Internet of things cannot be about products alone, warn experts

The UK technology industry has welcomed government support for the internet of things, but warns that security and infrastructure cannot be overlooked.

The UK technology industry has welcomed government support for work on devices that communicate over the internet, but warned that security and infrastructure cannot be overlooked.

At the weekend, prime minister David Cameron announced an additional £45m funding for the development of internet of things (IoT) technology at the CeBIT technology show in Germany.

This takes government funding for IoT technology to £73m as part of efforts to make the UK a world leader in digital technology.

But while there is agreement on the potential benefits of IoT technology, information security and networking experts have called for more details of how this funding will be allocated.

“For the benefits of IoT technology to be fully realised, we also need to ensure that our core infrastructure is equally advanced,” said Joy Gardham, regional director EMEA West for networking firm Brocade.

“We need to ensure that our core infrastructure is able to cope with the massive increase in traffic volumes that this increased connectivity will bring.

“It is vital that we do not just focus on software and applications without making sure we have the right networking foundations in place as well,” said Gardham.

IoT privacy and security concerns

Despite the projected benefits of IoT technology, it has also raised privacy and security concerns as cyber criminals increasingly target the channels and devices through which sensitive data flows.

Information security professionals have said the government’s vote of confidence for technology of the future needs to be balanced with a commitment to securing the internet of things, rather than just developing new products.

While they agree that the government funding is a huge opportunity for the UK technology industry, they believe that ongoing success is dependent on companies ensuring they can keep both personal and commercial data safe, and building security and privacy into products from the start.

“The benefits that these intelligent, connected devices bring to our lives are almost too numerous to count. However, when we gift these things with intelligence and senses, we also fundamentally change their very nature,” said Marc Rogers, principal security researcher at Lookout.

“Mundane objects, once familiar in appearance and completely unremarkable from a security perspective, suddenly become the guardians of sensitive data, ranging from sensitive financial information to detailed telemetry about personal aspects of our lives,” he said.

Security is definitely a concern, said independent security analyst Graham Cluley. “We need to recognise that the producers of these connected household appliances are not likely to be deeply entrenched in information security,” he told Computer Weekly.

According to Rogers, connected devices need to be treated like software when it comes to security.

“Just like forward-thinking software companies – Microsoft, Google and Facebook – companies making connected devices need to partner with the security industry to find flaws in the system during and post development to make the products more secure,” he said.

Security must be embedded in product development

Information security professionals are calling for security and privacy to be baked into these products from the ground up.

“As soon as work begins on designing the product and its supporting services, someone should be responsible for considering what the risks are and how best to address them. Security should be part of the design process,” said Rogers.

As soon as work begins on designing the product and its supporting services, someone should be responsible for considering what the risks are and how best to address them. Security should be part of the design process

Marc Rogers, Lookout

“Good design will take these areas into consideration and ensure the appropriate controls are put in place to support the expected normal use – while prohibiting unexpected or malicious exploits,” he said.

Producers of devices that make use of IoT technology need to recognise that security needs to be at the top of design requirements, said Cluley.

“To produce such devices without paying proper attention to security could backfire when users realise they are leaking personal information,” he said.

In announcing the additional funding for IoT technologies, the prime minister made no reference to security or infrastructure, highlighting only the broad benefits of internet-enabled devices.

"I see the internet of things as a huge transformative development – a way of boosting productivity, keeping us healthier, making transport more efficient, reducing energy needs, tackling climate change," said Cameron.

Research firm Gartner predicts nearly 26 billion devices will be connected to the internet of things by 2020.

The UK government’s chief scientific advisor, Mark Walport, is to carry out a review into how these new technologies can be best exploited. It is not yet known if security will be part of this review.

“Security needs to be part of the checklist when government considers awarding development funding to technology companies,” said Cluley. “Consumers need to be assured that their privacy is being taken seriously.”

However, a minimum security standard is probably not a good idea, he said. “Setting rules and regulations around minimum security requirements is likely to stifle innovation because manufacturers will aim no higher than that minimum.”

Cluley would prefer to see manufacturers responding to market demands for security and privacy. “This should be enough motivation, although I would also expect to see manufacturers meeting the security requirements of standards like the PCI DSS [payment card industry data security standard],” he said.

Read more on Privacy and data protection