Securing the IoT Requires Multiple Lines of Defense

To reduce the risk of a hack, a company needs to look at all the ways data is collected, analyzed and shared, and how devices can be accessed, controlled and managed.
By Claire Swedberg

According to a spokesperson with the U.S. Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT), the DHS's primary concern with regard to cybersecurity and the Internet of Things is that viruses, malware and cyber-attacks could cause objects to cease functioning entirely. For example, malware injected into the software controlling a refrigerator could simply shut that appliance down, spoiling the food or medicines stored within. It would be a simple and highly effective way to wreak havoc.

The solution on the device side may lie in the hands of the manufacturers. It doesn't make sense for users or systems integrators to install antivirus software or firmware in every sensor or device like a refrigerator. Such firmware or software must be built into products at the point of manufacture.

On the other side of IoT device security is the actual eavesdropping on a device, or the collecting of data that belongs to a user. The collection of such data has a more tenuous benefit for those with malicious intent. Information stolen from connected things would not necessarily lead to cash, the ICS-CERT spokesperson told me, or to personal data such as credit card numbers that could be sold for cash, "which is a main motivator behind today's cyber-attacks."

However, with the IoT's vulnerability to eavesdroppers in mind, users need to be sure that their IoT systems are isolated from corporate or engineering data, and from other networks. Systems should be completely standalone, while the devices themselves should be rigorously protected against any changing of their controls.

Dan Lohrmann, the chief security officer at Security Mentor, which provides companies with security awareness training, has warned that IoT devices that process less-sensitive data could become "back-doors" into networks containing more sensitive information. For example, a Wi-Fi-connected kitchen appliance might provide a trusted connection to a PC with tax information stored on it.

ARC Advisory Group, a technology research and advisory firm for industry and infrastructure, reports that the necessary technology, such as antivirus software, exists to build secure IoT deployments. However, ARC notes, suppliers also need to understand end-user concerns and constraints in order to configure secure solutions. This includes the expected IoT use cases, the most likely cyber threats and a system-management strategy.
