The Internet of Things (IoT) has burst into the connected world and promises much: from enabling the digital organization, to making domestic life richer and easier. However, with those promises come inevitable risks: the rush to adoption has highlighted serious deficiencies in both the security design of IoT devices and their implementation.
Coupled with increasing governmental concerns around the societal, commercial and critical infrastructure impacts of this technology, the emerging world of the IoT has attracted significant attention.
While the IoT is often perceived as cutting edge, similar technology has been around since the last century. What has changed is the ubiquity of high-speed, low-cost communication networks, and a reduction in the cost of compute and storage. Combined with a societal fascination with technology, this has resulted in an expanding market opportunity for IoT devices, which can be split into two categories: consumer and industrial IoT.
Consumer IoT products often focus on convenience or adding value to services within a domestic or office environment, homing in on the end-user experience and providing a rich data source that can be useful in understanding consumer behavior.
The consumer IoT comprises a set of connected devices, whose primary customer is the private individual or domestic market. Typically, the device has a discrete function which is enabled or supplemented by a data-gathering capability through on-board sensors and can also be used to add functionality to common domestic items, such as refrigerators. Today's "smart" home captures many of the characteristics of the consumer IoT, featuring an array of connected devices and providing a previously inaccessible source of data about consumer behavior that has considerable value for organizations.
Whilst the primary target market for IoT devices is individuals and domestic environments, these devices may also be found in commercial office premises -- either an employee has brought in the device or it has been installed as an auxiliary function.
Industrial IoT deployments offer tangible benefits associated with digitization of processes and improvements in supply chain efficiencies through near real-time monitoring of industrial or business processes.
The industrial IoT encompasses connected sensors and actuators associated with kinetic industrial processes, including factory assembly lines, agriculture and motive transport. Whilst these sensors and actuators have always been prevalent in the context of operational technology (OT), connectivity and the data processing opportunities offered by cloud technologies mean that deeper insight and near real-time feedback can further optimize industrial processes. Consequently, the industrial IoT is seen as core to the digitization of industry.
Examples of industrial usage relevant to the IoT extend from manufacturing environments, transport, utilities and supply chain, through to agriculture.
Fundamental security issues with the IoT
There are several security issues that are common to both the consumer and the industrial IoT.
IoT devices are often part of a wider implementation that is key to the overall functionality. Few devices exist in isolation, and it is the Internet component of the IoT that reflects that dependency. For a home or commercial office to be truly smart, multiple devices need to work in cooperation and for a factory to be smart, multiple devices need to operate and function as an intelligent whole. Whilst there are some exceptions to this, particularly in the consumer IoT, this reflects an immaturity in the implementation of the final vision of a connected interdependent world. As devices can come from different manufacturers, and there is a considerable complication of standards and protocols, many devices cooperate based on trust. This is because they have no ability to validate incoming data or instructions from other devices, providing an inherent contrast to the growing popularity of "zero-trust" models. It means that the devices can be vulnerable to forged or manipulated instructions and therefore to attempts to hack the IoT device itself or other directly or indirectly connected systems.
The IoT technical characteristics described previously preclude several security controls -- such as encryption, authentication, certificate management, validation and logging -- for reasons of practicality, aesthetics or cost. Without these fundamental security controls in place, the capability of a device to be secured is very limited, and basic security design is often neglected consequently. In the industrial IoT in particular, a design assumption is frequently made that the industrial operation is technically isolated from other systems and security controls are therefore not required. In practice, this design assumption is flawed and exposes the IoT devices, and connected ICS systems in that environment, to both internal and external threats.
