Let’s first of all define what the IoT is. There are a few definitions, but when you mention the IoT most people think of internet connected fridges that automatically order milk when you run out. Simply put, the IoT is smart devices linked by wireless networks. Rather than providing a computing service, the scale of the IoT is much broader, encompassing how we interact with our environment. Typical IoT devices are driverless cars, biometric security devices, and industrial robots. Siemens reckon that there will be over 26 billion IoT devices by 2020. Others think that the IoT will really take off as 5G technology becomes commonplace.
The first true IoT device is thought to be the Bank ATM introduced in the early 1970s.
As with the Internet, the IoT has security issues. The standard Internet Security tactics are not sufficient for IoT devices, and the potential impact of a security breach in an IoT device can be much more severe. Internet Security for the IoT is a key consideration when designing IoT devices.
This scenario arises from the implicit trust that IoT devices share. Very often devices automatically share data without it first passing through a check to see if it contains malware. This has the potential in the worst case for very serious or even fatal consequences.
The first serious IoT attack was the Mirai botnet in 2016. It attacked internet routers and webcams, taking them over and propagating itself as it traversed the Internet. In a second stage, it launched attacks that flooded DNS servers, taking them out of service, and effectively shutting down the Internet for millions of users. Unfortunately, the source code for Mirai is readily available, so there are frequent outbreaks of Mirai look-alikes, making it a continual battle between the hackers and the defenders against malware.
And it’s only going to get worse. According to Gartner, threats and attacks will increase as more IoT devices are rolled out. They estimate that the IoT security spend will reach at least $547 million in 2018.
The type of threat and its purpose will move away from mischievous or malicious damage. Industrial espionage is expected to be a major threat with technology embedded in commonplace items not normally considered as threats. For example, a IoT doll that could record conversations has been banned in Germany. In Finland, a denial of service attack shut down a building’s intelligent heating system, leaving the residents in the cold.
To parallel the increased type and range of threat, IoT malware defences need to also become more sophisticated. They need to be much more than just software, firewalls and anti-malware appliances.
Designers and users need to become much more aware of the potential for threats and malfunctions.
The place to start is at design time. When an IoT product is designed, the IoTSF (Internet of Things Security Foundation) recommend that the designers carry out a risk assessment to try to identify potential security problems and define and build in countermeasures. Ericsson go further and recommend regular security checkpoints during the product lifecycle.
The reason for continual monitoring is because a product may be very secure in its initial release to market, but becomes less so as it receives software updates.
Another recommendation is to create an incident response plan. The plan is part of a process of continual monitoring of IoT devices. Hackers will sometimes leave tracks as they investigate and test malware defences. If tracks are found, IT specialists can enhance malware defences on the potentially compromised IoT device Normally, enhancing security controls is sufficient, but it may be necessary to reverse software updates or even switch off compromised devices.