Jari Tenhunen, VP R&D, Tosibox
The growth of the Internet of Things (IoT) has brought security to the forefront; this has been identified at the government level as well. Especially in traditional industries, new ways of sharing and utilizing information and data create new opportunities for business, but at the same time they create new attack vectors for hackers.
IoT security challenges include industrial espionage (i.e., illegal information gathering), sabotage such as denial-of-service (DoS) attacks, and the hijacking of devices for use in, for example, botnets.
As connectivity for exchanging data between sensors, machines, devices, processes and services is at the heart of the IoT, these connections – whatever form they take – need to be sufficiently strong to protect business-critical information and connections from attacks. Therefore, the security of IoT must be approached differently from traditional security. Remote connections must be unbreakable, categorically.
As a basic principle, the number of devices connected to the Internet should be minimized, and devices should be allowed Internet access only if the conditions below are met.
1. Strongly encrypted connections
Everything that is transferred over the Internet must be strongly encrypted. The minimum recommendation is end-to-end encryption using modern, secure technologies such as AES and TLS.
2. Strong mutual authentication
When exchanging sensitive information, utilize strong multilevel and multifactor authentication, the latter when authenticating individuals. In PKI technologies, ensure sufficient password strength and key protection.
3. Software and security updates
Applications always have vulnerabilities and are being patched constantly. Keep patches up to date. If a vendor does not provide software updates, it has no business on the Internet. Automated security patches and software updates are the easiest way, as the number of IoT devices alone makes this the only practical solution.
4. Secure default settings
The default settings of the product should be secure. There should be no default open ports or interfaces. Use strong unique passwords. Do not grant unnecessary access rights for users by default.
Unfortunately, the above-mentioned security criteria are not always met. One must be especially careful with cost-efficient devices, for instance sensor-equipped ones. With such devices, it is better to connect unprotected devices through a separate security VPN gateway device. A VPN gateway provides a strongly secured and authenticated connection, a tunnel through which even unprotected devices can be securely connected to the cloud or to an organization’s network elsewhere. The same gateway and technology can provide remote access to individual users as well.
According to Frost & Sullivan, the global sensors market will be USD 162 billion by the year 2019. The main drivers in this growth are traditional industry, smart cities and e-health. From this point of view, too, IoT security is critical. Start taking ownership of it – today!
PS. I will be presenting on this topic at the Hannover Messe next week. If you are attending the event, you are more than welcome to participate.