The IoT incorporates many use cases in both the consumer and the industrial modes, and the design lifetime of these devices will similarly vary according to those use cases. From the fashionable, relatively disposable, low-cost device that is quick to market and quick to be superseded by a new version, to the newly built smart factory that requires considerable investment, the life expectancy of a device can vary from six months to 30 years. For a device that is expected to be obsolete in six months and whose functionality has a low criticality, the ability to update and patch that device may be perceived to be less important than for the device which supports critical national infrastructure over 30 years. The difficulties in being able to update and patch are common to both consumer and industrial IoT, and reflect lack of input devices, difficulties in access to the device, and the impact of downtime. The associated impacts, however, can be dramatically different.
There are countless different types of IoT devices on the market in both the consumer and industrial space. However, removing the cover of the device often reveals a discrete number of components and manufacturers, such that the ecosystem is relatively homogeneous. This means that a vulnerability discovered in a single commonly used component can have an amplified effect and result in thousands of models of IoT devices sharing the same vulnerability.
The target market for IoT is so vast that, for both consumer and industrial deployments, only a very low level of technical expertise can be assumed for the user. In the consumer market, the user is presumed not to be capable of tasks that are familiar in the IT world, such as resetting passwords, installing malware protection or configuring the device. Consequently, devices may simply not offer that capability. A device that is useable out of the box (plug and play) is typically the market requirement. Similarly, in the industrial environment there will be a low tolerance for additional training for staff and those working in a fast-moving operational environment will not be motivated to spend time correctly setting up a new device. Such low expectations over setup and maintenance for IoT devices means that the security bar is set at its lowest, if set at all.
IoT devices typically generate large quantities of small pieces of data from their sensors. To make best use of this data, and to infer information and value from it, it needs to be analyzed and stored. This is not the job of the device itself as they simply do not have the capacity to do this. External storage sources, such as cloud services, tend to fulfil this role. However, it is likely that over time manufacturers and smaller supporting cloud services will go out of business or fail to safeguard this data, resulting in the data being lost or abandoned and inaccessible to the user. This will give rise to the "Internet of Abandoned Things," with implications for both consumers and industry as valuable data and devices are rendered useless.
By far the most problematic element for the IoT is connectivity between OT (operational technology) networks supporting IoT devices and IT networks supporting office-based IT. A weak point in security is where the consumer IoT, the industrial IoT and the OT and IT world combine and overlap. This can be by design or by coincidence but can result in joined networks running significantly different protocols, different states of patching and different vulnerabilities, all creating an environment that is attractive to malware. Office and IT networks that have consumer IoT devices installed on them may find that these devices constitute weak points that may be exploited on their network and used in a steppingstone attack. Conversely, for industrial environments, the relative lack of security of IoT devices makes them, and the industrial processes that they support, vulnerable to malware and attacks originating from a connected IT network. Whilst it is common practice to separate the networks, this can give a false sense of security since it is often bridged deliberately or accidentally.
There is commonality between the security issues mentioned above across consumer and industrial IoT, but they may manifest themselves in different ways.
The IoT is a reality
The IoT has become a reality and is already embedded in industrial and consumer environments. It will further develop and become a critical component of not just modern life, but critical services. Yet, at the moment, it is inherently vulnerable, often neglects fundamental security principles and is a tempting attack target. This requires a change.
There is a growing momentum behind the need for change, but a lot of that momentum is governmental and regulatory-focused which, as history tells us, can be problematical. The IoT can be seen as a form of shadow IT, often hidden from view and purchased through a non-IT route. Hence, responsibility for its security is often not assigned or misassigned. There is an opportunity for information security to take control of the security aspects of the IoT, but this is not without challenges, amongst them skills and resources. Nevertheless, there is a window of opportunity to tame this world, by building security into it. As most information security professionals will know, this represents a cheaper and less disruptive option than the alternative.
In the face of rising, global security threats, organizations must make systematic and wide-ranging commitments to ensure that practical plans are in place to acclimate to major changes soon. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles. Enterprises with the appropriate expertise, leadership, policy and strategy in place will be agile enough to respond to the inevitable security lapses. Those who do not closely monitor the growth of the IoT may find themselves on the outside looking in.
— Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity, digitalization and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.