SECURITY AND THE IOT
How to safely connect your business
In an increasingly connected world, the Internet of Things (IoT) is delivering business value and real-world benefits to individuals across the globe. From increasing physical safety to creating fundamental changes to how we build and consume products, the IoT is creating the data that unearths insights into better ways to work and live. Deploying IoT solutions effectively and successfully, however, means deploying them securely, fully aware of the need to provide data integrity and confidentiality as well as being resilient to cybersecurity risks.
We live in a world of connected devices, an Internet of Things. From the tablets on our coffee tables, to the electricity meters on our walls, to industrial control systems and smart building technology – it’s a world that’s full of opportunity. New organizations and services based on IoT and data analytics are constantly evolving, and established firms are adapting to new data-driven business models that drive efficiency and innovation for themselves and their customers.
In markets as diverse as healthcare, manufacturing, transport and the construction of smart buildings and smart cities, the IoT is enabling the development of products and services that would have been impossible just a few years ago.
Yet many businesses are still reluctant to adopt an IoT strategy and embrace the benefits. Concerns around how to implement a secure infrastructure and manage the associated costs, as well as reputational damage from recent high-profile cases of IoT hacking and data breaches, are holding back investment – leaving companies at risk of being out-competed by those who are moving ahead.
At the same time, end-users are increasingly aware of the consequences of poor security, and concerns about the level of digital protection offered by IoT innovations are growing - which could put people off new services. These concerns that could dangerously make them turn their back from new, convenient services. Already, research commissioned by Gemalto suggests that 90% of consumers lack confidence in the security of IoT devices.
These concerns are understandable. IoT solutions have to be well managed and care must be taken to design security into every single part of the whole. As more and more systems are connected together via the IoT, weak security in just one part can end up jeopardising the whole.
We see instances of this in the headlines all the time, where attackers compromise one seemingly innocuous device and gain access to far more critical systems and databases. But it doesn’t have to be this way. With a solid understanding of the fundamentals of IoT security and the right partnerships in place, risks can be mitigated and benefits gained.
The IOT: Driving digital transformation
There is an intrinsic relationship between IoT technologies and the digital strategies followed by successful companies. While this goes by many names - the fourth industrial revolution, Industry 4.0, digital transformation - they all describe new, agile working models underpinned by data.
“Digital transformation is important for companies,” explains Steffen Sorrell, a Principal Analyst at Juniper Research. “And digital transformation is about becoming ‘digital first’ and data-driven. The IoT is ultimately the provider of that data. Myriad devices provide mountains of information that businesses can leverage, analyse and act on. The digital transformation of these businesses involves first of all connecting devices, and then implementing the proper analytics that enable that data to become useful information that can add value.”
Myriad devices provide mountains of information that businesses can leverage, analyse and act on
The IoT isn’t something you can ignore. In a report commissioned by Gemalto and conducted by Vanson Bourne – The State of IoT Security – of those businesses that have deployed IoT solutions, 94% say that they are doing something different as a result of the data captured and insights gained.
Back to top
The IoT by numbers
Back to top
UniKey: Putting trust into smart locks
Orlando, Florida-based startup UniKey launched in 2010 with a simple proposition. It has built a smart lock and mobile key platform that is being used in homes, businesses and vehicles around the world. UniKey’s solution replaces traditional access control methods – such as a physical key or RFID-based card – with a Bluetooth-enabled smart mobile device, such as a phone.
The UniKey platform gives building or vehicle owners the ability to allow or deny access to users remotely. For end users, the convenience of using one device for multiple purposes is clear.
A key challenge has been overcoming the perception of an online lock being inherently less secure than a traditional one, says UniKey Founder and CEO, Phil Dumas.
“Security is only as good as its weakest link,” Dumas explains, “And our digital security is significantly harder to break than a physical key or an access card – or a window for that matter. We have a perceptual, rather than a technical challenge.”
Security is only as good as its weakest link... we have a perceptual, rather than a technical challenge
Building trust is important, Dumas says, and it is achieved through being irreproachable yourself and partnering with brands that uphold the security standards your customers expect. It works with Gemalto to protect data stored on the mobile device, and relies heavily on encryption for transfers to the cloud.
