The Internet of Everything heralds a new kind of world for everyone. But it also requires a new way of thinking about IT security.
Don’t panic just yet: but in a few years, your fridge could become a target for cybercriminals. As the number of devices in the Internet of Everything grows, so does the likelihood that connecting these devices and networking them together could increase the number and type of attack vectors we will see in the future. And that means we need to think differently about IT security and the levels of protection needed for this new, connected world. Protecting all of IoE interactions is crucial in enabling people and organizations to benefit from these advances.
The IoE builds on the foundation of the Internet of Things, or IoT. By comparison, the IoT refers to the networked connection of physical objects (doesn’t include the “people” and “process” components of IoE). IoT is a single technology transition, while IoE is a superset that includes IoT.
Dima Tokar, co-founder and chief technology officer at MachNation, an Internet of Things (IoT) consultancy, says: “IoT brings efficiency to processes and infrastructure while introducing new technologies that bear security risks which need to be considered and addressed.”
He adds: “IoT devices create new attack vectors for hackers, which can be exploited to get access to sensor data and sensitive personal data. Hackers can also take advantage of poorly secured IoT solutions to interfere with processes and critical infrastructure.”
Thankfully, right now the level of risk from IoT-connected devices is largely a matter of conjecture, according toProfessor Rolf H Weber, an IoT expert who is chair for International Business Law at the Faculty of Law in theUniversity of Zurich, Switzerland.
“In theory the risk is substantial, but so far I have not yet seen examples of IoT technologies being compromised,” he says. “However, this could be since the IoT only has a limited practical volume for the time being, which makes it less attractive for hackers.”
What is clear, though, is that the advent of the IoT and the Internet of Everything will demand a re-think on security strategies.
According to the Cisco 2014 Midyear Security Report: “To some, it might seem far-fetched to think something as mundane as a wearable device for tracking fitness or a digital video recorder could pose a significant security risk or would be of any interest to a hacker.
“But as cars and other nontraditional computing devices start to resemble standard computing platforms more and more, they could be vulnerable to the same threats that target traditional computing devices.”
One of the security challenges with the IoT is that hackers could potentially gather much more personal data than at present.
The Cisco report warns: “When adversaries reach a point where they can begin correlating information from different sources … they will be able to gain a much bigger picture about a user than if they were looking at information from only one device, system, or application.”
How to deal with this growing potential threat? Experts say security may need to be built into the fabric of the IoT in an integrated way. Piecemeal or silo-based systems won’t do.
Organizations have a wide range of disparate technologies and processes to protect their information technology (IT) and operational technology (OT) networks, as well as their physical spaces. The combined IT and OT networks are evolving to become IoT networks, equally affected by the wealth of devices and increased attack surface the IoT brings. Decision makers in enterprises need to shift their vision of security to recognize that since every aspect of the network is now working together, cybersecurity and physical security solutions must also work together with a coordinated focus on threats.
Tokar says: “The security risks of an IoT solution are a combination of existing risks from each component of the value chain, as well as new risks introduced by the solution as a whole.”
Hence, he advises: “A secure IoT solution must not only rely on security best practices for each component used in the solution but also take a holistic pass at security end-to-end.”
Research from the SANS Institute predicts the biggest challenge for IoT security could be patch management, implying that software updates and the like may increasingly need to be delivered in a fully automated way via the network.
The fear that IoT devices could spread malware to companies, or be subject to denial-of-service attacks, were concerns voiced by 26 percent and 13 percent of people surveyed by the SANS Institute.
About half of respondents thought devices might pose a risk by virtue of being connected to the Internet. Almost a quarter felt the command and control channel to the device could be an attack risk, while 10.7 percent cited the device’s OS.
But the research also highlights how the IT community has got IoT security in its sights. About half of respondents said they were either completely prepared for it or could cope with minor modifications to their existing setups.
“Security professionals are already dealing with the first several waves of Internet-connected things and have begun to plan for the next wave of more diverse, more complex devices,” says the Institute’s report.
However, it adds: “The basic critical security controls … will face new barriers to success if manufacturers don’t increase their level of attention to security and if enterprise security processes and controls don’t evolve.”
Weber agrees that infrastructure and service providers may need to improve security measures. “Furthermore, data protection rules in cross-border data delivery must be strengthened,” he says.
MachNation’s Tokar concludes: “The best IoT solutions have tight end-to-end security. This includes securing the entire IoT value chain, from endpoint devices to networking infrastructure, applications, platforms, and connectivity.”