Conventional approaches to IT security will leave the Internet of Things (IoT) vulnerable to devastating attacks, according to Alan Grau, president of Icon Labs. The firm produces security products and an accompanying framework for manufacturers of embedded and IoT devices.
"Security must be built into the device itself," Grau told Design News in a recent interview. Designing such protection "provides a critical security layer -- the devices are no longer dependent upon the corporate firewall as their sole layer of security. In addition, the security can be customized to the needs of the device."
With proper design from the ground up, Grau said, an endpoint can be "hardened" via such measures as "secure boot, authentication, and intrusion detection."
The concept of decentralized security should be nothing new to security experts, according to Grau. "It's actually similar to where the personal-computing world has gone," he told us. "Every PC has its own protection, its own firewall. On your Android phone or iPhone, when you download an app, the phone validates the app to make sure it's all right to use. All of those same capabilities need to be in IoT devices, as well."
ABI Research estimates that the installed base of active wireless connected devices exceeded 16 billion in 2014. The firm expects that number to more than double by 2020 to reach 40.9 billion. One survey of technology executives found that 62% of them "had already adopted IoT-based systems or had plans to do so." However, 39% said privacy and security were the top barriers to investment in IoT, ahead of questionable ROI and lack of a use case.
A report from HP expressed the concern that network effects can multiply the vulnerabilities. A security problem on a single device "can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business." HP researchers studied 10 of the most-deployed IoT devices in such applications as TVs, webcams, thermostats, sprinkler controllers, door locks, and security alarms. All devices included mobile apps for remote access and control; most devices included cloud service in some form. HP's study revealed considerable vulnerabilities:
- 90% of devices "collected at least one piece of personal information" through the mobile app, the cloud, or the device itself.
- 70% of devices employed unencrypted network service.
- 80% of devices and associated apps and cloud services "failed to require passwords of a sufficient complexity and length."
HP echoes Grau's assessment that IoT security must start at the device level. HP's researchers noted that many of the vulnerabilities they uncovered are "low-hanging fruit." Basic security controls, "once put in place, can raise the security posture of a device significantly."
Grau stressed, however, that IoT security needs to begin at the product design phase, a point the HP report also echoed: "Implement security and review processes early on so that security is automatically baked in to your product."
Last year, tech security firm Proofpoint claimed to have uncovered the first proven IoT-based cyber-attack. In this attack, hackers took over some 100,000 smart household appliances and used them as "botnets" to send out waves of 750,000 malicious email communications.
The hijacked devices included appliances such as home routers, multi-media centers, and televisions -- and at least one refrigerator. Proofpoint said the incident proves that cyber criminals "have found a target-rich environment in these poorly protected Internet-connected devices that may be more attractive and easier to infect and control than PCs, laptops, or tablets."
The breach was possible because of "misconfiguration and the use of default passwords [that] left the devices completely exposed on public networks, available for takeover and use."
Icon Labs will be a key speaker on industrial cyber security at Design & Manufacturing Canada in Toronto, June 16-18, a Design News event. It is part of a comprehensive education conference program on smart factories of the future.
Al Bredenberg is a writer, analyst, consultant, and communicator. He writes about technology, design, innovation, management, and sustainable business, and specializes in investigating and explaining complex topics. He holds a master's degree in organization and management from Antioch University New England. He has served as an editor for print and online content and currently serves as senior analyst at the Institute for Innovation in Large Organizations.