Is IoT Driving Without a Seatbelt?

Finding harmony between the functionality, size, and security of IoT devices has proven to be a major hurdle. It will require a joint effort between consumers, industry, and state and federal governments, to solve the problem.

457
Image of a car with a seat belt sign

Securing the Internet of Things (IoT) has been slow going, and it’s putting user privacy and personal security at risk.  The subject of IoT security has gained a lot of visibility over the last few years. We’re wondering whether the industry is doing more than consumers to enhance security.  Moreover, consumers don’t seem all that interested in understanding how to protect themselves. What more can be done? In this article, we’ll attempt to pull together all the highlights of our research into these points.  We’ll be talking about:

  1. Problems in recent years
  2. Why we think security isn’t currently the highest priority for IoT makers but should be
  3. Whether secure IoT is even possible to obtain
  4. Lastly, some suggestions as to what businesses and consumers can do today

IoT Providers Should Learn from History

In the 1930’s, United States physicians began installing makeshift safety belts in their own cars as a result of vehicle-related deaths and injuries that physicians witnessed all too often. Over the following decades, there was a great deal of innovation in automotive safety. It wasn’t until 1968 when the first federal automotive safety law took effect. It required all motor vehicles (except buses) to be manufactured and equipped with seatbelts. For many people, the basic understanding that a seatbelt could save their life was enough to justify wearing one.

Despite the statistics, many people continued to ride in cars without securing their safety belts. Recognizing that a simple measure was being ignored by many passengers, it took several more years for US states to pass laws that actually require passengers to wear seatbelts or risk fines. Why did it take both the industry and consumers so long to adopt this simple security feature? Years from now, will this same question be posed about the current state of IoT security?

Like 1930s Physicians, We’re Aware of the Problem

As early as 2014, Target Corporation was dealing with the fallout from a hacker that had gained access to their network remotely (via the HVAC system: a connected device). This breach alone compromised thousands of cardholder records. Security of IoT devices garnered additional attention in late 2016 when the Mirai botnet was discovered to have infected what experts estimated to be hundreds of thousands of connected devices. The malicious code was used to launch distributed denial of service (DDoS) attacks on various targets causing widespread disruption. Another unsettling fact reported by Symantec in their 2017 Internet Security Threat Report, is that the average time to hack a connected device was only two minutes. For a career cyber criminal, this isn’t much of a barrier to overcome. Ultimately, the concern for device security isn’t merely about the user/device that is infected but also the assets that are part of the larger network on which these devices depend. So, it’s no secret that IT security experts and professionals are concerned with the security of connected devices.

Experts estimate that a staggering number of devices will be connected through IoT systems within the next five years. According to Gartner Inc., the number of connected devices reached approximately 8.4 billion in 2017. They predict that the market will grow nearly threefold to 20.4 billion by 2020. Perhaps the only fact more surprising than the number of connected devices is the number of unsecured connected devices.

Consumer and industry demands are driving the need for enhanced functionality and user experience. In keeping with the “instant gratification” appetite of today’s marketplace, consumers won’t wait. Simply put: gone are the days of making appliances or products that only deliver on their functional purpose. So at the same time that pressures mount on executives to drive change and innovation within their business to provide these products, IT professionals and security experts are faced with an equally alarming concern: how can companies keep up with the demand for smart devices while also being smart about security? In order to answer that question, it might help to outline some of the factors adding unwanted complexity to IoT security IoT:

  1. Non-tech companies being forced to compete in the technology space
  2. Shortage of IT and security professionals
  3. Variety of devices presents standardization challenges

In a time when a toaster that only toasts bread feels mildly archaic, it seems every company needs to be a tech company.

Given the previously mentioned dynamics, if a company is to remain relevant in today’s tech-driven economy, they must consider their role within the connected device world—even if they’re a traditional appliance manufacturer or non-tech company. Additionally, as if the pressure to bring the ‘smart’ aspect to their products wasn’t enough, tech companies are also finding ways to break into traditional product markets, only adding to the urgency non-tech companies feel to compete in the IoT arms race. This means that original equipment manufacturers (“OEMs”) or non-tech companies are handed the tall task of rapidly bringing innovations to market that not only meet the original intended use of the equipment but also satisfy the tech-savvy user.

The Rush to Get “Smart”

So what is a ‘non-tech’ company? For the purposes of this discussion, a non-tech company is one that produces or manufactures products or appliances that aren’t traditionally considered smart or connected (e.g. refrigerators, toilets, heating systems, medical devices, cars, etc.). On the other hand, a tech company is one that primarily produces or develops technology; think Google, Amazon, Microsoft, IBM, etc. Considering the significant amount of expertise, research, and development that are required to add connected components to a traditionally non-tech device, industry leaders are finding ways to stay in the game. Two common strategies that non-tech companies are employing to compete in the IoT space are merging with or acquiring tech companies, and partnering with tech companies in joint ventures.

