The Internet of today, what some are calling the Internet of Things (IoT), is a network enabled by embedded computers, unobtrusive sensors, worldwide systems, and big-data analytic environments. These systems, sensors, and devices are communicating amongst themselves and feeding a ubiquitous network seamlessly integrated with our lives.
While the efficiencies and insights gained through the deployment of this massive interconnected system will bring new benefits, it could also bring new risk. Experience shows us that when everything is connected, everything is vulnerable.
In fact, this approach to creating systems of systems is not new. The military has been connecting mobile command posts, unmanned vehicles, and wearable computers in the battle space for decades. These devices and systems are connected to a network that feeds into a common operating picture for the warfighter.
The expertise gained by companies creating these systems of systems for the military has provided a unique perspective on information security risks. As cyberthreats become more sophisticated and aggressive in this expanding IoT environment, four areas of concern will rise in importance. All organizations should:
1) Make sure information is reliable and systems are resilient. With the large amount of data generated by the IoT, a key question will be: “How do I know the data generated by this system is reliable?” Chief information security officers (CISOs) can find answers within information assurance strategies. Data can be encrypted with simple tools like Secure/Multipurpose Internet Mail Extensions (S/MIME) or more complex systems like Information Rights Management solutions.
Additionally, data separation and risk containment can be provided through virtual machine technology, database containers, and cross-domain solutions brought over from the military domain. Systems must be hardened, not just patched; unnecessary services and applications must be removed and the remaining software configured appropriately. Many systems built for the IoT, whether on the device side or the cloud side, are based on multipurpose operating systems and are left with many features running that create unnecessary exposure.
2) Keep pace with technology. With each new device that enters the IoT domain, new vulnerabilities and threats are introduced. A cyber adversary will not only have this new target with its vulnerabilities to exploit, but he will also have a new path from which to attack the other entities on your network. Companies will succeed in the IoT environment when they understand both the new opportunities gained from new devices in their business ecosystem and the new risks they take on, and preplan how best to manage them.
Security organizations should have a lab and do their research on new devices to understand not just how to use a device, but also what is embedded in the device; what data is generated and transmitted; where the device transmits its data; and what connections it will accept from other devices in an environment, among a host of other concerns. Most importantly, if adversaries have access to the sensors and data generated by this device, including the personal devices users are bringing into the building, organizations must know, and prepare for, the advantages that access would give those adversaries.
3) Focus on the insider threat. The IoT is about connections among devices, the masses of data generated by sensors, cloud processing and storage, and automated actuators. Threats to this environment may be slowed by perimeter defenses, but security experts know the most dangerous threat is the one inside -- where the most serious damage can be done. The Target, WikiLeaks, and Snowden breaches are evidence of this damage, particularly regarding financial costs and loss of trust. The Target example is all about the IoT, whereby adversaries were able to penetrate the point-of-sale (POS) devices by first entering through a heating, ventilation, and air conditioning controller. As a result, banks and credit unions lost more than $200 million, according to the Consumer Bankers Association.
In this new environment, it’s critical for companies to have insider-focused security and continuous monitoring solutions that can detect anomalies and unauthorized privileged-user activity, and determine when information has been accessed inappropriately. These must be behavioral analytics, not just simple rules and policies.
4) Embrace (big and community) data analytics to minimize cyberthreats. The IoT will generate more data as new devices and systems are added to the ecosystem. Innovations in analytics will drive not just efficient processes but also new ways to detect threats. For example, successful data analytics programs apply algorithms that automatically identify areas of cyber security interest in large volumes of data. In this new ecosystem, analytics will hold the key to predicting threats before they happen.
The IoT has moved from the military to everyday life, allowing us to create and process more data than ever before on everything from the products we buy, to critical power and water, to how we drive on the highway. Making sure this system of systems is secure will help us ensure the IoT delivers its promise of convenience and efficiency.