Security threats from the internet of things (IoT) have not yet reached wide public perception, according to Hanns Proenen, chief information security officer at GE Europe.
“Security professionals must look ahead for the early indicators,” he said at the 2015 European Identity & Cloud (EIC) conference in Munich.
Proenen believes public perception will change only when an IoT security weakness is exploited to carry out a destructive attack that has visible effects, such as taking a TV station off-air.
“European perception of IoT today is that it just collects data and the focus is on confidentiality,” he said.
However, Proenen believes that the important security issues with IoT will be about integrity and availability.
“We have already seen an example of potential integrity compromise that was discovered in a well-known German car brand,” he said.
Before the system was patched, security researchers found that no encryption was used and only the car’s chassis number was used as an identifier.
This meant the communications could be hijacked as there was no way the car could verify that it was connected to the car manufacturer and not a cyber criminal.
Proenen said researchers have also demonstrated that it is theoretically possible to hack and manipulate wireless communications between blood sugar level sensors and insulin pumps.
“This is an example of how an IoT security weakness could be exploited by hackers with lethal consequences,” he said.
Proenen said security professionals need to be on the lookout for indicators of IoT threats.
“Stuxnet was an early indicator that destructive cyber-enabled attacks are likely to become increasingly common,” he said.
Proenen said Stuxnet was the first public example of code being used as a weapon and there was a lot of debate about who created it.
“A much more interesting question is: who will do it again and what will they target?”
When it comes to IoT technologies, Proenen believes that information security professionals should be prepared for attacks exploiting security weaknesses.
“Just as every company should assume it will be attacked at some point, every organisation should accept that anything connected to the internet will be targeted,” he said.
For this reason, Proenen said CISOs must understand the effects of successful attacks so that when they come, whatever their source, the organisation is prepared.
“Prevent, detect and respond is still our job, but resilience is the key, which means it is also important to be able to contain attacks and reduce the time to recovery as much as possible,” he said.
Proenen believes CISOs, who understand security controls and their importance, should work with engineers to ensure IoT devices are secure by design and have built-in security controls.
He noted that his company has started a software centre in the US that is specifically focused on improving the security of embedded systems.