fotohansel - Fotolia

Cultural change a critical but neglected element of IoT security

Managing how people within an enterprise deal with data is a vital element of shoring up security around the internet of things, says Vodafone

Ensuring that employees know how to secure data, and controlling who can access what data at what time and from where, are critical elements of a fit-for-purpose internet of things (IoT) security posture that many enterprises may be missing in the rush to secure the network, according to mobile services supplier Vodafone.

In a new whitepaper Securing the internet of things, which uses statistics drawn from the Vodafone’s last annual IoT Barometer report, and although the stats are now over a year old, the narrative around IoT security has moved a long way since then, not least in the wake of the October 2016 distributed denial of service (DDoS) attack on Dyn, which was carried out by a botnet made up of compromised IoT devices.

Speaking to Computer Weekly in advance of the whitepaper release, Phil Skipper, Vodafone Global Enterprise head of M2M business development, said the Dyn attack had certainly helped to raise awareness of IoT security and brought more people to his door.

“For the industry, it was actually very helpful because people could see what the potential risk was and then ask what they could do about it,” he said. “We are trying to demystify what security means to people who have not done this before.”

However, Skipper said Vodafone’s enterprise IoT customers had actually dodged a bullet when it came to the Dyn attack because the devices involved were largely consumer products using unsecured, unmanaged connections to the public internet, something Vodafone does not offer.

Vodafone’s enterprise IoT service relies on a private network, which Skipper described as “not IoT running on a consumer network, but IoT on an IoT network”.

Each of its IoT SIMs is assigned a private, unpublished IP address that is not discoverable on the public internet, and by capturing the data traffic generated by these devices and routing it over a separate core network with standardised security built in back to a private cloud, Vodafone can effectively shield its customer IoT installations from external actors.

Additional strength is baked in by soldering SIMs into devices to make them harder to remove, and using tamper-resistant casings and hardened firmware configurations.

However, even the tightest-possible network security measures are not invulnerable to employee action, people who usually make entirely innocent mistakes, but may be acting maliciously.

Read more about IoT security

  • Research from analyst group Quocirca conducted in the UK and German-speaking regions exposes the challenges organisations face in managing and securing IoT devices.
  • US Republican and Democrat senators have proposed legislation seeking to address security vulnerabilities in IoT devices.

This means far more attention must be paid to the people who have access to IoT data it in different situations, and how to track and forensically audit that data, said Skipper.

“Securing devices is what everyone gets excited about – but people forget that data has to be shared according to rules and regulations,” he said.

One way in which human security gaps can be sealed is by paying more attention to what is happening within your technology supply chain, said Skipper. This can include controlling who is authorised to set up and enable an IoT device, where and when it is connected, and so on, to eliminate the possibility of a rogue actor gaining access to it. This could apply to a smart meter installation, for example, where it would be very easy for someone to hack a device to expose customer data, compared with a traditional energy meter.

“The IoT is really important and comes with its own security challenges, so you have to look at it holistically, especially from the angle of people, processes and privacy,” said Skipper.

He said this called for the sort of cultural change that could only be driven internally, and was not something Vodafone could do for its IoT customers. Rather, it was something that should flow naturally as part of a well-executed enterprise digitisation process, he added.

The whitepaper also covered an emerging skills gap around IoT security, with a notable lack of specialists in vertical expertise. This is extremely important in the IoT world because a connected car will have substantially different security needs to a temperature monitoring system, for example.

Vodafone is addressing this by making more use of analytical and predictive algorithms to detect anomalies in IoT data that may indicate an oncoming problem that can be fixed before it becomes a real-world issue.

The 2017 edition of the IoT Barometer report is set to be released this autumn. .............................................................................................................................................................................

Read more on Internet of Things (IoT)