Whose responsibility is IoT security?

Posted On 22 Nov 2018

Internet of Things (IoT) technology is accelerating at such a pace that it can create serious problems for which organisations may be ill-prepared, or which they may not even comprehend. Several flags have been raised about the safety of IoT technology, and the debate still centres on who is responsible for the security of these devices.

The term IoT refers to the ever-growing network of physical objects that feature an IP address for Internet connectivity and the communication that occurs between these objects and other Internet-based devices and systems. When the Internet first originated in the mid-90s, it was a utility only accessible through computers and dial tones. Now its reach is far and wide, and IoT technology includes everything from wearable devices equipped with sensors that collect biometric data to smart home systems that enable users to control their lights and thermostats.

PSI asked Kim Loy, Director of Technology and Communications at Vanderbilt, to give us an overview of the huge take-up of IoT devices and the potential security implications we will be facing as a result. She told us:

There are already millions of smart home devices in the world, including intelligent alarms, locks, lighting, baby monitors, thermostats and televisions. It is predicted that there will be more than 21 billion connected devices by 2020. Gartner recently predicted that IoT security spending would hit $1.5 billion by the end of the year, up 28 percent from 2017, and is expected to more than double to $3.1 billion by 2021.

IoT devices typically come with built-in electronics, software and sensors, and their design is built around convenience. But are we paying enough attention to security when designing these devices?

Unfortunately, all cyber hackers require is one weak link to infiltrate a system before spreading throughout a more comprehensive network. For instance, smart vending machines on a college campus were recently used as a starting point to launch a cyberattack against an unnamed university in the United States.

Attackers employ a variety of methods to infiltrate devices and use them to gather, process and transmit data. The more information the device can transfer, the more valuable it becomes, making this hijacking more tempting and rewarding.

Building a secure IoT device

This vulnerability demands a strong and concerted focus on ensuring the thorough protection of devices used within the IoT, as we’ve seen occur in other areas. In the IT industry, for example, customer demand sparked the change to deliver robust security protocols, which manufacturers then implemented. Now companies like Microsoft and Apple openly fix software vulnerabilities on a regular basis, and no gloss is taken off the prestige of their brand for doing so, as this is what the consumer expects and wants of these software giants. This is the same mentality that needs to be adopted by IoT manufacturers.

To help spur this shift toward IoT device security, manufacturers must deliver solutions that are protected from threats. This can be done through constant and consistent testing of the devices long after they are introduced to the market. Hackers wishing to do harm will stop at nothing to break into IoT-connected devices, taking every avenue to discover vulnerabilities. But a manufacturer that spends valuable resources to continue testing and retesting will be able to identify any issues and correct them through regular software updates and fixes to deliver a secure device to consumers.

IoT security responsibility

IoT security responsibility falls on a number of entities: the organisation, the manufacturer and the user. Many manufacturers are including the protection of these devices in their product design plans before anything is built. Protocols are developed to ensure everything is encrypted, all communications are monitored and multiple types of attacks are considered for defensive purposes to provide the best security possible. For example, built-in protection mechanisms send some systems into protection mode once they are attacked by an outside source. While the system will remain operational and still be able to communicate out, it will start to shut down elements of itself to protect from further attack.

Many people think that an organisation is the most responsible for IoT security; after all, if a company is managing a network, one would expect it to protect the network as well. This can be attained by adapting a user-centric design with scalability, tactical data storage and access with appropriate identification and security features (for example, the use of multilevel authentication through biometrics in access control). Organisations must also use their IT team to strengthen the overall cybersecurity of the IoT by keeping up with the latest software updates, following proper data-safety protocols and practising vulnerability testing.

Finally, users must also be responsible for a reasonable amount of control over IoT security. Despite the protection delivered by the organisation and manufacturer, there’s always the option for IoT security to be enhanced or possibly even diminished by the individual user. It’s critical that best practices for data protection are in place every time an individual uses a device that is connected to the network. These include disabling default credentials, proper password etiquette, safe sharing of sensitive information and the instinct to avoid any suspicious activity or requests.

IoT security doesn’t have to be an afterthought. Through careful evaluation when making purchasing decisions and looking further than simply the latest tech gadgets that can flush your toilets and turn on your lights from the palm of your hand, true security can be achieved. It just takes research and the ability to ask questions – along with trustworthy manufacturers that take security to a whole new level and are ready for any challenge.