
IoT not necessarily a security disaster, says Maersk CISO

A growing focus on the internet of things means there is hope that it will not be a security threat, says Maersk CISO

The internet of things (IoT) presents enormous business benefits, but the security risks need to be recognised and avoided, according to Andy Jones, chief information security officer at Maersk UK.

“Some estimates put the number of IoT devices at one trillion by 2025, but it is unlikely that we will ever be able to patch all of them,” he told the (ISC)2 Security Congress, Europe, the Middle-East and Africa 2015 in Munich.

But that does not mean companies such as Maersk cannot benefit from IoT. In fact, Maersk has one of the largest deployments of industrial IoT, said Jones.

The shipping company uses IoT to ensure its refrigerated containers all maintain the correct temperature.

“Maersk vessels typically carry 12,000 to 19,000 containers, and around 5,000 of those are usually refrigerated,” he said.

In the past, it took an engineer roughly two days to inspect all refrigerated containers on a vessel, but by fitting them with internet protocol-enabled sensors, the company can now monitor them all in real time.

Readings from the sensors are continually fed into Maersk’s monitoring systems via satellite link.

“This means that not only can engineers at sea identify any problems immediately, the shipments can also be monitored continually by Maersk’s land-based operations,” said Jones.

The problem arises, he said, where IoT systems are connected to something physical such as the braking or airbag systems of vehicles or the heating and cooling systems of buildings.  

The security challenges are many, said Jones, not only because of the difficulty in keeping all devices and software patched, but because the internet protocol (IP) used by IoT devices is inherently insecure.

“Combine this with the fact the internet does not have any form of service level agreement, that there are millions of devices in the hands of unsophisticated users, and that the internet is accessible worldwide, and you have the perfect storm,” he said.

However, Jones is optimistic. “This is an exciting time in IT, but it is important to remember that things should not be done just because they are possible.”

Instead, he advocates isolating IoT devices on the basis of risk. “Any risk assessment should include the criminal mindset and learn from past analogies,” he said.

The most powerful control, according to Jones, will be deciding whether or not to connect things to the internet, and he suggests anything that is safety-critical should not be connected on principle.

“IoT does not have to be a disaster, because there is a growing focus on this issue. Although we will never be able to patch one trillion ‘things’, there is hope,” he said.

Jones believes that industry-specific cyber security standards are just beginning to emerge and so we will see a lot more of that in the future.
