How to Secure IoT: THINK BEFORE ADOPTING
July 9th, 2014
Topics: Infrastructure, Internet of Things, Risk Management
It’s a well-known fact that in cyber security the defenders are forever lagging behind the hackers in finding the latest exploits and holes in networks and systems. Hackers have existed ever since the first computer, and the idea (and rewards) of beating the system has naturally attracted incredible talent and created a very active community. Says David Aitel, a former NSA programmer and founder of cyber security firm Immunity, “The best among us work on offense, and they do their best work when they aren’t apologizing for it.”
With each technology trend comes a plethora of new risks. Protecting corporate and personal computers is one thing, with many familiar products and practices that get the job done. But the flood of smart devices creates an unprecedented challenge. Designed for all aspects of everyday life, these items include apparel, smart thermostats, refrigerators, and other home appliances but often have little or no security features built in.
Tuck MBA fellow Mandakini Saroop ’14 noted that the internet of things extends far beyond the home. The industrial world has been quick to adopt connected devices, and on a far larger scale. The amount of sensitive information at risk makes these applications a huge target for professional hackers. Industrial sabotage is not out of the question, for example manipulating power plants to cause an outage.
So how do we go about managing these potential threats? It takes a top-down approach, starting with users carefully thinking about what exactly they need to connect to the web. As with any new trend, there are lots of “me too” products on the market that will prove to be little more than gimmicks in the coming years. Do we really need locks that automatically unlock based on a user’s proximity? Borrowing from the idea of “permissions” in computer applications, we must be careful not to give our possessions too much power! This is probably the easiest and most effective thing to do: simply taking the time to understand and evaluate before adopting new technology or devices.
Mandakini’s presentation (highlights in video below) also discussed streamlining and only purchasing from trusted vendors, thus completely avoiding intentionally devious devices. Another subcategory of security is in the software: building security into the application level. Ideas presented included:
- Secure handshake protocols between communicating devices
- Identity and access management
- Secure connection protocols between all devices
- Storing all identifiable information on servers instead of devices
To sum it up, securing the internet of things is really not anything close to a paradigm shift; it’s just applying the traditional principles of cyber security to an emerging space. Technology in this area has already shown great promise, but to utilize it we have to understand it and be proactive users.
Sources:
http://www.informationweek.com/strategic-cio/executive-insights-and-innovation/internet-of-things-done-wrong-stifles-innovation/a/d-id/1279157
http://www.businessweek.com/articles/2014-06-05/infiltrate-conference-draws-hackers-spies-to-miami-beach
http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden