
Cyber security and the IoT

21st April 2020
Joe Bush

Digitisation and the increasing connectivity provided by the Internet of Things (IoT) bring enormous opportunities, but also unforeseeable risks and serious vulnerabilities that can be exploited by new forms of cyber crime. Joe Lomako, Business Development Manager (IoT) at TÜV SÜD, explains the link between cyber security and the IoT.

In the UK 32% of businesses reported having cyber security breaches or attacks in the last 12 months (Cyber Security Breaches Survey 2019 – UK Government Department for Digital, Culture, Media and Sport).

Every coin has two sides, and the same technologies that enable value creation in an IoT product also create attack vectors. For example, IoT botnets have been used in some of the most prominent Distributed Denial of Service (DDoS) attacks. Hackers create botnets from a variety of IoT products by scanning the internet for devices with easily compromised passwords. DDoS has become so pervasive that the software can be rented hourly on the dark web.

Ransomware is another attack that is growing in frequency. In a traditional ransomware attack, hackers encrypt critical data. The decryption key is shared after the victim has paid a ransom, typically in Bitcoin. Imagine being on a business trip and being told that your thermostat was hacked and set to the maximum temperature. Device availability can be critical in many such scenarios. Although devices can be reset, it is often a challenging process for a typical customer, and the loss of data and settings can be problematic.

A type of cyber attack that is exclusively in the IoT domain is device remote control. Imagine hearing a stranger’s voice coming from your two-year-old daughter’s room and realising that your baby monitor had been hacked. Dr. Yossi Oren, a lecturer at Ben-Gurion University in Israel, found that many baby monitors remain easy to hack, despite publicity of numerous previous incidents. As device connectivity becomes pervasive, there is a growing risk of physical harm caused by remote control of vehicles, ovens, healthcare devices, and other consumer products.

Vulnerability considerations

To use the opportunities offered by the Industrial Internet of Things (IIoT), companies invest in connected production facilities. However, cyber criminals are rapidly developing and adopting new forms of attack to hack into the networks of companies and critical infrastructure. Given this, ongoing investment in cyber security is crucial to keep up with technological development. ‘Security by design’, which considers the security requirements for software and hardware right from the design and development phase, is one possible solution for avoiding security gaps.

Investment in new IT landscapes or company acquisitions represents complex and often very challenging projects. In this situation, companies often forget to disconnect equipment that is obsolete or no longer needed. This ‘shadow IT’ offers convenient gaps for cyber criminals to hack into company networks. Risks can be minimised by monitoring the security of the IT infrastructure and clearing out outdated equipment and software.

Cyber attacks are increasingly implemented with the use of machine learning and AI. ‘Pattern matching’, i.e. checking values against known patterns, is no longer enough to ward off these attacks. Given this, companies should focus on identification of anomalies and also use artificial intelligence (AI) in their cyber security efforts. By taking this approach, they can identify unusual activities at an early stage.

Many companies use sophisticated technological methods, such as threat intelligence services and penetration tests, to identify IT vulnerabilities – but unfortunately neglect their staff's IT security training.

Increasingly companies are moving cyber security up to the status of being a management issue. Given this, cyber security is becoming a focal topic not only for IT managers, but increasingly also for C-level management in operational business. However, executives and IT experts often do not communicate effectively and adopt vastly different perspectives on many issues. In this case, communication that is appropriate for the respective target group is helpful. Otherwise, communication problems may delay the necessary investments in IT security.

IoT product security

Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021. There is good reason why sales of cyber security products are growing at twice the rate of GDP. In the age of the IoT, every connected consumer device, from homecare monitors to kids’ toys, is a potential threat to data security and privacy. Proactive holistic security planning enables a manufacturer to manage cyber security risk while avoiding costly product recalls, design changes and heavy penalties.

So are manufacturers doing enough to mitigate the risk of cyber crime and to embed data protection? Preventative security measures should be both end-to-end across the technology stack and integrated across the product lifecycle and IoT ecosystem. They should cover design and manufacturing through to implementation and product obsolescence, and be continuous.

End-to-end cyber security decisions entail trade-offs between security level, system complexity, time-to-market and cost. This process begins with an assessment of the business impact and probability of risks. Without clearly understanding and prioritising risks, it is not possible to determine the security requirements of individual technology components or of the IoT system as a whole.

After risks are understood, the next step is to evaluate the technology compilation. Testing of the individual components against requirements determined by the risk assessment is the foundation of a secure product. Security is very difficult to install as a software add-on after product development. Every aspect of the product must be assessed for vulnerabilities, including device hardware, wireless communication modules and protocols, device firmware, cloud platforms and applications. Following component testing, an end-to-end assessment should be performed to determine the attack resilience of the individual components and support services. This should be continuous, implementing a process of security validation for updates.

Mature consumer IoT companies go beyond embedding security into their products - they study customer behaviour to identify and minimise user-generated risks. Product manufacturers need to think through unintended misuse by the consumer and ensure that consumers are made aware of potential issues. An additional benefit of this approach is that it adds value to the final product.

Regulatory requirements

While there are defined standards available globally, they are neither complete and ratified nor mandatory. However, they do represent a first line of defence, and as a first step, think ‘secure by design’ and take a proactive approach to cyber security. Recognise that attacks are ‘when, not if’ scenarios, ensure up-to-date compliance with ALL standards, and constantly review ‘cyber resistance’ status.

Many consumer product manufacturers, whilst having internal security knowledge, will nevertheless benefit from working with external advisors who have wider exposure to assessing various types of product or infrastructure and are better equipped to help manage threats. Building a network of trusted partners is a strong first step towards planning cost-effective end-to-end security. Tackling the problems of cyber security risks can, after all, only be realised by comprehensive planning, periodic evaluation, updates and monitoring - from design through to obsolescence.
