By Hardik Patel
Welcome to the future, where even the refrigerator in your house, your insulin pump, and your business’s HVAC systems are linked to the Internet – the Internet of Things (IoT). Unlike the imagined future where the threat of smart devices was that computers and robots would be intelligent and evil, in real life the true threats are human. Every new device that gets hooked up is a new potential vulnerability that an attacker can exploit, to hack into that one device or to reach the network, but that threat won’t stop the IoT from growing.
In the same source, Gartner predicts that consumer devices will continue to account for the greatest number of connected things, while business use will account for the greatest spending. There are two classes of connected things to consider: (1) generic services or devices that can be used by any industry, such as HVAC, supply chain management, customer information security, and security systems, and (2) specific devices developed for particular industries, such as surgical equipment, transportation route trackers, and manufacturing process management. Other specific uses may include cars, heart monitors, wearables, building automation, home energy and utility automation, patient information management, and telematics.
But, as usual, this bright future is under threat from hackers and malware. These products are usually developed by experts in the service area, and not by network and security experts, leading to gaps in security and controls, and opening vulnerabilities in the IoT chain.
Security from the Start
As users of devices, there are some security issues that are simply beyond our control. Much security is in the hands of the manufacturers of IoT devices. Standards have to be created and adhered to, to ensure that security is designed into devices from the beginning, considering both software and hardware vulnerabilities. This is much like how industries such as aviation, food, and engineering have evolved safety standards to protect the people who use them. Companies that develop IoT devices should have a place in the development lifecycle specifically devoted to security, including extensive testing for hidden vulnerabilities, and industries should have published standards on what constitutes adequate security.
Raising awareness of security concerns is critical, as infrastructure like utilities, power grids, and hospitals depend on their connectedness to the IoT to manage their day-by-day functioning. Attacks on the IoT can result in nightmare scenarios such as power hacks, loss of life, and malfunctioning nuclear reactors.
Finally, manufacturers of devices have to consider security standards to protect against the accidental disclosure of personal information and privacy-protected healthcare information.
IoT for Businesses
Security for business relies on standard security principles, with a few additional ideas added, but it is worth enumerating some of these basic measures.
- Have a security policy in place that includes defining who has access to systems and why. Flexible, rapid-response account management ensures the accounts of people who no longer need access are updated as quickly as possible. Use perimeter protection and anti-malware protection, and log system activity (and review it regularly!) to identify unusual traffic. Keep security patches and software up to date. Your security policy should clearly outline roles and responsibilities for prevention, maintenance, and response. The policy should ensure data is secure, probably encrypted, at all stages, both at rest and in transit, with CA-signed SSL certificates installed on your web server protecting data in transit. Company-owned devices like laptops and cell phones should be secure in case of loss or theft.
- Implement a BYOD (Bring Your Own Device) policy for your network. Employees using their own devices in the workplace has become more common, and can even offer cost benefits to employers. However, data breaches can occur due to lost phones and tablets. The BYOD policy should specify that devices have anti-malware software on them that meets company standards, and that encryption is used at all times.
- Use a VPN to control access in and out of your network from remote sites to ensure that traffic only comes from secure and approved devices.
- Consider moving to cloud-based solutions, where your organization can take advantage of the security expertise already in place as a fundamental requirement for doing business in the cloud. The cloud is likely to offer expanded growth opportunities for the IoT by allowing expansion into internet services without an investment in infrastructure. This would allow, for instance, a healthcare equipment company or an appliance company to enter the market of networked devices for the first time, without having to set up new facilities.
- Consider turning to experts to help you with your security needs as well. The IoT security market has a wide variety of skilled, respected vendors, including Cisco, IBM, Intel Corporation, and Symantec, to name only a few. Some IoT security solutions that experts can help implement include identity and access management (IAM), device management, unified threat management (UTM), encryption, data loss protection (DLP), and DDoS protection, among others. You can engage with consulting services, managed services, and/or support and maintenance services.
- Educate your employees – and everyone else: Security always starts and ends with complete training, for employees, vendors, partners, and clients. Don’t leave the C-suite out – senior management often are among the least cyber-security-conscious people in an organization. An organization’s developers should be sent for expert training in creating secure devices for the Internet of Things so that security isn’t an afterthought. Make sure employees are aware of your security policies, and make sure your vendors and partners are not only aware of them but can meet the standards. Share security knowledge with your clients as well, and make it easy for them to have secure devices. As with all network security, ensure that your own employees know how to keep credentials secure.
- Don’t allow systemic carelessness: We’ve all taken shortcuts, or scribbled down a password – or at least, failed to log out of an application when we’re done with it. These small bits of carelessness can add up to a big security hole. Ensuring employees understand the risks of carelessness is a start, but it takes a company initiative to avoid negligent behaviors like weak passwords, sharing passwords, and not adhering to account creation requirements, all of which can lead to big issues.
