Where there is technology at play, you can be pretty sure there will be associated risks and the Internet of Things (IoT) has not been immune to these.
The initial risk the IoT industry faced was that they would move too fast and technology adoption would outpace security.
According to Jon Tullett, research manager – IT Services for Sub-Saharan Africa at International Data Corporation (IDC) that is exactly what happened.
“We’ve had plenty of instances already of IoT devices being attacked, subverted and poisoned. All the things that we described as being potential risks have happened and it has really shown that the malicious actors are very much on top of the technology. They understand how to use it, and how to take advantage of it and turn it into profit,” he says.
Despite this, Tullett believes the industry is starting to turn it around. “The industry is taking security much more seriously. They understand that although applying security means costs and delays, that it is part of the process and not something you try to avoid.”
He says that while the risks are still the same, they are being approached in a much more mature fashion.
“Denial-of-service attacks remain one of the biggest risks faced by the industry. So, if part of your business relies on IoT, you need to know what the risk of being knocked out of commission would be. Whether that is at a network or application level, there are risks. So, if you’re looking at building LPWAN based IoT networks, what are the risks that somebody might jam that network or that the service provider might be unavailable?”
There is also the risk of devices being compromised and used for attacks on someone else in distributed denial-of-service (DDoS) attacks.
“Once compromised, these devices can either be used to steal data or, more subtly, poisoned to feed incorrect data back. A famous example of that would be the StuxNet attack on uranium centrifuges. That was a classic example of an IoT attack. It was very subtle yet very damaging.
“These attacks generally take place over a long period of time, so you won’t detect it as an attack and then suffer damage. You only realise way too late that something has happened,” says Tullett.
When devices are poisoned, the data you build up over time becomes compromised, which has a direct impact on analytics and ultimately decision-making.
“Knowing what the threats are, you then need to turn the discussion to what to do about it. That comes down to standard security practice, but I think in IoT things scale up and become more interesting. You do the usual stuff like intrusion and anomaly detection and it’s stuff that the security world knows, loves and does well,” says Tullett.
“The subtler data level attacks become more interesting, however. That’s where your analytics at scale starts looking a lot more like machine learning. An example here would be having one sensor reporting that another sensor is misbehaving because it understands what it should be reporting. It also involves putting checks and balances in place that will let the network self-remediate.”
When you have a network of many thousands of devices it becomes a lot harder to manage them one by one. Tullett says the only solution here is to start looking at them as a community, ensuring the community can respond to something that is going wrong and act.
“It evolves the security picture immensely and, in a sense, this is where the IoT world is almost positioned to take the lead. We are starting to see a ton of security interest in advanced analytics and it may well be that IoT will be at the forefront of it. So, IoT can go from being right at the back of the race in terms of security to starting to look like a frontrunner.”