The acquisition of tech companies by non-tech companies has seen an uptick. The New York Times, relying on Bloomberg data, reported that in 2016, “682 tech companies were purchased by a company in an industry other than technology, while 655 were acquired by tech companies.” Based on these figures, non-tech companies account for nearly half of tech company acquisitions. In 2017, General Motors made a bold move in order to compete with Tesla in the self-driving car market. They acquired Strobe, a relatively young company based out of California, that specializes in the development of driverless technologies.

Whirlpool is an example of an OEM that embarked on a joint venture in 2010 to connect their home appliances to the internet.  This strategic move allows consumers to control and monitor their appliances remotely via a smartphone. They did this by partnering with a tech company Prodea to help them build the connected portion.

It’s important to note that each strategy described above presents its own challenges in terms of security. With the acquisition of a tech provider, there’s still the responsibility to ensure proper funding for IoT security development. “Gartner predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets. Security vendors will be hard pressed to provide usable IoT security features because of the limited budgets for IoT and the decentralized approach to early IoT implementations in organizations. Vendors will focus too much on spotting vulnerabilities and exploits, rather than segmentation and other long-term means that better protect IoT.”

Outsourcing doesn’t absolve non-tech firms of their responsibilities either.  Careful plans should be made to determine who’s responsible for ensuring the secure design of products and subsequent support of devices. Insofar as a non-tech company outsources the software development piece to a third party, non-tech companies need to be responsible for a well-developed plan for security and sustainability. In essence, this requires them to be a tech company by proxy.

A Shallow Roster of Qualified Security Professionals

The impressive growth in demand for smart technologies is matched only by the growing deficit of personnel that possesses the skills to build those smart technologies securely. As reported by Sudashan Krishnamurthi of Cisco, “Many organizations are struggling to understand what skills are and will be required to allow for successful IoT implementations.” Additionally, according to ISC2, analysts believe that the security professional shortage will reach 1.5 million by 2020.

That isn’t to say that the IoT industry isn’t trying. In an attempt to remedy the lack of qualified professionals, leading security industry organizations are ramping up certification programs and training opportunities. For example, ISC2 has created the International Academic Program to support higher education institutions in developing security curriculum, along with the Center for Cyber Safety and Education, which has established scholarships to entice individuals to consider the cybersecurity field as an option. Additionally, ISC2 has highlighted the following suggestions for this issue:

  1. Offering more opportunities for internships and apprenticeships, and entry-level pathways for students post education.
  2. Reaching our youngest generation as tomorrow’s leaders start to formulate ideas about their futures. Integrating cybersecurity and information security into academic curricula.
  3. Opening up new sources of talent or expanding the use of existing talent pools that are still underutilized (e.g. community college students, women, returning service members, and minorities)
  4. Integrating tools and processes to optimize overall talent resources.

Paramount to the risks just described is the speed at which these products are being created and brought to market. As quoted in the Chicago Tribune, Colm Lennon, founder of Haka Products, “All of the roles in this connected Internet of Things space, they have to really work closely together if the company wants to innovate at great speed but also innovate with the intent of doing so to protect their customers, to protect themselves and to protect their partners.” As businesses strive to grow and change, their strategy needs to incorporate consumer protection over beating the competition to market.

One Size Doesn’t Fit All

There’s a range of devices and architectures and that presents a variety of security challenges. Connected devices perform various functions including processing, storing, and transmitting data; some do all three, others, only one. Additionally, IoT devices come in various shapes and sizes. A majority of devices are small and discrete. So why do function and size create security issues?

As noted by Dr. Nick Allot at the 2016 IoT Security Conference, a significant security challenge is dealing with constrained or low power devices that have difficulties supporting adequate encryption. The devices are small and processing capabilities are naturally limited. Finding the harmonious balance between device functionality, size, and security has proven to be one of the major hurdles for device developers and manufacturers.

Click To Tweet

Various types of architecture are available. However, according to a study published in the Journal of King Saud University, “the central issue of these architectures is the lack of full interoperability of interconnected things in abstraction level. This leads to invoke many proclaimed problems, such as: degraded smartness of high degree, less adaptability, limited anonymity, poor behavior of the system, reduced trust, privacy, and security. IoT architectures do pose several network oriented problems due to its limitation of homogeneity approach.” In short, there are many great “security by design” architectures, but making them work together is proving a challenge.

Security by Design Should Be Required

Regardless of the path that non-tech companies are taking to integrate connected devices into their product portfolios, one thing is certain: security must be at the forefront. While management across various industry sectors figures out how to incorporate IoT into future business plans, security professionals must develop and build consensus on standards. The trouble is that advanced global economies continue to grow through technology, and IoT device manufacturers don’t have a set of regulatory standards to ensure device security.

There’s much the IoT industry can start doing now to improve security outcomes. Best practices are being set forth by the industry, government, and SRO’s alike. Cloud provider— Google, Amazon, and Microsoft—all publicly boast IoT security best practices that guarantee secure infrastructure, encryption, authentication, timely patching, and protection from malicious activity. Some cloud providers even guide device makers through building with security in mind. They promote such standards as a patchable device design, encrypted data, no hard-coded passwords, no known security vulnerabilities, and the use of industry standard internet protocols.

