Connected Device Protection and IoT Security
The Internet of Things is here, bringing a whole new realm of possibilities to industry and individuals, and a whole new range of potential security threats. As stated in a Wind River white paper on IoT security, the rapid transition from closed networks to IoT-enabled devices presents an enormous challenge in protecting billions of devices from intrusions that could threaten public safety and compromise personal privacy.
According to the security firm Gemalto, enterprise security breaches occur at a rate of 13 per day, resulting in approximately 10 million records lost every day and 420,000 per hour. Security threats to our data systems have never been greater, and the challenge continues to grow as new IoT-enabled devices come to the market.
Types of IoT Security Threats and Protection
Internet of Things security threats can be classified into 3 major categories, and Gemalto recommends best practices to protect against each type of threat:
- Attacks against devices: IoT devices are attractive targets for attackers because of the inherent nature of their function. Security cameras, for example, can provide an attacker with valuable information about the security system in place in a particular location. ID certificates for IoT devices, issued by the manufacturer, can serve to facilitate authentication and establish identity.
- Attacks during communications: Attackers can intercept, monitor, and alter messages while they are being transmitted. The volume and sensitive nature of the data transmitted in the Internet of Things make this type of attack particularly dangerous. For protection, any sensitive data transmitted through the cloud and IoT devices should be encrypted to keep it from being intercepted, and stored sensitive data should also be encrypted.
- Attacks against a master: Every device or service in the Internet of Things has a master: the manufacturer, an IoT solution provider, or a cloud service provider. Attacks against masters have the greatest potential to cause harm, as masters are entrusted with large volumes of data, much of it extremely sensitive in nature. Additionally, the analytics represent a major strategic business asset for IoT providers, leaving them vulnerable to competition when exposed. Best practices to protect masters from attack include code signing with digital certificates for all software/firmware updates, and using SSL certificates (small data files that allow a secure connection from a web server to a browser) for all communications with devices in the field.
The Special Security Challenges of Protecting IoT Devices
There is no single control that can adequately protect an IoT device, and security issues must be addressed throughout the life cycle, from design to operations. The Wind River report indicates that this process should involve the following five practices:
- Secure booting
- Access control
- Authentication of the device
- Updates and patches
- Firewalling and IPS
While these are all familiar practices from the world of PCs, many of them are complicated by both the sheer number of IoT devices and the fact that many of them are being used in critical capacities that are difficult to interrupt (e.g., pacemakers or security systems). For example, with regard to the need to update and patch IoT devices, the report says the following:
“It’s one thing when Microsoft sends updates to Windows® users and ties up their laptops for 15 minutes. It’s quite another when thousands of devices in the field are performing critical functions or services and are dependent on security patches to protect against the inevitable vulnerability that escapes into the wild.”
In the current environment, although IoT security has become a top priority, data breaches occur at an alarming rate and millions of records are lost every day. If your company is dealing with the consequences of a data breach, McCuneWright LLP can provide the legal assistance you need. Our complex litigation attorneys have a history of success handling a wide range of complex business litigation matters. Contact our office to schedule a free consultation.