While the premise behind UniKey is simple, the applications of the technology have been varied and surprising, demonstrating just how one innovation leads to another.
“New technology can’t just be as good as the existing solution, we have to be better than a key and badge,” Dumas says, “We’ve seen people using data gathered through UniKey to maximise the use of shared space thanks to real-time knowledge of who is in a building, and tying UniKey into time and attendance systems.”
UniKey is already integrated with AI and voice control platforms such as Amazon Alexa, says Dumas, which will undoubtedly see more innovation as products are combined in the smart home.
“It’s Metcalfe’s Law,” Dumas says, “The value of these systems grows exponentially as more people come online. The more doors we connect, the more value will be created.”
The more doors we connect, the more value will be created
Smarter locks for secure access control: Phil Dumas, UniKey
Back to top
Overcoming security challenges in IoT
Despite the vast majority of business leaders agreeing on the importance of IoT, according to the Economist Intelligence Unit many also believe that adoption of the technology has been slower than expected. While some firms are racing ahead, others are still “watching and waiting”.
In Germany, for example, concerns have been raised about the slow rate of adoption in the country’s famous SME manufacturing community, the Mittelstand. A report by McKinsey found that Mittelstand firms were using just a tenth of their digital potential, risking slow growth and falling behind their global peers.
IoT Security costs and risks can be mitigated
“Companies may be putting off adopting an IoT strategy,” Juniper’s Sorrell says, “First of all because it is perceived as high cost, and secondly because it appears complex. Especially for SMEs, which are not familiar with ingesting mountains of data, performing analytics and protecting the devices that are supplying the data.”
Fears about the cost and complexity of IoT security have risen in the last two years, as awareness of the perils of poor implementation have become clearer. As Sorrell mentions, the Mirai and WannaCry attacks costed millions.
There’s no denying that IoT security is complex, but best practices for efficient risk assessment and mitigation are well understood by professionals in the field. One of the key tenets is that security must be a consideration at the very beginning of the design process, with the right expert knowledge brought in as early as possible – from outside the firm if necessary.
Not only does this approach lead to better security, the later the process of assessing, testing and hardening of IoT solutions is left, the more difficult and costly it is to get right. Worse yet, discovering critical weaknesses or poor contingency plans only after a breach has happened can be more costly still. This is especially true for small businesses. A recent report by Hiscox found that it takes small businesses longer to recover from cyberattack, which in turn means more disruption and loss of revenue.
Back to top
Five cyber attacks on the IoT
The Mirai malware infects IoT devices by attempting to log in using common credentials (such as admin/password). IoT devices ranging from routers to video cameras and digital video recorders have been found to be infected by Mirai, which can coordinate their use to create a botnet with millions of devices.
In 2016, Mirai-infected devices were used to launch the world’s first 1Tbps Direct Denial of Service (DDoS) attack on servers at the heart of internet services, successfully taking down parts of Amazon Web Services and its clients – which include Github, Netflix, Twitter and Airbnb.
Based in part on Mirai, Reaper first came to light at the end of 2017. Around 20-30,000 devices were found to have been compromised by Reaper, which can be used to launch crippling DDoS attacks.
Arbor Networks says that it thinks Reaper has been created for the “DDoS-for-hire” market, in which criminals can rent out botnets to attempt to take down websites that they disagree with. It costs just a few dollars to launch huge DDoS attacks capable of generating up to 300Gb/s.
Another malware that spreads and acts in a similar manner to Mirai, Satori is notable for two reasons. First, it doesn’t just spread via credential guessing, but has been found to target vulnerabilities in specifc ranges of WiFi routers.
Second, Satori has been discovered infecting smart processor architectures that were previously ignored by IoT malware, SuperH and ARC.
Triton has been designed specifically to target a type of popular Industrial Control System (ICS) manufactured by Schneider Electric, the Triconex. Triconex controllers are used in many industrial processes, including power generation, and Triton appears able to tamper with and even disable systems.
The vulnerable fish tank
One of the big challenges for IoT security is that compromised devices can be used to access other systems. In April, researchers from Darktrace revealed that they had discovered a sophisticated attack on an unnamed casino, in which hackers accessed a database of “high rollers” (i.e. big spenders) by accessing the network through a thermostat attached to a fishtank.
