Multi-layer approach to IoT security needed

Experts say physical security, encryption and tokenisation can enhance the security of connected things

The internet of things (IoT) may have spurred innovation and unlocked revenue opportunities for many organisations, but the security of the technology remains a key concern among senior business leaders.

According to the Internet of things business index 2017 report by the Economist Intelligence Unit (EIU), 26% of 825 respondents globally cited security and privacy as one of the top obstacles to IoT deployments.

The high cost of investing in IoT infrastructure – cited by 29% of respondents – remains the top bugbear.

The EIU said in its report that security concerns are likely to have been “exacerbated by several cyber attacks in the US in late October 2016 that caused major issues for users of internet services, including Twitter and Spotify”.

The two popular internet services were victims of distributed denial of service (DDoS) attacks on Dyn, the DNS service provider that they and other internet companies rely on to resolve their domain names to IP addresses.

The source of the attacks was traced to networks of compromised IoT devices, such as baby monitors, thrusting IoT security into the spotlight.

Responding to concerns over IoT security at a Seagate IoT event in Singapore, Hugh Ujhazy, IDC Asia-Pacific’s associate vice-president of IoT and telecoms, highlighted the need to put in place multiple layers of security to ensure a level of trust in IoT systems.

“We’re reintroducing concepts of physical security at the end-points – you could use accelerometers, so if the devices have been moved from where they are supposed to be, you know something is wrong,” said Ujhazy.

Ujhazy said organisations can also encrypt data at-rest and in-transit, as well as constantly profile the connection between an IoT device and its gateway to pick up any anomalies, such as the volume of data transmitted.

“A connected water bottle shouldn’t be giving me 25MB of data – it should only give me 200 bytes,” he said.

Tobias Puehse, vice-president of innovation management, digital payments and labs at Mastercard Asia-Pacific, noted that tokenisation services, which create tokens to enable specific uses and transactions, can also play a part in bolstering IoT security.

“Tokenisation is already used in payment services such as Apple Pay, Samsung Pay and Android Pay,” he said, adding that tokens, along with tokenisation standards, will help to secure IoT devices, which have a higher chance of being compromised as compared with networks.

Kwong Dim-Lee, executive director at the Institute for Infocomm Research, an organisation under Singapore’s Agency for Science, Technology and Research (A*Star), said a multi-layer approach to IoT security is here to stay until quantum technology, which can provide higher levels of security than what is available today, becomes more widespread.

Ujhazy noted that while IoT security remains an ongoing discussion in the industry, one thing is clear – that is, “the old moat and castle wall defence is not going to work”.

Quocirca analyst and director Bob Tarzey recently wrote in Computer Weekly about the need to orchestrate between different IT security tools to fend off sophisticated threats.

“Such orchestration enables the enforcement of unified network security policy addressing both traditional and IoT devices. Security information and event management and/or operational intelligence tools have a role to play here,” he wrote.

With the rise in the number of IoT devices, technology research firm Gartner expects more than 25% of cyber attacks on enterprises will involve IoT by 2020. That said, IoT will account for less than 10% of IT security budgets.

Specifically in Southeast Asia, organisations are generally not prioritising IoT security due to internal security cultures and the prevalence of ad-hoc security systems.

“Security suppliers will be challenged to provide usable IoT security features because of the limited assigned budgets for IoT and the decentralised approach to early IoT implementations in organisations,” Gartner said.
