Securing the IoT Requires Multiple Lines of Defense

To reduce the risk of a hack, a company needs to look at all the ways data is collected, analyzed and shared, and how devices can be accessed, controlled and managed.
By Claire Swedberg

ARC is conducting a survey, known as "Industrial Internet of Things Cybersecurity – 2015," that it hopes will shed some light on security issues. The company launched this survey because a lot of its end-user clients expressed concerns regarding cybersecurity implications, "and this seems to be a serious roadblock to adoption," says Sid Snitkin, ARC Advisory Group's VP and general manager for enterprise advisory services. IoT end users are being asked how likely they are to collect and analyze information within their facility, share data with service providers, allow a supplier to remotely change control parameters, or enable someone to remotely control device performance in the field. Any of these actions could require a unique security strategy, and much of that may fall on the device makers. Other questions focus on how data is being collected.

Under its enforcement authority, the Federal Trade Commission (FTC) can investigate and take action against deceptive and unfair practices. In the future, the industry can expect that the FTC will have some oversight for devices that fall within the Internet of Things when it comes to deceptive marketing or unfair business practices. However, its role with regard to the security of IoT systems is less clear. The FTC will likely offer IoT user tips and suggested best practices to businesses.

As the number of IoT products and sensors grows, other federal agencies are likely to drive research and develop policy around security. For instance, the U.S. Department of Health and Human Services and the U.S. Food and Drug Administration will help to protect patient health data as it is transmitted via IoT devices. Expect the U.S. Department of Transportation to be involved in such technologies as self-driving cars.

Finally, there is the issue of data-transmission security. Companies are developing solutions dedicated to better securing data as it passes from a device to a server. One example is Secret Double Octopus, an Israeli startup that seeks to offer a scalable alternative to standard encryption. Raz Rafaeli, the firm's chief executive officer, likens the solution to a paper shredder that can "unshred" the data once it reaches its recipient. Instead of encrypting data and requiring an encryption key to unlock that information, the system breaks it down into many small pieces, each sent along a different route to the server, where it can then be restored to its original form. The multiple transmission routes that Secret Double Octopus employs to send data can include the public Internet, virtual private networks (VPNs), Google Drive and Amazon Web Services (AWS). The company is currently testing its solution with a large firm that, according to Rafaeli, cannot yet be named.
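The article does not say how the pieces are derived, so the following is an added illustration of the general "split across routes, recombine at the server" idea and not Secret Double Octopus's algorithm. It assumes an n-of-n XOR split and contrasts it with plain chunking, whose pieces each expose readable fragments; the function names and the sample sensor message are constructed for the example.

```python
import secrets
from functools import reduce

# Route names taken from the article; here they are only labels for the shares.
ROUTES = ["public-internet", "vpn", "google-drive", "aws"]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split(message: bytes, n: int) -> list[bytes]:
    """n-of-n XOR split: n-1 random shares plus one that XORs back to the message."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(message)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, message))
    return shares

def combine(shares: list[bytes]) -> bytes:
    """Recombine at the receiver; every share is required."""
    if not shares or len({len(s) for s in shares}) != 1:
        raise ValueError("shares missing or of unequal length")
    return reduce(xor_bytes, shares)

def naive_chunks(message: bytes, n: int) -> list[bytes]:
    """Plain 'shredding': cut the message into n consecutive pieces."""
    size = -(-len(message) // n)  # ceiling division
    return [message[i:i + size] for i in range(0, len(message), size)]

def leaks_plaintext(piece: bytes, message: bytes, min_len: int = 6) -> bool:
    """True if the piece contains any min_len-byte run of the original message."""
    return any(message[i:i + min_len] in piece
               for i in range(len(message) - min_len + 1))

# Constructed sample payload, not from the article.
SAMPLE = b'{"device":"pump-7","temp_c":81.4,"valve":"open"}'

if __name__ == "__main__":
    shares = split(SAMPLE, len(ROUTES))
    for route, share in zip(ROUTES, shares):
        print(f"{route:16} {share.hex()[:24]}...  leaks={leaks_plaintext(share, SAMPLE)}")
    for route, chunk in zip(ROUTES, naive_chunks(SAMPLE, len(ROUTES))):
        print(f"{route:16} {chunk!r}  leaks={leaks_plaintext(chunk, SAMPLE)}")
    print("recombined:", combine(shares) == SAMPLE)
```

An observer who captures every route can still recombine the message, and XOR shares carry no integrity protection, so a scheme like this depends on the routes being independent and on each share being authenticated.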

No security is stronger than that of a user's own employees, however. Ensuring that you've hired reliable individuals to oversee your IoT system is the first line of defense.

Claire Swedberg is a senior editor at RFID Journal and a freelance writer for IOT Journal.