The importance of network segregation has never been more clear.
Back to top
Expert collaboration simplifies IoT deployments
Jihad Tiyara is the Vice President of Business Development and Partnerships at Dubai-based telecoms operator du. du is a key partner in the development of the smart city platform, Dubai Pulse, and is developing services for enabling IoT solutions on both its own platform and the municipal one.
The secret to security success, Tiyara says, is collaboration.
“As a telco,” Tiyara explains, “We’re used to operating in a world of standardization. But in IoT that’s not the case yet. Many devices still can’t talk to each other and there’s a shortage of skills when it comes to securing multiple endpoints, it’s really new territory. We are responsible for the security of the platforms and so we have to work with partners and external third parties, some from very niche areas.”
Tiyara doesn’t have the luxury of waiting to see what happens with security. The Dubai government has mandated that it will be fully paperless by the end of 2021, with a blockchain-based system used to secure all government service transactions on Dubai Pulse. It’s envisioned that sensors relating to transportation, environmental data gathering and more will be integrated as well, into a system that moves smoothly from data capture to analysis to open publishing.
“The beauty of being in Dubai is that we have to do this,” Tiyara says. “So our conversations can focus on how to do it securely.”
The secret to success is collaboration
Dr Sohail Munir is Smart Dubai’s Advisor on Emerging Technologies and Digital Transformation. He agrees that effective collaboration plays a key role.
“I don’t foresee that it will only be government departments that will be putting out these IoT devices and sensors for the smart city,” Munir says. “So partners will certainly have a very significant role in making the security happen. Those partners could be the technology providers and the device manufacturers and device providers, or they could be the end application developers. So this whole ecosystem has to come together.”
Smart Dubai is a grand project of huge ambition, but the lesson is relevant in any IoT deployment; security can only be achieved when everyone in the supply chain works together towards a common goal.
But that also means no one organisation should carry all the cost or manage the complexity by itself. Partnerships (and regulations stating who is responsible for what) could help to spread the burden.
IoT Jargon Buster
The proof of knowledge of a secret. Device authentication is used to provide secure access to a connected device and data it generates, only to authorized people and applications who can prove they know the secret.
IoT Jargon Buster
A network of computers or IoT devices that have been compromised by malware, which can be utilised for distributed computing tasks or to launch a DDoS attack.
IoT Jargon Buster
A digital ID document enabling a digital entity (IoT device, computer etc) to transfer data securely to authorised parties. X509 certificates are standard certificate formats usually signed by a trusted Certificate Authority (CA).
IoT Jargon Buster
Distributed Denial of Service: an attack that involves flooding a webserver with traffic in an attempt to overwhelm it and take it offline.
IoT Jargon Buster
The capacity to transform a message so it cannot be understood except by intended and authorized recipients
IoT Jargon Buster
Fourth Industrial Revolution/Industry 4.0
The digitization of traditional manufacturing techniques using new technology, such as 3D printing and bioengineering, and data analytics drawn from the IoT.
IoT Jargon Buster
Using IIoT data to anticipate failure in a mechanical system and intervene and repair before issues occur.
Back to top
Security by design: a foundation of trust for IoT deployments
Securing the IoT is not a radically new, complex set of ideas and principles. It’s an evolution of best practices that has been built up over many years in all areas of IT security. An IoT deployment should be approached by following the principles of security by design.
In a security by design approach (a straightforward methodology that ensures security is a key objective at all stages of product creation and implementation), it’s assumed that at some stage a connected device or system could be successfully attacked. So attention is given to analyzing the potential threats in order to ensure the right level of protection, at the point where it makes most sense.
Key to security by design in IoT is the need to build a reliable trust model for all elements connected to a network, in which a strong and private digital identity is given to any connected object. This is the basis for connected object authentication to external partners and secure data exchange, ensuring only authorized stakeholders can access a device and its data.
Regularly controling and issuing updates to a large number of devices spread in the field requires remote capabilities. If firmware has been corrupted or tampered with, or if device access seems compromised, action can be taken quickly, without costly service trucks. Building this in at design and manufacturing is critical for this process.
