Editor’s note: This is the first in a series of posts on IoT security. Keep an eye on the “Related Posts” column on the right for more.
Gartner estimates the mushrooming number of connected devices will reach more than 20 billion in 2020. Keeping these devices secure will present major challenges for Internet of Things (IoT) hardware and solution vendors in the years ahead. Here are some of the major IoT security trends to follow in 2018.
Security trend #1: The Identity of Things
Traditional identity and access management (IAM) systems were developed to identify humans, not machines. To cope with the connected IoT world, IAM leaders must extend identity management to encompass every entity in an IoT ecosystem: humans, devices, applications, and services. This extension of IAM is known as the Identity of Things (IDoT). It works by assigning each entity in an IoT deployment a unique identifier (UID) together with its own keys and credentials. Unique identities make it possible to authenticate, and therefore secure, communication between a device and a human, between two devices, between a device and an application or service, and between a human and an application or service. Device manufacturers and enterprises will also want to inject credentials into devices, ideally stored in tamper-resistant hardware, for operational control and secure updates. PKI, meaning a per-device key pair and certificate, is generally the best choice because any party that trusts the issuing authority can verify a device's certificate without the two sides ever sharing a secret.
This new approach is critical because the future scalability of IoT will depend on secure communications between different suppliers, service providers, and users. The Samsung ARTIK platform not only incorporates digital certificates to assure integrity of IoT entities but also enables additional digital certificates to be provisioned during manufacture and in the field.
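As an added example, not code from the original post or from the ARTIK platform, the Go program below models the Identity of Things flow described above using only the standard library's crypto/x509: a manufacturer root issues a factory identity certificate whose subject carries the unique device ID, a relying party verifies both the chain and the ID, and a fleet operator performs in-field provisioning by issuing its own short-lived operational certificate only after the factory identity checks out against the ID the device claims. The CA names, device IDs, serial numbers and lifetimes are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed signing authority. All CA names in this example are hypothetical.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert binds a fresh per-device key pair to the device's unique ID (subject CommonName)
// under the given CA. A real device would generate the key in its secure element and send only a CSR.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyDevice accepts cert only if it chains to root AND names the expected device.
// The chain check alone would let any legitimately issued device impersonate another.
func verifyDevice(cert, root *x509.Certificate, wantID string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if cert.Subject.CommonName != wantID {
		return fmt.Errorf("device ID mismatch: certificate says %q, expected %q", cert.Subject.CommonName, wantID)
	}
	return nil
}

// provisionOperational models in-field provisioning: the operator checks the factory identity
// against the claimed device ID and only then issues its own short-lived operational certificate.
func provisionOperational(identity, factoryRoot, opsCA *x509.Certificate, opsKey *ecdsa.PrivateKey, claimedID string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if err := verifyDevice(identity, factoryRoot, claimedID); err != nil {
		return nil, nil, fmt.Errorf("refusing to provision %q: %w", claimedID, err)
	}
	return issueDeviceCert(opsCA, opsKey, claimedID, serial, 30*24*time.Hour)
}

func main() {
	factoryRoot, factoryKey, err := newCA("Example Manufacturer Root")
	if err != nil {
		panic(err)
	}
	identity, _, err := issueDeviceCert(factoryRoot, factoryKey, "device-0001", 1001, 20*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("factory identity verifies:", verifyDevice(identity, factoryRoot, "device-0001") == nil)
	opsCA, opsKey, _ := newCA("Example Fleet Operator CA")
	_, _, err = provisionOperational(identity, factoryRoot, opsCA, opsKey, "device-0001", 5001)
	fmt.Println("in-field provisioning succeeded:", err == nil)
	rogueCA, rogueKey, _ := newCA("Rogue CA")
	forged, _, _ := issueDeviceCert(rogueCA, rogueKey, "device-0001", 1, time.Hour)
	fmt.Println("forged identity rejected:", verifyDevice(forged, factoryRoot, "device-0001") != nil)
}
```

Two points the prose glosses over are visible in the code: a valid chain is not an identity, so the device ID must be compared explicitly or any genuine device could claim to be any other; and the operational certificate is deliberately short-lived and issued by a different authority than the factory identity, so the long-lived identity is used only to bootstrap trust and a compromised operator CA does not taint the factory root.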
Security trend #2: IoT regulations
The exploding number of IoT devices is creating a correspondingly huge amount of data. Consider, for example, that smart buildings may generate 250 GB per day. Every autonomous car is expected to generate two petabytes (PB) or 2,000,000 GB of data each year. Smart utility metering systems have the potential to generate more than three exabytes (EB) or 3,000,000,000 GB of data each year. The volume of data affected by recent high-profile breaches such as the one at Equifax pales in comparison.
Governments have taken note. With so much data at risk, new regulations are being drafted to protect citizens' personal information from unauthorized access to IoT systems and the data they hold. Healthcare is one example: the use of internet-connected devices there is on the rise, and under the HITECH Act of 2009, which strengthened HIPAA's privacy and security enforcement, healthcare organizations face not just regulatory fines but also civil and criminal liability if they fail to protect patient data.
When it comes to privacy, the regulatory elephant in the room is the European Union (EU) and its General Data Protection Regulation (GDPR), which applies from 25 May 2018. GDPR aims to better protect the personal data of people in the EU and give them more control over how it is used. The penalties for non-compliance and for data breaches are harsh: the regulation allows fines of up to four percent of an organization's annual global turnover or up to 20 million euros, whichever is higher. Separately, the European Union Agency for Network and Information Security (ENISA) has published baseline security recommendations for IoT that cover how personal data collected through IoT devices should be handled and that call for continuous monitoring of IoT devices. ENISA is an advisory agency, so these recommendations are guidance rather than binding rules, but they are the yardstick regulators and auditors are likely to reach for.
The bottom line is that any company building IoT solutions or using IoT in its business, wherever it is located, should be aware of and ready to comply with privacy regimes such as GDPR and guidance such as ENISA's, or risk losing a major market. GDPR in particular applies to any organization that processes the personal data of people in the EU, not only to organizations based there.
A number of other government and industry initiatives may soon regulate IoT or promote guidelines for IoT best practices. For example, the Cloud Security Alliance (CSA) is working on guidelines covering security best practices for everything from drones to smart cities, and ENISA's baseline security recommendations are aimed at IoT devices in critical systems and infrastructure ranging from connected cars to factories.
Businesses harnessing IoT in this regulatory environment, especially where consumers' personal data is involved, will need a different and more secure approach to IoT data processing, analytics, storage, and distribution. If your IoT products and initiatives do not follow best practices for security assurance, your organization could be exposed to significant cyber liabilities.
Security trend #3: IoT ransomware and DDoS attacks
Cyberattacks generated some huge headlines in 2017. The WannaCry and NotPetya outbreaks, which spread as worms between unpatched Windows machines rather than through IoT devices, caused widespread disruption to organizations around the world and showed how fast self-propagating malware can move. In 2018, expect ransomware and distributed denial-of-service (DDoS) attacks that use IoT devices as the threat vector to become increasingly sophisticated, presenting a major problem for businesses and consumers. Billions of connected devices ship with little or no security, so they have little or no defense against attackers who want to take control of them, either to hold their data or functionality hostage or to flood servers and internet choke points with traffic.
Ransomware typically prevents users from accessing data on their devices until a ransom is paid. In the near future, ransomware could target the functionality of devices themselves, with potentially dangerous and devastating implications. For example, attackers could take control of the smart thermostats in a hotel and turn up the heat until rooms are uninhabitable. A smart home could be made to unlock, giving burglars easy access. Or a compromised smart car could be used to kidnap its riders.
Watch for DDoS attacks to get worse in 2018. The Mirai botnet of 2016, which took over roughly 300,000 internet-connected devices by logging in with factory-default telnet credentials and then knocked dozens of major websites offline by flooding the DNS provider Dyn, was a harbinger of things to come. Botnet kits are available on the dark web and give even the least-experienced attacker access to a global army of compromised IoT devices. It is therefore imperative that IoT device makers improve default security: unique per-device credentials instead of a shared factory password, no telnet or other unauthenticated management service reachable from the network, and a signed update path for shipping fixes, all of which make it far harder for a product to be turned into a botnet recruit.
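Because Mirai recruited devices by logging in over telnet with default credentials, a sudden fan-out of telnet connection attempts from one device is a useful early sign of a botnet recruit on your own network. As an added example, not taken from the original post, the Go program below runs that detection over a handful of constructed flow-log lines (the key=value line format, IP addresses and timestamps are invented for the example): it flags any source that reaches a configurable number of distinct destinations on ports 23 or 2323 within a sliding time window, and ignores a slow trickle spread over minutes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Flow is one connection attempt parsed from a flow-log line.
type Flow struct {
	TS    time.Time
	Src   string
	Dst   string
	DPort int
}

// parseFlow reads the constructed "ts=... src=... dst=... dport=..." line format used below.
func parseFlow(line string) (Flow, error) {
	var f Flow
	var ts string
	if _, err := fmt.Sscanf(line, "ts=%s src=%s dst=%s dport=%d", &ts, &f.Src, &f.Dst, &f.DPort); err != nil {
		return f, fmt.Errorf("malformed line %q: %w", line, err)
	}
	var err error
	if f.TS, err = time.Parse(time.RFC3339, ts); err != nil {
		return f, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return f, nil
}

// parseLog parses every line of a log and stops at the first malformed one.
func parseLog(text string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f, err := parseFlow(strings.TrimSpace(line))
		if err != nil {
			return nil, err
		}
		flows = append(flows, f)
	}
	return flows, nil
}

// telnetPorts are the ports Mirai-family scanners probe for factory-default logins.
var telnetPorts = map[int]bool{23: true, 2323: true}

// Alert reports a source whose telnet probes fanned out to Targets distinct hosts.
type Alert struct{ Src string; Targets int }

// detectTelnetScanners flags each source that reaches at least threshold distinct
// destinations on a telnet port within any window-length span of its own probes.
func detectTelnetScanners(flows []Flow, window time.Duration, threshold int) []Alert {
	bySrc := map[string][]Flow{}
	for _, f := range flows {
		if telnetPorts[f.DPort] {
			bySrc[f.Src] = append(bySrc[f.Src], f)
		}
	}
	var alerts []Alert
	for src, probes := range bySrc {
		sort.Slice(probes, func(i, j int) bool { return probes[i].TS.Before(probes[j].TS) })
		best := 0
		for i := range probes {
			distinct := map[string]bool{}
			for j := i; j < len(probes) && probes[j].TS.Sub(probes[i].TS) <= window; j++ {
				distinct[probes[j].Dst] = true
			}
			if len(distinct) > best {
				best = len(distinct)
			}
		}
		if best >= threshold {
			alerts = append(alerts, Alert{Src: src, Targets: best})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

// sampleLog is constructed for this example; none of it is real traffic.
// 192.168.1.20 fans out in two seconds; 192.168.1.25 probes one host per minute.
const sampleLog = `
ts=2018-01-15T10:00:00Z src=192.168.1.20 dst=203.0.113.1 dport=23
ts=2018-01-15T10:00:00Z src=192.168.1.20 dst=203.0.113.2 dport=2323
ts=2018-01-15T10:00:01Z src=192.168.1.20 dst=203.0.113.3 dport=23
ts=2018-01-15T10:00:02Z src=192.168.1.20 dst=203.0.113.4 dport=23
ts=2018-01-15T10:00:00Z src=192.168.1.25 dst=203.0.113.7 dport=23
ts=2018-01-15T10:01:00Z src=192.168.1.25 dst=203.0.113.8 dport=23
ts=2018-01-15T10:02:00Z src=192.168.1.25 dst=203.0.113.9 dport=23
ts=2018-01-15T10:03:00Z src=192.168.1.25 dst=203.0.113.10 dport=23
`

func main() {
	flows, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range detectTelnetScanners(flows, 10*time.Second, 4) {
		fmt.Printf("ALERT: %s probed %d distinct hosts on telnet ports within 10s\n", a.Src, a.Targets)
	}
}
```

The window matters: widen it to an hour and the slow scanner is flagged too, so the threshold and window should be tuned to what the devices on a given segment legitimately do. On a network where nothing should be speaking telnet at all, the simpler rule "any outbound connection to port 23 or 2323" is both cheaper and stronger, and blocking those ports at the gateway removes the recruitment path altogether.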
It’s clear that strong security can no longer be a secondary priority in the design and development of successful IoT products and services. Hardware and solutions vendors must add security resources and expertise to their development teams or consider developing on an IoT platform such as Samsung ARTIK which integrates security features across hardware, software, and cloud. Secure platforms such as ARTIK allow innovators to focus on creating the products which will make all our lives safer and smarter.