The word “IoT” (Internet of Things) has been a buzz word for several years. It has become the era when more home electronics and cars are connected to the Internet, and many businesses see great opportunities here. At the same time, as you already know, people have started asking whether those devices and cars are safe from online threats.
Eugene Kaspersky rephrased IoT as “Internet of Threats” in his interview by USA TODAY, Nov 2014. It corresponds with the comments by Chair Woman of Federal Communications Commission at CES 2015 in Las Vegas, also it’s truly the thing has no way out from cyber security aspect. No one has ever found the best solution to answer this BIG security issue, just like other typical cyber security issues we are facing now.
Actually, IoT has been recognized as a “New Market” with its huge potential. According to the article of FORBES on August 2015, Cisco stated its economic value would increase to $19 trillion by 2020, calling it “Internet of Everything”. Gartner estimates that IoT product/service suppliers will reach $300 billion revenue by 2020. IDC forecasts the market of IoT solutions will be expanded from $1.9 trillion in 2013 to $7.1 trillion in 2020, making it 3.7 times larger.
Gadgets which record personal biometric, health, and location information — such as globally-trending wearable devices — are also in the category of IoT. However, in terms of the degree, the risk they pose is not overwhelming.
Such devices are personal, but they are not consisting infrastructures for our lives and societies. In other words, you may effectively reduce the risk of data leakage on your own by stopping using a wearable device or a cloud service while you are working out. It’s totally up to you.
Hacking car washes & fitness bands, the future of the Internet of Things? Good #security review from @kaspersky https://t.co/2sNeGw0gei #IoT
— Tom Gillis (@_TomGillis) March 6, 2015
On the other hand, real IoT mostly consists of systems or services traditionally called “M2M” (Machine to Machine). Those are the ones closely integrated (or expected to be integrated) with environmental/social infrastructure, thus cybersecurity is as highly critical as critical infrastructure in question is.
For example, some of you might have heard about smart grids or microgrids. These are systems that manage the regional power consumption by balancing the electric power consumption at home and the electric power generation by wind/solar energy, or gas cogeneration systems. Smart meters are set to each home for this monitoring purpose. It is reported that Tokyo Electric Power Company has already installed thousands of smart meters. It would be possible to say that this is the very first step for deployment of smart grid in near future.
Then, what can cybercriminal do by abusing the mechanism? For example, reduce or increase payment by giving wrong data of power consumption and/or generation to a smart meter.
It’s not hard to discover other possible scenarios of attacks on critical infrastructure. By taking over traffic control systems, one can panic traffic, intentionally trigger a car accident, or even disrupt public transportation systems. Those might affect our daily lives and economy as well.
There used to be some list of service-disruptions causes including a bug/disorder in a software/system, or a natural disaster. Now, we have a cyberattack in the list.
How to deal with #IoT and #sybersecurity of critical infrastructure
Tweet
We need to learn from incidents, then implement much safer mechanisms to IoT systems that operated as parts of social/life infrastructures. To be more precise, operators and developers of IoT systems should ask following questions to themselves:
- Do I prioritize ease of use than security?
It is important to decrease usability for attackers in order to increase system security. Ease of use for users means the same to attackers. Last year, it was reported that webcams used with default state had posed privacy violation. The incident tells us that device makers should keep security in mind. Please don’t forget to encrypt data and communication.
- Do I believe that “read-only system is secure”?
It is not secure. Applications are running in the memory anyway, so an attacker can find the way of intrusion. Networking devices are usually developed with Linux OS, and it is known that Linux OS has a lot of exploitable vulnerabilities. Once an attacker hold a control of the device, he can hack into the entire IoT system.
- Do I believe that my devices will never be hijacked?
Any device is able to be hijacked. So, it’s highly important to monitor the health of the entire system, including connected nodes. It is also important to have any measure to detect anomalities with every node. Remember how Stuxnet penetrated into the Iranian facilities which should have been well-protected.
- Did I cut testing cost?
Penetration tests are very important. Tests should be carefully organized in accordance with your system’s security requirements. It is strongly recommended to implement these tests in your normal development process.
- Do I believe that security is not a requirement?
Security is one of the crucial requirements. Let’s think about it from the very start of planning/developing your system or service. Without sufficient security measures in place, IoT cannot be a part of secure life/social infrastructures.
If one’s answer for any of these questions is positive, it may become really big problem not only for the man or company itself, but also for lots of other people.