It also means making sure that a device only has access to the services that it needs, which can prevent an attack or malware infection spreading.
Most of all, though, security by design means thinking like an attacker, and layering defences in a way designed to protect data and devices even in the event of a breach. The approach emphasises encryption of all data, when it is stored – be it in the device, in a gateway or cloud platform - or when it is in motion on the network or on the way to the cloud. Encryption mechanism ensures data confidentiality and integrity, rendering stolen data useless and preventing data tampering.
building IoT security from the ground up: Steffen Sorrell, Juniper
Why IoT security lifecycle management is so important
Security by design also extends to planning for the lifecycle management of a product. This is key as a large majority of IoT devices are implemented to operate for long periods, sometimes exceeding 10 years. New cyber threats arise and IoT stakeholders come and go, so the need to ensure that there is a convenient and secure way to distribute important security updates, and to maintain remote controls of access credentials.
One of the challenges in industrial environments is that many legacy systems and operational technology (OT), such as automation controllers for heavy machinery or power generators, were designed without cybersecurity defences – because they were never envisioned to be online or accessed remotely. In too many circumstances, OT has been put at risk because internet connected devices have been integrated to the same networks, creating pathways for criminals and malwares to reach critical systems.
Security by design principles attempt to foresee such risks, and avoid unintended consequences.
IoT is already changing the way we are managing the manufacturing sector
The IoT security challenges for industry 4.0
Eric Prevost is the Global Head for Emerging Technologies and Industry 4.0 at Oracle. His work covers the implementation of IoT strategies within industrial organisations, also known as the Industrial IoT (IIoT).
“The main security constraints are how to make sure that nobody will be able to access the automation systems,” Prevost explains. “These systems are there to make sure that the industrial process is running well all the time and if there are issues in the communication between the automation system and the management of the manufacturing process, you have a big risk.”
Prevost is upbeat about the potential of IoT technology in industrial environments.
“IoT is already changing the way we are managing the manufacturing sector,” Prevost says. “It’s changing how we get information from the field, in ways that are more efficient and enable us to be more productive, and its changing the underlying business models by introducing a new way to interact with customers.”
What’s holding it back, however, is the capacity to deal with the data generated in a safe and secure manner.
Back to top
Protecting connected objects
Eric Prevost highlights three important areas for consideration in the security by design process.
End-to-end encryption for all communication between IoT devices, machines and back-office systems.
Protecting data at rest, both from illicit access and from being altered. If a bad actor can change data without being detected, they may be able to influence analytics and automated decisions made as a result.
Use strong authentication and identity management for all human interactions with IoT devices and data.
In IoT security, these principles form the three pillars of Confidentiality, Integrity and Availability (CIA).
Confidentiality means only allowing authorized people to access data and devices.
Integrity means being able to verify that data and devices have not been tampered with.
Availability means being able to reach data and devices and nominal IoT services all the time.
MANAGING SECURITY IN THE INDUSTRIAL IOT: Eric Prevost, Oracle
Back to top
Cellular IoT connectivity and security
As we see more standards emerging that are designed to facilitate IoT communications, security should be thought of during project deployment, to make sure the right security options are in place to support the chosen connectivity.
Many IoT developers and platforms are still choosing to deploy solutions over the cellular GSM network, though.
Every use case is different, says Oracle’s Prevost, but in many cases cellular networks are the best option. When deploying a solution in rural Africa, for example, there may be no alternative to a 3G network for carrying data.
For Evan Cummack, Principal Product Manager for Twilio, a global platform which simplifies the deployment and management of IoT devices across multiple territories, ‘the breadth, reliability and level of standardisation of cellular networks makes them perfect’ for deployment of global IoT solutions. Twilio has a vision of “One SIM, One API, Global Reach”.
Twilio’s network is used for many different purposes, from thermostats in affluent connected homes, to pay-as-you-go LPG ovens in developing markets.
Enabling a large number of diverse solutions means that security is taken seriously, but also treated efficiently. Twilio partners with Gemalto to build security directly into SIM cards using authentication certificates embedded into IoT devices during manufacturing.
