Where are security and data governance in IoT?
IoT Back to Basics, chapter 3: It’s no surprise that security and governance are important considerations when it comes to the IoT, but quite how incredibly important they are may not be immediately obvious.
Ensuring that users of IoT systems and smart devices remain safe and secure – which requires that their data stays protected and carefully governed – is vital if businesses and public sector institutions are to initiate successful IoT projects. There isn’t just the risk to a user’s privacy, and the possibility of big fines from regulatory bodies when things go awry, but also the issue of reputational risk and the commercial consequences of confidence in your brand being undermined.
Of course, security should be high on the agenda in all areas of IT. A targeted and sustained ransomware attack on the NHS, in May last year, was just one example of how sophisticated some of the hackers – and their malware – have become. At a machine data analytics conference last year, the chief security officer at Travis Perkins, a British builders’ merchant and home improvement retailer, told us that his organization had faced 3,851 ransomware attacks in just one month last summer.
Attack surface
The extra problem with IoT is that it vastly increases the potential ‘attack surface’ – there are more connected devices and gateways, and hence more areas of potential vulnerability, which gives those with nefarious intent greater opportunity to wreak havoc. And while many existing technologies and data governance methodologies can also be used in the era of IoT, they cannot make up for the broader attack surface.
Some of the ‘things’, such as sensors, are relatively dumb and therefore unlikely to bring much gratification to hackers. There’s not a huge amount of twisted satisfaction to be gained from interrupting temperature or wind-speed readings from a sensor in a wind turbine, for example.
But when you consider that IoT also includes the likes of connected vehicles, wear-at-home medical devices, industrial and hospital equipment, you can see why security is such a vital consideration.
For instance, in 2015 a group of researchers from the University of California, San Diego, discovered a serious weakness in vehicle security that allows hackers to take remote control of a car or lorry, thanks to small black dongles that are connected to the vehicles’ diagnostic ports.
These are common in both cars and lorries, fitted by insurance companies and fleet operators, as a way of tracking vehicles and collecting data such as fuel efficiency and the number of miles driven.
But the researchers found that the dongles could be hacked by sending them SMS text messages, which relayed commands to the car’s internal systems. The hack was demonstrated on a Corvette, where the researchers showed they were able to apply the brakes or even disable them (albeit as long as the car was at low speed).
You can imagine the repercussions of such a hack as we move ever-closer to driverless cars.
Home invasion?
There have been other worrying security lapses around IoT that give pause for thought. In 2013, for instance, the US Federal Trade Commission (FTC) filed a complaint against TRENDNet, a Californian maker of home-security cameras that can be monitored over the Internet, for failing to implement sufficient security measures.
TRENDNet’s cameras were hacked via the Internet, leading to the display of private areas of users’ homes on the Web, and allowing unauthorized surveillance of adults as well as children going about their usual daily lives. As well as an invasion of privacy, there was the potential that such covert surveillance could be used to monitor the comings and goings of the occupants of a premises, and hence give rise to further criminal activity once the hacker knows when there is no one at home.
Clearly, some IoT initiatives have different risk profiles to others. For instance, ‘white hat’ hackers last year demonstrated that they had been able to hack into a smart domestic appliance network and turn off ovens made by the British company AGA. Being able to turn them on and adjust the temperature would be more dangerous, but the ramifications are still worrying.
Another penetration testing company discovered that hackers could remotely compromise a connected kettle with relative ease and thus potentially gain unfettered access to a person’s wireless network, from which they could change DNS settings and monitor all web traffic for access to bank accounts and other sensitive data.
It’s obvious that the companies involved in implementing IoT need to be just as sophisticated about their security processes and protocols as the most sophisticated hackers – but time and again we have seen companies outsmarted by either ‘white hat’ or, worse, ‘black hat’ hackers.
The potential security risks around IoT are very real
Organizations contemplating the benefits IoT projects (or in the case of local or federal government, their citizens) would be wise to consider security and data governance very carefully indeed. Authentication and authorization technologies are likely to be necessary. Data masking (removing attributes that would enable a hacker to identify specific people and their habits, for instance) may also be called for, and in some cases even mandated by law.
Ensuring privacy is also an issue. While some consumers or citizens are quite happy to share various data with organizations, others are not. Organizations must therefore ensure that they ask users to ‘opt in’ to IoT-related projects or systems, rather than opting them in without explicit consent (even if they subsequently offer an opt-out).
Companies that don’t do this run the risk of annoying customers and falling foul of auditors and legislators. If potential fines are not sufficient to deter some companies from taking security and data governance seriously, the potential reputational damage certainly should be!