Along the same lines, IoT security foundation (IOTSF) is a non-profit organization and has developed numerous guidance documents to address an IoT security framework checklist for device makers, the reporting and public announcements of vulnerabilities, and product and consumer security awareness support. IOTSF established the Best Practice User Mark which can be used by organizations that implement the compliance framework recommendations. Massachusetts and California senators drafted a bill in Oct. 2017 to ensure IoT devices meet certain cybersecurity requirements. A seal of approval may gain momentum similar to the ratings that are now required on video games. The anticipated outcome would be “[to] help consumers identify products that meet certain standards,” said Sen. Edward J. Markey. The benefit to having these seals or marks in place today is that they are helping to bring awareness to the consumers versus waiting for regulations to be put in place. In this way, the economy might drive protected devices faster.

The IoT Industry Can Enhance Security Compliance

Cloud and IoT network providers could unite to secure IoT systems. For example, consider how the payment brands (Visa, MasterCard, & American Express) created the Payment Card Industry Data Security Standards, which helped to reduce credit card fraud. The security standard protected credit card users while also saving card providers time, money, and brand damaging hacks.

Will cloud and IoT solutions providers like Google, Microsoft, and AT&T protect connected devices by enforcing security standards? It would be interesting to see the day when these providers ask device makers for their third-party audit security statement. To this end, third-party audit organizations will be needed more and more to independently review security due diligence.

Perhaps a quick win security best practice the industry can put in place today would be to update the internet protocols that connected devices use. As stated by Charles Sun of Computer World, “The moment we turn off IPv4, we will eliminate global cyberattacks and security threats based on the IPv4 stack.” Interestingly, this 2016 article shows the US government leading the way in the adoption of IPv6, which may force the solution. Governments have more at stake when protecting data than consumers. As such, governments are more in touch with security concerns. Not only will we be better protected with IPv6, but IPv6 is scalable to the future growth of connected devices. The FDA and NIST have published guidance for industry and international cybersecurity standardizations while the FTC is actively seeking and rewarding easy and user-friendly solutions that help to protect consumers with devices in their smart homes.

Click it or Ticket!

Some of the latest security issues with IoT medical devices don’t actually stem from the device itself. According to HealthcareITNews.com, “The most common types of Internet of Things medical devices security alerts originate from user practice issues, such as using embedded browsers on medical workstations to surf the web, conduct online chat or download content, accounting for 41 percent of all security alerts, according to a new study by ZingBox, an Internet of Things cybersecurity company.”

Consumers cannot yet rely on the industry to produce secure devices, but 90% of consumers lack confidence in securing their own devices. However, it’s worth mentioning a few things consumers can do. Recall that solving the automotive fatalities crisis in the 20th century required individual, industrial, state, and federal parties to unite around a common and simple solution: seatbelts. IoT devices are connected to your home network, and typically your smartphone or a hub maintains direct control over the home network. For this reason, you need to make sure to secure all three areas—smartphone, home network, and connected devices.

Secure Your Smartphone

  • Use strong passwords and lock screens
  • Use multifactor authentication where possible
  • Install security software
  • Any apps used to control devices need to be updated with the latest patches

Reinforce Your Home Network

  • Create a network from your connected devices on which to shop or bank online
  • Use an encrypted protocol when setting up your WiFi
  • Use routers that offer firewall protection
  • Use strong passwords and change the default username and password
  • Keep software up to date with the latest version

Fortify Your Connected Devices

  • Understand how the device works, its capabilities, and what data it transmits or stores
  • Determine whether the device needs to be connected to the Internet at all
  • Use strong and unique passwords for every device.
  • Sign up for notifications and install updates as soon as you receive them

Note: A guidance document has been published by the U.S. Department of Justice for consumers.

We hope that by now you understand that it’s possible to secure the Internet of Things. Security standards and protocols are slowly coming together. Accelerating the movement to secure IoT systems can be as simple as this:

Enhance Cybersecurity Education

  • Encourage younger generations to seek cybersecurity/information security-related careers
  • Require cybersecurity/information security curricula even in lower education levels
  • Speak out to promote consumer awareness

What Companies Can Do

  • Invest in hiring security professionals
  • Invest in security by design
  • Use trusted third parties and build transparent business relationships
  • Do more research and get on board with IOTSF
  • Support your government regulations

Should you happen to be in the IoT industry, we’d like to encourage you to have an open dialogue with your business to ensure security is at the forefront. And if you aren’t building IoT, but are using IoT, it is worth triple checking the security of your network and devices.

This article was written by Kelly Arnholt and Kristen Wilbur. Kelly is an Audit & Compliance Manager for Oracle Cloud SaaS Services leading a team who hosts third-party SOC, HIPAA, and PCI audits and has worked for Oracle for eight years. Kristen is a manager with Schellman & Company LLC, with over 8 years of experience in providing IT attestation and compliance services.