The important thing is that you have to be able to trust your manufacturing partner
“We ship SIM cards with X 509 certificates already on-board,” Cummack says, “The certs can be used to authenticate a device against any web service, whether it’s a cloud interface on Azure or AWS or something in-house. The important thing is to bring trust and convenience to the manufacturing process. All the private keys live on the SIM itself and are non accessible by the end user nor the manufacturer. At the same time, device makers can identify unique devices as they come online for the first time.”
Embedding access credentials into IoT devices’ SIM cards or connectivity modules during manufacturing, enables secure authentication to future IoT partners and simplifies integration and enrolments with cloud platform providers. But this also eliminates the need for IoT device manufacturers, who are not security experts, to self-deploy a secure production line.
They can rest assured that their devices won’t be cloned by a potentially malevolent manufacturing supplier.
Back to top
IoT for smart cities
According to the United Nations, the majority of people already live in urban settlements – some 54.5% of us in 2016 – and by 2030 that figure will be closer to two-thirds. If we’re going to keep those cities habitable, and embrace sustainable ways of generating energy and getting around, we’re going to need IoT technologies to help.
Autonomous electric vehicles (EV), for example, will reduce pollution – a perennial public health concern – while real-time traffic data generated from sensors in vehicles and roads will help reduce congestion in built-up environments. EVs will also create a headache for energy suppliers, which need to balance demand for power with manageable loads on the grid. If an entire city population plugs in its runabouts at 5.30pm, the sudden surge will overwhelm infrastructure.
Likewise, investments in renewable energy are producing more efficient and diverse ways to generate power, which reduce reliance on fossil fuels. This means healthier spaces to live, with fewer greenhouse gas emissions. Its inherent unpredictability, however, creates more challenges for those who need to manage the flow of power to and from homes.
If we are to adopt these new technologies, then, we will need a better way of distributing power: one that can balance supply against demand, and store energy generated by renewables when necessary.
“Smart grids” with IoT connected devices in every meter, solar panel and car, will be required to ensure everyone’s lights stay on and cars are fully charged. Real time analytics based on thousands of points of data will help automate decision making around what energy is directed where in the future, unlocking new models for buying and selling energy to the grid for consumers at home.
If demand is high, prices will rise, encouraging more people to generate power or sell energy stored in batteries at home or in the office. Conversely, if supply is high, buildings could be programmed to automatically switch to grid power instead. The implications are only just being explored.
None of this, however, can happen without robust cybersecurity in everything connected to the smart grid. An attack on smart grid systems, for example, could plunge a city into darkness. Weak security in smart meters could result in fraud or privacy breaches. Fortunately, there are solutions available to protect the smart grids.
How to protect the smart grid
Michael John is a Senior Security Consultant for the European Network for Cyber Security (ENCS), an organization that focuses on improving the resilience of critical infrastructure against cyber attack.
“In electromobility,” John says, “we have to make sure charging stations don’t overload the grid. Utilities are preparing for this with ‘smart charging’, which adapts the rate based on availability and time of day. But that has to be secure: there’s a risk devices could be used to attack the grid or to attack customers.”
Security is a learning process, John says, and smart grids will take time to develop. They are, though, designed to operate for many years, so security lifecycle management is particularly key when it comes to smart grids.
“Years ago, security wasn’t high on the agenda,” John says, “But everyone now has a Chief Security Officer and project leads who take care of security for new projects. The challenge is that legacy systems weren’t interconnected, automation has to be introduced over time and new processes need to be in place to protect systems that were never designed to be secure.”
Likewise, John says, software protocols for secure communications across GSM, LTE and powerline networking have had to be developed, and his mission now is to educate industry about them.
Years ago, security wasn’t high on the agenda, but everyone now has a Chief Security Officer
Back to top
Getting the best out of Smart buildings
You can’t have smart cities without smart buildings, says Emmanuel Francois, President of the Smart Building Alliance (SBA). His organisation is working to develop best practice for integrating intelligent systems and services into buildings and city grids, including energy optimization, tools for assisted living, occupant services and more. The SBA has developed a framework, called Ready2Services (R2S) that helps designers and manufacturers create products and services that can interconnect securely.
