Privacy protects the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
Achieving trustworthiness in industrial IoT systems requires recognition that a complex IoT system is comprised of subsystems and the integral components of the subsystems. The trustworthiness of the overall system depends upon the trustworthiness of each of the subsystems and each of the components, how they are integrated, and how they interact with each other. Trustworthiness must be pervasive in IoT systems, which means there must be trustworthiness by design and a means to achieve assurance that the trustworthiness aspects have been addressed properly. Permeation of trust is the flow of trust within a system from its overall usage down to its smallest components and requires trustworthiness of all aspects of the system. Trustworthiness requires ongoing effort over time as systems and circumstances change.
As such, the IIC Trustworthiness Task Group, in close cooperation with the IIC Security Working Group, is tasked to frequently enhance and redefine the definition and role of trustworthiness in industrial systems as the IIoT continues to evolve. Ultimately, their goal is to move system designers from traditional safety thought processes into a new paradigm for system design that takes into consideration all 5 of the trustworthiness characteristics and their interactions within the system.
By Marcellus Buchheit, Co-founder of Wibu-Systems AG and President and CEO of Wibu-Systems USA
This blog originally appeared as a Wibu-Systems Blog
Supply chain managers know better than anybody how many things can go wrong between point A and point B. Damage from mishandling and the elements, contamination, and product and IP theft are all very real threats. So how can you use technology to secure yourself against known and unknown threats in your industry? Just as importantly, how can you keep that technology sufficiently secure?
An ounce of prevention is worth a pound of cure — and IoT technologies for the supply chain boast a lot of potential cures. Luckily, with the right approach, you can have all the benefits and still minimize the risks.
What Kinds of Supply Chain Challenges Do IoT Technologies Cater To?
The most obvious advantage of bringing IoT technologies aboard is that you grant yourself true visibility of all your operations. You might justifiably feel a little intimidated at the prospect of newfound access to real-time data at a truly granular level. However, depending on the type of work you do, there are many IoT solutions that might add to your value and help you work more intelligently — without a crippling learning curve.
For example, some elements in your industrial IoT might be as large as pallet trucks and order pickers. Major companies are already deploying warehouse and supply chain equipment with self-driving functionality to achieve higher levels of vehicular safety and productivity throughout their operations.
Other times, bringing IoT to your supply chain provides far quieter, but equally impressive, results. The cost of RFID tags and near-field communication has been dropping reliably for years. What this means is that even large quantities of shipped products and components can receive per-unit identification through trackable, sensor-equipped tags. The right technology can feed you real-time information about the condition of your shipments and details about the environment in which your remote vehicles, personnel and teams are operating.
Of course, gathering all this information is one thing. Sifting through it and actually arriving at efficiency-boosting action items requires the right data analysis talent. In some cases, you'll need a reliable third party who can help you make sense of it with a dashboard or cloud business tool that's tailored to the work you do.
As you've probably been able to gather, the rest of the challenge centers on keeping all these devices — and the vital data they carry — safe from prying eyes. It also has to be accessible and useful to your team and partners.
The IoT Comes With Challenges of Its Own
With few exceptions, the major challenges that accompany a supply chain's integration of emerging IoT technologies fall along these lines:
- Ensuring continued connectivity throughout networks with virtually no downtime
- Safeguarding vital data, such as shipment locations, and making proprietary information, source code and other IP resistant to theft and tampering
- Making sure new hardware and software integrates well with existing platforms and IT solutions
You won't be surprised to hear this, but a majority of IT specialists in the corporate world cite increasingly complicated networks as the source of most of their security concerns. Think about the complexity of the IoT — and all its satellite devices, beaming information to each other and to you. You'll start to get a sense of the challenge awaiting you when your facility or supply chain operation performs its own digital upfit.
Using the IoT to augment your abilities as a market leader and add transparency to your organization doesn't have to come at the expense of security-mindedness, however. In fact, in making strategic IoT purchases, you're very likely to find yourself better prepared than ever for some of the general and industry-specific compliance and quality standards you might be expected to uphold, such as HIPAA, PCI-DSS and Sarbanes-Oxley.
These probably sound like consumer-centric security regulations, and they are — but they exist to protect you and your partners, as well. They're a reminder that every piece of technology in an industry that touches human lives is an opportunity and a responsibility in equal measure.
Productivity and Security Work Hand-in-Hand
One of your first steps is to work with your partners to develop a holistic security solution for your newly connected supply chain. Anything you come up with needs to be consistent and as strong as the weakest link. Where are mistakes or security breaches most likely? In client-facing operations? In the last mile of delivery? Communication is paramount at this stage.
After that, it's a matter of gradually rolling out the hardware and software you're bringing into your operations. There will be a learning curve, after all, but ensuring buy-in from your managers and process specialists can go a long way.
Making conservative changes, one at a time, is also good for getting your team members acclimated to changes in their workflows and helping them iron out the kinks. Think about the waste you'd incur if the sensors you've deployed with your outgoing shipments aren't recovered and returned to your facility, for instance. Technology is filled with opportunities, but some of it also requires attention to detail. A deliberate approach ensures things progress smoothly.
Depending on the technologies you deploy, the granular, real-time data you gather from your logistics, sourcing, handling, shipping and returns departments can help you peer into the future and more accurately anticipate fluctuations in customer demand. You can also plan for changes in parts and material availability throughout your supply chain.
You get to think several steps ahead of the game and stay ahead of your competitors. Think about the benefits of getting ahead of something like the electronics components shortage currently gripping the market.
That level of planning ahead is useful for keeping your operation secure in many ways. One is anticipating where your products will be needed and planning ahead for potential roadblocks. Others include better preparedness and more complete contingencies for emergencies such as natural disasters, lost or stolen shipments, lost internet reception for connected devices, extended power outages and more.
In this way, technology is a bit like a snowball. As it solves one problem, it seems to elegantly solve other interrelated issues. As a consequence, if you play this right and work with the correct talent, you'll find yourself improving efficiency throughout your operations — even as you make them more resilient against outside forces and unforeseen interruptions.
Internet of Things Insights from Rob Tiffany
We don’t often compare technology to fables, but when it comes to the internet of things (IoT), the story of Pandora’s Box comes to mind. It’s a technology that has great potential, but where the weakness and possibilities lie is in its lack of basic security measures. We might even go as far as to say, what security? These are the concerns we’re thinking about at IT Security Central.
As a completely remote company, we’re taking measures to understand how the internet of things can impact our company data security. Hackers look to exploit technology vulnerabilities to access valuable information. Hacking an IoT connected fish tank, smart fridge - these aren’t far-fetched stories. These are stories that are happening now.
The lack of secured IoT devices starts in the development phase. These devices are developed on a basic Linux operating system with default codes that buyers rarely change. When these devices are developed, security isn’t on the agenda; rather, developers are looking at human behaviors and outside threats, when they should be looking inwards.
An unsecured IoT device is the weak link in the connection. As one of the fundamental purposes of the technology is to provide connection and accessibility, this one weak link can bring down the entire network. And if your remote worker’s BYOD devices are in some way connected to that network, your company just became vulnerable.
Remote workers or ‘the gig economy’ is expected to increase in frequency. According to the Global Mobile Workforce Forecast Update, the number of employees working remotely is supposed to increase to 42.5% of the working population by 2022. At that time, the world is projected to see half of its population working outside the office either full-time or part-time.
Security vulnerabilities, remote workers and IoT - where is the connection? The scary thing is that remote workers are likely to already have IoT devices in their work environment, and most likely, they are not protected. These devices can mostly be smart home devices that workers have acquired to make their daily lives easier. Common devices include Amazon Echo, Neo and GeniCan.
The first step in active prevention is to make your employees aware of the importance of data security and then aid them with the tools for success.
Best Practices for Protecting Your Network (from Remote Workers)
With the wealth of internet-based security technologies, the idea of protecting your network with in-house servers and the traditional firewall is (well) old school. With cloud-based companies, you can now access and protect data in easy step-by-step processes, and the best news, most of these companies do the data management for you.
One of the most progressive approaches to remote worker security would be to adopt a monitoring service to collect data and actively look for anomalies in the network. Through data collection and analysis, monitoring software creates a user profile of normal, everyday behavior. The administrator can set ‘alerts’ for when certain data repositories and files are accessed, or when sensitive data is moved. The longer a data breach goes undetected, the larger the financial implication for the company. Requiring remote workers to download and use remote monitoring software is one of the highest levels of protection against data loss.
But if monitoring isn’t on your agenda, these are a few basic tactics that employers can encourage remote workers to undertake.
Though the workers are remote, administrators can set limits on data access. This process starts with a thorough analysis and understanding of each position. It’s important to understand who needs access to what information, and who doesn’t. Once this is understood, administrators can restrict information, and they can also set ‘alerts’ for when information is accessed without prior approval.
Home Network Policy
Once employees leave the brick & mortar walls, the manager has little insight into where, and on what network, they’re accessing information. But don’t fret: this freedom and flexibility is part of what makes remote work appealing. Since privacy might be a factor, we don’t suggest going as far as asking remote workers to eliminate IoT devices on their network. Rather, we encourage you to create a policy that specifically states the security requirements that IoT devices must meet in order for the work network to be accessed. By educating your employees, you can save both them and the company the heartbreak of data loss.
Encryption, encryption, encryption. You’ve heard the importance of encryption. For remote workers, the company can never be too safe, so they should go the extra mile and set remote workers up on an encrypted network. A VPN ensures all connections and communications are encrypted when the network is accessed. Don’t worry about IoT connectivity in their home, or when remote employees connect to an unsecured public wi-fi connection. A VPN provides the next level of security through encryption, and a hacker won’t be able to access communication or data without alerting administrators to a potential breach.
IoT devices are already integrating into our at-home lives, and when remote workers access their at-home networks, suddenly the topics collide. As more workers go remote, it’s important to look inwards towards security to see how everyday IoT devices impact company data. Take the time to ensure that remote workers are protecting the network effectively.
Guest post by Isaac Kohen. Isaac Kohen is the founder and CEO of Teramind (https://www.teramind.co/), an employee monitoring and insider threat prevention platform that detects, records, and prevents malicious user behavior in addition to helping teams to drive productivity and efficiency. Connect with Isaac on social media: LinkedIn, IT Security Central and Twitter @TeramindCo.
Ever wonder what the real cost of IoT insecurity is?
Well, researchers at the University of California, Berkeley, School of Information recently published a report that attempts to lay out the costs to consumers in the context of DDoS attacks. The report focuses on exploiting vulnerable devices for their computing power and ability to use their network’s bandwidth for cyberattacks, specifically DDoS attacks on Internet domains and servers.
Researchers infected several consumer IoT devices with the Mirai malware and measured how the devices used electricity and bandwidth resources in non-infected and infected states. Their hypothesis: compromised IoT devices participating in a DDoS attack will use more resources (energy and bandwidth) and degrade the performance of a user’s network more than uninfected devices in normal daily operation.
Based on energy and bandwidth consumption, they developed a calculator to estimate the costs incurred by consumers when their devices are used in DDoS attacks. Two recent and well-publicized attacks, and one hypothetical, were calculated:
- Krebs On Security Attack: According to their cost calculator, the total electricity and bandwidth consumption costs borne by consumers in this attack was $323,973.75.
- Dyn, Inc. Attack: They calculate the total cost borne by consumers as $115,307.91.
- "Worst-Case" Attack: This hypothetical “Worst-Case” scenario approximates the costs that could result if the Mirai botnet operated at its peak power using a UDP DDoS attack. The projected cost to consumers of this attack is $68,146,558.13.
Commenting on the study, Bob Noel, Director of Strategic Relationships and Marketing for Plixer, said, “Organizations with enslaved IoT devices on their network do not experience a high enough direct cost ($13.50 per device) to force them to worry about this problem. Where awareness and concern may gain traction is through class action lawsuits filed by DDoS victims. DDoS victims can suffer financial losses running into the millions of dollars, and legal action taken against corporations that took part in the distributed attack could be a mechanism to recuperate losses. Companies can reduce their risk of participating in DDoS attacks in a number of ways. They must stop deploying IoT as trusted devices, with unfettered access. IoT devices are purpose-built with a very narrow set of communication patterns. Organizations should take advantage of this and operate under a least privilege approach. Network traffic analytics should be used to baseline normal IoT device behavior and alarm on a single packet of data that deviates. In this manner it is easy to identify when an IoT device is participating as a botnet zombie, and organizations can remediate the problem and eliminate their risk of being sued.”
Or as we've argued before, regulation is key. And now that we have an economic cost on IoT insecurity, we have better information for regulators to pursue strategies and legislation for enforcing workable security standards to reduce the negative impacts of IoT devices on society.
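An added example (not from the Berkeley report or from Plixer) of the baseline-and-alarm approach described in the quote above: it learns each device's set of destination, protocol and port tuples from a known-clean observation window, then flags any later flow outside that set. The log format, device names and addresses are constructed for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed flow records: ts,device,dst,proto,dport. Addresses come from the
# RFC 5737 documentation ranges; device names are hypothetical.
BASELINE_LOG = """\
2024-01-01T00:00:05,cam-lobby,192.0.2.10,tcp,443
2024-01-01T00:00:09,cam-lobby,192.0.2.53,udp,53
2024-01-01T00:01:05,cam-lobby,192.0.2.10,tcp,443
2024-01-01T00:00:07,thermostat-3,192.0.2.20,tcp,8883
2024-01-01T00:00:11,thermostat-3,192.0.2.53,udp,53
"""

LIVE_LOG = """\
2024-01-02T10:00:01,cam-lobby,192.0.2.10,tcp,443
2024-01-02T10:00:02,cam-lobby,198.51.100.7,tcp,23
2024-01-02T10:00:02,cam-lobby,198.51.100.8,tcp,23
2024-01-02T10:00:03,thermostat-3,192.0.2.20,tcp,8883
2024-01-02T10:00:04,cam-lobby,203.0.113.99,udp,53
2024-01-02T10:00:05,printer-9,192.0.2.10,tcp,443
not,a,valid,record
"""


def parse_flows(text):
    """Yield (device, (dst, proto, dport)) per record; skip malformed rows."""
    for row in csv.reader(StringIO(text)):
        if len(row) != 5 or not row[4].isdigit():
            continue
        _ts, device, dst, proto, dport = row
        yield device, (dst, proto.lower(), int(dport))


def learn_baseline(text):
    """Build the per-device allowlist from a window assumed to be clean."""
    profile = defaultdict(set)
    for device, flow in parse_flows(text):
        profile[device].add(flow)
    return dict(profile)


def find_deviations(text, profile):
    """Return one alert per flow that falls outside its device's baseline."""
    alerts = []
    for device, flow in parse_flows(text):
        if device not in profile:
            alerts.append((device, flow, "no baseline: device not inventoried"))
        elif flow not in profile[device]:
            alerts.append((device, flow, "flow outside learned baseline"))
    return alerts


def summarize(alerts):
    """Per device: (alert count, number of distinct off-baseline destinations)."""
    summary = defaultdict(lambda: {"alerts": 0, "new_dsts": set()})
    for device, (dst, _proto, _dport), _reason in alerts:
        summary[device]["alerts"] += 1
        summary[device]["new_dsts"].add(dst)
    return {d: (s["alerts"], len(s["new_dsts"])) for d, s in summary.items()}


if __name__ == "__main__":
    profile = learn_baseline(BASELINE_LOG)
    alerts = find_deviations(LIVE_LOG, profile)
    for device, flow, reason in alerts:
        print(f"ALERT {device} -> {flow}: {reason}")
    print(summarize(alerts))
```

The allowlist is only as good as the window it was learned from: a device that was already compromised during baselining will have its unwanted flows recorded as normal.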
The Meltdown and Spectre microprocessor bugs not only compromise billions of desktops, laptops, servers, clouds, tablets and smartphones, they also put tens of billions more embedded, IoT, and control systems at risk.
The current political events in Barcelona provide us with a barely-needed reminder that we live in changing times. I was in the city as part of the Trustonic team exhibiting at IoT Solutions World Congress last week and took some time to speak with fellow vendors. I soon saw some fantastic product demonstrations that drew my attention - I wanted to learn more. Frequently though, the response to: “This looks great - how is it secured? How do we know the data is trustworthy?” was a puzzled look and a “It uses our cloud and we secure that” or “It runs on a secure OS”. Sometimes the response was worse: “It’s a closed network. You couldn’t attack it”.
It didn’t fill me with confidence. Everyone has a secure solution, it seems. But how do we know that it’s secure? Who has validated it? The questions and the perplexed looks continued. I slept uneasily.
I don’t want to criticise the IoT solutions that I saw – they were interesting and point to an exciting future for us all. Unfortunately, securing these solutions isn’t exciting and probably won’t draw a crowd to your stand. It’s rare to see ground-breaking security solutions making the news – consumers just expect it these days. Of course, you can expect a media frenzy if you’re breached. There have been some horrifying examples already and we are still in the early days of this industry. IoT solutions need to be secure by design – or, to put it another way, the components of the solution must already be secure when they are deployed. With the headache (and tedium) of security taken care of, the industry would be free to innovate and dream up even more exciting products.
I was showing an IoT security demo built on a Samsung ARTIK board, which already has Trustonic TEE technology embedded. It showed an IoT device connecting to Amazon Web Services (AWS), cryptographically proving itself to be secure and having a trusted identity, thus enabling it to become automatically registered on the system. Perhaps not as exciting as an IoT boat or sports bike sharing data in real time, but it demonstrated that, by embedding a truly secure OS (one that’s Common Criteria certified and FIPS-140-2 approved) combined with a Root of Trust installed in the factory (think of this like a digital birthmark), an IoT device can be trusted pretty much automatically. Once you have an inherently trusted device, you can be confident that data from its sensors is also trustworthy.
Shakespeare wrote “Love all, trust a few”. So, love all the cool and exciting IoT products – but only trust the few which are truly secure.
Every week, thousands of new apps hit the mobile market. Unfortunately, the number of hackers working assiduously to tap into these apps to implant malware or phish for user information has also been on the increase. It is therefore essential to take the security of mobile users very seriously, particularly when it comes to app development.
Apart from being highly vigilant about security, app developers need to be able to identify these security issues and know how to avoid them, so as to be able to provide users with the security they need to keep their information and other data safe. Security issues can be experienced in various forms during any mobile application development process; some of which are explained below.
Failure to implement secure communications to servers
Most apps are designed to connect back to a server, particularly those applications that handle sensitive user information. Therefore, as a critical area of concern, mobile app developers must ensure safe transit between the app and the server. Nothing should be open to interception on an insecure WiFi connection. Basically, this type of security is achievable through SSL certificates and encryption. User information can be compromised, particularly if developers fail to employ the right SSL libraries.
Inability to plan for physical security breaches
Nothing much can be done to prevent theft or loss of mobile devices, and mobile app developers have very little role to play in this. However, they can greatly help to minimize the problem by implementing a local session timeout. Usually, users are obligated to enter a password from time to time to access an app. Rather than making this a daily occurrence, the password can be required once a week or at the fifth time the app is used. Local session timeout can also prevent the use of software that helps users remember passwords.
The use of weak encryption or an entire lack of encryption
Obviously, improves constantly which helps to make algorithms become obsolete and very easy to crack. Failing to use encryption or using weak encryption in an app can put sensitive user information at risk of getting exposed. In the course of using certain apps, users are obligated to input sensitive data like personal identification information or credit card numbers. It is sad to know that this information can be hacked particularly with the absence of good encryption. An app is more likely to be hacked when it becomes more popular. So, if you are looking to push your app to the top, there is every need to invest in good encryption.
Bypassing systematic security testing
Most importantly, Indian app developers need to consider themselves as the last line of defense. You stand to put your app users at risk when you fail to ensure a secure app. In every development process, testing is very important and as such, there is no need to rush in releasing an app. Ensure to test every common inlet for security issues, such as sensors, GPS, camera, and even the development platform. Viruses and malware are no respecters of apps – every app is vulnerable to an attack from them.
Developers should try as much as possible to avoid leaving crash and debug logs behind during testing. These are common places that hackers take advantage of to find app vulnerabilities. On iOS, NSLog statements can be disabled during iPhone app development, which increases the speed of the app as well as avoiding vulnerabilities. Likewise, an Android app remains vulnerable until the Android debug log is cleared.
Lack of proper planning for data caching vulnerabilities
Unlike standard laptops and desktops, mobile devices are well-known for their ability to store short-term information for longer periods. This caching method generally helps to increase speed. However, since hackers can easily access cached information, there is every possibility of mobile devices being susceptible to security breaches. A major way of avoiding the problem is to demand a password to use an app. However, this can affect the popularity of your app, as most app users find the use of passwords quite inconvenient. Alternatively, you can program the cache to be automatically erased every time users reboot their mobile device. This is another meaningful solution to data caching vulnerabilities.
Adopting other developers’ code
Developing an app from scratch can be very time-consuming, but the availability of plenty of free code has greatly simplified the process. However, some hackers write code for unsuspecting developers: they publish it anonymously in the hope that application developers will pick it up. Through this, they gain easy and free access to any information of their choice after the app has been built and released.
Although it is never a bad thing to build upon other people’s ideas, it is essential to carry out relevant research before doing so. In order to avoid security issues, it is advisable to use code from reliable sources. So, if you’re looking to build upon the ideas of a third party, use sources you can trust. Always use verified and trusted sources for code, and be on the lookout for phishing scams by reading the code line by line.
Slow patching of app
Just because your app has been launched does not mean that you are done with the development process. Hackers are always on the move; they do not relent in their efforts to break into an app, and they work very fast. Most times, they search for apps with irregular security updates. Then they exploit these security gaps to bring down the app. It is good practice to perform regular security updates by revisiting the app often.
However, users on their own part may be unable to get these patches on time. This is because they have to accept and download them. Additionally, the approval process of a patch on an iOS platform can typically take up to a week. Obviously, patches can take a while to reach users. To this end, you can put user information at risk if you fail to stay right on top of new security updates.
When it comes to creating apps that deal with confidential matters such as personal information and customer credit cards, there is always no room for error. To any app developer, the repercussions of the smallest security breach can be highly catastrophic. As a matter of fact, it is your duty to protect both your app and its users. So, ensure to take all necessary precautions so as not to get caught unawares.
In my recent interview with Sam Shawki, the founder and chief executive officer of MagicCube, I wrote about getting a new Ram Truck and noted that it was a beast not just in size and towing power, but a beast of electronics and connectivity. According to Intertrust Technologies, the percentage of new cars shipped with Internet connectivity will rise from 13% in 2015 to 75% in 2020, and that in 2020, connected cars will account for 22% of all vehicles on the road. That number is sure to grow. More stats in the infographic below.
Not far from San Francisco International Airport, San Bruno is a quaint middle-class residential suburb, yet underground in San Bruno was a gas pipeline controlled by SCADA software that used the Internet as its communications backbone. On Sept. 9, 2010, a short circuit caused the operations room to read a valve as open when it had actually closed, spiking the readings coming from pipeline pressure sensors in different parts of the system. Unbeknownst to the families returning home from ballet and soccer practice, technicians were frantically trying to isolate and fix the problem. At 6:11 pm, a corroded segment of pipe ruptured in a gas-fueled fireball.
The resulting explosion ripped apart the neighborhood. Eight people died. Seventeen homes burned down. The utility, PG&E, was hit with a $1.6 billion fine.
The accident investigation report blamed the disaster on a sub-standard segment of pipe and technical errors; there was no suggestion that the software error was intentional, no indication that malicious actors were involved. “But that’s just the point,” Joe Weiss argues. “The Internet of Things introduces new vulnerabilities even without malicious actors.”
Joe Weiss is a short, bespectacled engineer in his sixties. He has been involved in engineering and automation for four decades, including fifteen years at the respected Electric Power Research Institute. He has enough initials after his name to be a member of the House of Lords—PE, CISM, CRISC, IEEE Senior Fellow, ISA Fellow, etc., all of which speak to his expertise and qualifications as an engineer. For instance, he wrote the safety standards for the automated systems at nuclear power plants.
The problem, Weiss claims, is using the internet to control devices that it was never intended to control. Among these are industrial systems in power plants or factories, devices that manage the flow of electricity through the energy grid, medical devices in hospitals, smart-home systems, and many more.
Continue reading this article on Quartz.
Threat actors have weaponized the Internet of Things (IoT) and connected devices.
They’re using unsecured IoT devices and creating botnets to launch catastrophic distributed denial of service (DDoS) attacks. This has given rise to the DDoS of Things (DoT).
Tripwire, Inc., a security company, recently announced the results of a study conducted in partnership with Dimensional Research. The study looked at the rise of Industrial Internet of Things (IIoT) deployment in organizations, and to what extent it is expected to cause security problems in 2017.
The big, not-so-surprising finding: 96 percent of IT security professionals expect an increase in cybersecurity attacks on the Industrial Internet of Things.
Yes, you should expect to get hacked.
Robert Westervelt, security research manager at IDC, said in a statement: “As Industrial companies pursue IIoT, it’s important to understand the new threats that can impact critical operations. Greater connectivity with operational technology (OT) exposes operational teams to the types of attacks that IT teams are used to seeing, but with even higher stakes. The concern for a cyber attack is no longer focused on loss of data, but safety and availability. Consider an energy utility as an example - cyber attacks could disrupt power supply for communities and potentially have impact to life and safety.”
Key findings include:
- 96 percent of those surveyed expect to see an increase in security attacks on IIoT in 2017
- 51 percent said they do NOT feel prepared for security attacks that abuse, exploit, or maliciously leverage insecure IIoT devices
- 64 percent said they already recognize the need to protect against attacks against IIoT, as they gain popularity with hackers
- 90 percent expect IIoT deployment to increase
- 94 percent expect IIoT to increase risk and vulnerability in their organization
The study was commissioned by Tripwire and carried out by Dimensional Research in January 2017. A total of 403 qualified participants completed the survey. All participants had responsibility for IT security as a significant part of their job and worked at companies with more than 1,000 employees. Survey respondents were based in the United States (278), the United Kingdom (44), Canada (28) and Europe (53).