- Don’t jump in too quickly: When new technologies arrive, it’s easy to get excited and want to jump in quickly ahead of the curve, giving your business a competitive edge, but this is a recipe for disaster. IoT contains a massive amount of personal information, financial data, healthcare information, and other information that can be stolen and used. Play it smart and make sure that your manufacturers can meet your security needs, that your infrastructure can be made secure, and that you have done the research necessary to use safe, networked products.
IoT in the Home
- Know what home devices you have that are connected: Before you can effectively secure your home network and devices, you need to know what is there. The average home in the U.S. has five networked devices, not including computers, tablets, and smartphones. Typical connected devices include game consoles, media systems, and anything with a microphone or camera.
- Know what information each device has access to, and also what the access points are – for instance, a cable connection, or an internet connection to an online application. Any point of access to any device, or any point of access between your devices and your network is a point of vulnerability and must be guarded.
- Password-protect your devices and accounts: Even your cell phone should be password-protected. Any device connected to an Internet-based account, or managed through one, should be protected. Use a strong username and password combination that includes letters, numbers, and symbols. Try to create random-seeming passwords – sometimes you can derive a “random” password by using the first or last letters of every word in a key sentence. Never reuse the same password for all your accounts. When you first set up the products, change passwords and keys from their factory settings to something personal.
- Secure your own network and avoid using or managing smart devices on non-secure networks: Password protection isn’t enough when you’re using networks in public places – unless your coffee shop uses strong security, any device management you do over your cappuccino is at risk. If you can avoid accessing IoT accounts from an open network, do so. To protect your home network, create a strong password for your own router, and change it regularly.
- Keep your smartphone and other devices safe and secure: Password-protect and encrypt your device, so if you lose or misplace it, a hacker won’t be able to use it to access your personal information and smart devices. There are mobile security programs that can back up your data as well as track your device’s location, and lock and wipe your phone remotely. Two-factor authentication, like a password and a security question, can also add a layer of security in case of device loss.
- Create a separate network on your router for your devices: Most routers enable multiple networks to be set up, and keeping your IoT devices on a separate network is another good layer of security. Hackers who are able to infiltrate one network don’t automatically have access to the others.
- Install or enable a firewall: A firewall is perimeter protection that helps keep viruses and worms – and hackers – from reaching your connected devices. Many modern operating systems offer a default firewall which you can enable. Third-party firewalls offer more security features and functions than the one that comes with your computer.
- Keep security patches up to date: Smart devices, just like network software and computer operating systems, regularly receive updates that address security flaws and other issues. Install updates as they are released to help you stay fully protected. Most updates will come to you automatically, but just in case, make a habit of checking manufacturer websites for updates and news.
- Disconnect devices when not in use: There are many reasons to turn off devices when they aren’t in use – energy savings and fire safety are a couple of examples – and one of the top reasons is security. If you’re not using a device and can turn it off, do so, particularly if it has a microphone and/or camera. Some devices, like smart thermostats and some medical equipment, will need to be on all the time and stay connected to the Internet, but other devices, like your TV and coffee maker, don’t require that. Turning them off closes off opportunities for incursion.
- Adjust default privacy settings: Devices and their online management apps usually feature privacy settings that can be adjusted, and the default is usually to pass more information than is necessary. Check your privacy settings and adjust them to a secure level with which you are comfortable.
- Make sure that any devices you buy and connect to the Internet are from companies with good, stable reputations.
- It’s easy to collect data through deployed devices, so as a consumer, ensure that any data being collected is actually required for the device to function. Do read their privacy and data usage policies, and if a device requires more information than it needs to do its job, bring it back and find another one that isn’t as nosy. Take note of whether your providers ask you to agree to share data from your smart device for marketing purposes or to share with third parties.
Many benefits can be realized from the Internet of Things. Medical devices can save lives, your home can be more comfortable, and your business can enjoy improved applications from customer service to HVAC. But while you’re setting up or creating your devices, take some time to focus on the security aspect of the Internet of Things.
This new realm is unknown, much like the oceans of earlier centuries. Hackers are the pirates of the internet, and gaining control over them is similar in many ways to fighting pirates. They have the means and opportunity, a high level of motivation, and ingenuity and nerve that law-abiding citizens simply don’t use for these purposes. So far, we are still at stages of exploration and discovery, and the hackers are right there behind us.
Hardik Patel is a Digital Marketing Consultant, Editor of News for Public and professional Blogger. He has 5+ years experience in Development, SEO, SMO, SEM, Online reputation management, Affiliated Marketing and Content Marketing. Find him on Twitter, Linkedin and Google+.