“Security is a key element of the R2S standard,” Francois says, “It must apply to all elements in the supply chain: equipment, the network infrastructure and the processes.”
Within three to five years, Francois believes, all new buildings will integrate some form of smart technology because the benefits are so apparent. From reducing energy use to facility management, he foresees buildings that adapt to the environment and their inhabitants using IoT technology combined with Artificial Intelligence (AI).
“It will drastically impact the valorisation of the real estate industry.”
Within three to five years, all new buildings will integrate some form of smart technology
The benefits of smart cities
The ultimate goal for Smart Dubai, says Dr Sohail Munir, is happiness. The plan is to make Dubai the happiest place on Earth, because government services will respond to citizen needs, rather than the other way around. Smart IDs and contracting will ultimately enable people to move house and provision new utility services quickly and seamlessly, for example, and the authority has recently held a “Happiness Hackathon”, encouraging citizens to think about new products and services that can plug into Dubai Pulse.
Securing smart dubai: Dr Sohail Munir, Smart Dubai
Many other cities around the world are also building a connected future. For example, Santander, in northern Spain, has been working on smart city development since 2010. IoT has played a big role in its plans: there are some 12,000 sensors scattered around the city, gathering environmental information from the air and soil, monitoring lighting and parking spaces, and tracking public transport vehicles as they journey around.
“Our main objective when innovating is to provide citizens with more and better services,” says Juan Echevarria Cuenca, Innovation Technical Manager at the Santander city authority. “We work on the small things that impact citizens directly, as this is the best way to transform innovation into real and concrete benefits.”
REDEFINING SANTANDER AS A SMART CITY: JUAN ECHEVARRIA CUENCA & GEMA IGUAL ORTIZ, SANTANDER
Santander’s advanced infrastructure makes it a laboratory for entrepreneurs who want to try out ideas and develop smart city products, according to Echevarria, and right now he’s working on ways to improve waste management and water supply using IoT sensors and big data analysis. But he recognises the inherent risks.
“Today, governments at all levels are targets,” Echevarria explains, “raising concerns about cyber attacks on critical connected infrastructures. “The key threat is on data security, but we insist that all solutions are ‘secure by design’.”
Back to top
How can we improve IoT security?
The best ways to mitigate against malware and cyber attacks on the IoT, whether it’s deployed in smart cities, manufacturing or any other sector, are well understood by security professionals. Embrace security by design principles, encrypt everything, keep networks properly segmented, regularly update software – the list goes on.
Yet it’s likely that we will see more headlines featuring widespread attacks from criminals, extortionists or state actors who target IoT devices.
How can we improve the security of off-the-shelf products, and ensure all partners in a specific supply chain are pulling their weight when it comes to security?
Respondents to the Gemalto survey were almost unanimous that there should be better regulation around IoT security, in order to provide guidance and clear lines of responsibility for business owners and device manufacturers. A full 96% of business decision makers believe that governments need to get more involved.
Defining security responsibility for better trust in IoT
This year the European Union has brought in to force two important pieces of legislation: the General Data Protection Regulation (GDPR) and the Directive on Network and Information Systems (NIS), which will introduce ground-breaking guidelines and penalties for those who don’t take security seriously. Both should impact IoT in a positive way, by introducing clarity about who has responsibility for security and data protection in all parts of the supply chain, and underlining how important security considerations are.
The business community overwhelmingly agrees that governments need to take a leading role in these issues. Only 2% of business decision makers surveyed for Gemalto’s The State of IoT Security felt that regulations in the area aren’t needed.
Now we have them, but they will still take time to filter through.
In the meantime, people are rightly concerned about security in IoT. Stories of data loss are depressingly common, today most people are aware that another major attack is just around the corner.
That doesn’t mean that you should put your business at risk by waiting to embrace innovation and the benefits of IoT.
The most important consideration of all is trust: if you work with partners that you can trust to put your security needs above all else, you’ll win the trust and confidence of your customers too.
Back to top
Get in touch with us
For more information regarding our services and solutions, contact one of Gemalto's sales representatives. We have agents worldwide who are available to help with your digital security needs. Fill out our contact form and one of our representatives will be in touch to discuss how Gemalto can assist you.
Back to top