If you think about it, “smart” devices are having an increasingly significant impact on our lives, whether it’s a cellular phone or tablet, a wearable health monitor, or a series of in-home devices used to make life easier, more efficient, safer, and healthier. All these billions of smart devices and sensors comprise the growing Internet of Things (IoT). The reason IoT data security is such a hot topic is that there are only going to be more and more of these devices at the consumer, commercial, and government levels, collecting data and being interconnected. And where there is data and connectivity, there is potential for trouble. For example, HVAC IoT devices in your house communicating over Zigbee transmit numerous data points to a WiMAX network provided by your city, all feeding to local utility companies. This is fantastic for the environment and for ensuring houses are running as efficiently as possible, while aiding in understanding energy requirements for communities. However, what happens when these devices are breached by hackers and used to simultaneously turn on thousands of HVAC systems, causing a spike in electric utilization and resulting in rolling black-outs?
What are the risk points for securing IoT sensor data? How do you deploy and manage IoT devices while maintaining compliance with existing security standards and regulations? In this two-part blog series, we will dive into why securing IoT sensor data has the attention of cybersecurity teams worldwide.
IoT Creates a Vast Multi-Point Attack Surface
Now, consider a multi-point cyber-attack combined with a full-on foreign military attack whereby our electric grids are completely out due to a cyber-attack and our armed forces cannot respond because there’s no electricity and we have no understanding of what’s happening — until it’s too late. Sound familiar? Does Pearl Harbor ring a bell? This is a reality in our world today, and it is exactly how our foreign enemies are thinking when it comes to any type of attack — our connected devices are an “Achilles heel” of the United States of America.
Is There Any Privacy with In-Home Devices?
In a more personal example, did you know that if you have an Amazon Echo or Google Home, these devices are listening and recording your conversations, and in some cases activities, all the time? Think about it: when you prompt these devices, they know exactly what you’re asking them – including context – because they are always listening. There have already been cases where these device recordings have been used against people speaking in a house — without them realizing they were being recorded. The invasiveness of these proliferating devices is enough to be concerned about in one sense, but adding multiple devices that track just about every aspect of our existence becomes disconcerting, to say the least.
What Are the Risk Points of IoT Sensor Data?
The risk points to IoT sensor data, as previously explained, come in both large scale and micro formats. Sensitive information about countries, companies, or individuals collected and transmitted by IoT devices is already being used in multiple nefarious ways. Because of the rapid growth of IoT and the lack of standards and regulations, many IoT device manufacturers are not using due diligence to ensure the data they are collecting and using is secured appropriately.
Security by Design Provides Compliance Pathway
Having limited control over the source and nature of the IoT software and hardware being deployed, how do organizations remain compliant with existing PCI and HIPAA requirements and the new GDPR regulations? A first step is to follow the principles of “security by design”. With the appropriate internal security-by-design requirements for adopting software and hardware elements, companies can implement policies and technologies that help ensure that sensitive data collected and used by IoT devices is secured appropriately. With the understanding that data security and privacy need not disrupt a company’s ability to generate revenue, executives must also realize that they absolutely cannot put data managed by their IoT and business systems — especially customer personal data — at risk by using poorly developed hardware and software solutions. Reference any one of the 1,500+ companies who experienced a data breach in 2017, and you’ll get a solid statement that they all wished they had performed more due diligence in testing the security of the breached hardware and software elements they were using.
IoT Healthcare Devices Have Security Weaknesses
The healthcare device sector has major security challenges with the vast number of data-collecting devices being deployed. Which devices do you trust? At this point, I don’t know that there is a device that I would personally use or trust outside of those that collect seemingly meaningless data. For example, I will use a FitBit because the data it collects — sleep patterns, heart rate, diet, and weight — deals very much with my personal health, yet it is data I don’t mind sharing. Meaningful data that I am not willing to share are the medications I am taking or the treatments I am undergoing, as this can lead to an understanding of my health liabilities.
IoT Gateways and Communication Channels Are Vulnerable Too
Some IoT devices act as a communication interchange layer (gateways) between endpoints like cloud services, internal/external networks, and other devices. Securing data in transit is generally guided by secure protocols like Transport Layer Security (TLS), using encryption to protect data while it traverses secured communication channels. Be aware, therefore, that IoT devices and gateway software that cannot be updated to leverage the latest secure protocols should be avoided. For example, TLS supersedes Secure Sockets Layer (SSL), which had become vulnerable to attack. If deployed IoT devices could not be upgraded to use TLS, they would be vulnerable to attack and the data being transmitted could be intercepted.
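To make the gateway point concrete, here is an added example (not code from the original post or from TokenEx) using Python’s standard `ssl` module: a weak gateway context that accepts whatever protocol floor the library allows, beside a hardened one pinned to TLS 1.2 and above, an audit that lists which protocol versions each context still permits, and a review of a constructed device inventory that flags devices which cannot reach the required version. The inventory, device names, and the "update firmware" / "replace" verdicts are assumptions for illustration.

```python
import ssl

# Named protocol versions, oldest to newest, using ssl.TLSVersion values.
_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions a gateway should refuse


def legacy_gateway_context() -> ssl.SSLContext:
    """Weak setting: accept the lowest version the linked OpenSSL supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_gateway_context() -> ssl.SSLContext:
    """Corrected setting: TLS 1.2 or newer only, no TLS-level compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report the versions the context's configured policy allows.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean 'whatever the library
    permits', so they are mapped to the oldest/newest named version here;
    this reflects configured policy, not what the library was built with.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    allowed = [name for name, v in _VERSIONS if lo <= v <= hi]
    legacy = [name for name in allowed if name in LEGACY]
    return {"allowed": allowed, "legacy": legacy, "compliant": not legacy}


# Constructed inventory: device -> (newest protocol it speaks, updatable?)
FLEET = {
    "thermostat-01": ("TLSv1.2", True),
    "meter-gw-07": ("SSLv3", False),
    "sensor-hub-3": ("TLSv1", True),
}


def fleet_review(fleet: dict, required: str = "TLSv1.2") -> dict:
    """Flag devices that cannot meet the required protocol version."""
    order = [name for name, _ in _VERSIONS]
    verdicts = {}
    for dev, (best, updatable) in fleet.items():
        if order.index(best) >= order.index(required):
            verdicts[dev] = "ok"
        else:
            verdicts[dev] = "update firmware" if updatable else "replace"
    return verdicts
```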
Part 2 – Securing IoT Devices
In an upcoming part 2 on this blog topic, we will discuss preserving the integrity of IoT devices, what security controls should be used to secure endpoints, and lastly, what type of oversight should be provided for professional services providers that will be hired by organizations who have limited internal resources for risk assessment, testing, and technology implementation. Stay tuned, the devices are listening.
TokenEx is the industry-leading Data Protection Platform. Our tokenization, encryption, and data vaulting platform is protecting sensitive data for enterprise organizations worldwide. Follow us on Twitter and LinkedIn.