Address IoT security risks before it is too late, urges report

Cyber crime defences are lagging behind IoT development, which could be disastrous for producers and consumers alike, warns Telefónica report

The internet of things (IoT) promises unprecedented levels of efficiency, automation and co-ordination, but it will fail if the security risks are not addressed early, a report warns.

Defence against cyber crime is lagging behind the pace of IoT development, with potentially dire consequences for producers and consumers alike, according to the report by Telefónica.

IoT presents significant opportunities for greater control over technology and access to information, but needs to be trusted and secured if it is to realise that potential, the report said.

“Privacy and security need to be raised the moment there is mass, normalised consumption,” said Chema Alonso, global head of security at Telefónica and one of the report’s contributors.

“Let’s not commit the same mistakes of the past,” he wrote in the foreword to the report, which is entitled: Scope, scale and risk like never before: securing the internet of things.

Attackers see “a host of new opportunities” in the IoT, and although IoT devices have limited resources, the challenge needs to be met to ensure security is not sacrificed, said Alonso.

“Let’s understand the problem before it is too late, and guarantee we are able to offer a complete protection plan, taking advantage of all the knowledge that has been developed,” he wrote.

The weak links

In a briefing on the report, Alonso said attackers typically search for the weakest link. “We have sometimes found that the weakest link in an organisation is the air-conditioning system that is connected to the internet with a public IP address,” he said.

At the recent Enigma security conference in San Francisco, US National Security Agency hacking unit boss Rob Joyce singled out heating and cooling systems as examples of internet-connected devices that offer national-level hackers a route into organisations that computer network administrators often overlook, according to MIT Technology Review.

He said that the poor security of IoT devices and systems is one of his primary concerns when it comes to the safety of US networks.

Alonso said shadow IT is already a big problem in the enterprise, and he predicts that “shadow IoT” will also become a big problem if enterprises do not build or buy in the capacity to monitor and analyse all devices and services connecting to the corporate network.

Put security first

Security typically follows innovation, said Andrey Nikishin, special project director, future technology, Kaspersky Lab.

However, he said some developers of smart grid systems understand that, in that context, security should come first or at least be delivered along with innovation.

Nikishin, a co-contributor to the report, said the “security first” approach emerging in the energy sector should be followed in the development of IoT devices and services to ensure that security is built in from the start. “Without security, the consequences will be bad,” he said.

John Moor, director of the IoT Security Foundation and co-contributor to the report, believes the sheer scale of the networks created by IoT devices causes complexity and compounds the challenge.

“There’s lots of focus on the innovation opportunities around IoT. However, there has been relatively little on its dark underbelly to date,” he said. “If we are not careful we could be sleepwalking into a lot of problems, some of which may not have been seen before.”

The report advocates a three-pronged approach based on common standards for IoT software and deployment, consistent dialogue between developers and operators, and a comprehensive understanding of cyber security in the context of IoT to mitigate IoT-related risks and threats.

As organisations build IoT technologies into their networks, the report recommends first examining whether the potential benefits will outweigh the risks, whether the network is protected with updated security controls, whether the IoT developer has a good security track record, and whether the data collected is being stored securely.

“If we consider these concerns, we can welcome IoT innovation while maintaining our ability to respond quickly if our cyber security is threatened,” the report said.

Alonso, who is also the head of ElevenPaths, Telefónica’s cyber security unit, said IoT security is not just about the privacy of personal data or the security of individuals’ digital identities.

“In the next few years our lives will be surrounded by devices connected to the internet that will digitalise every step we take, convert our daily activities into information, distribute any interaction throughout the network and interact with us according to this information.

“Never before has what we do in our physical lives been closer to the digital world. It is precisely the blurring of the line between the digital world and the real world that represents the changes introduced by the IoT.

“The future of IoT is unwritten, but only through collaboration and insight can we achieve a secure foundation.”

The report was developed by Telefónica’s cyber security and IoT divisions in association with a range of partner organisations operating in the field of cyber security.

These partners include the Inter-American Committee against Terrorism (CICTE), NMI, the University of Cantabria, Kaspersky Lab, Sigfox and Intel Iberia.
