Enterprises facing “nightmare” with IoT security and data privacy, says IEEE
The Institute of Electrical and Electronics Engineers (IEEE) has warned that enterprises all over the world face a “nightmare” with the security of everyday devices connecting to their networks. Manufacturers of new ‘internet of things’ (IoT) devices are not thinking about security by design, according to Kevin Curran, senior IEEE member and professor of cyber-security and intelligent systems, and enterprises could be held to ransom as a result.
Familiar enterprise devices like smart locks on office front doors and even automated company cars are at risk, he said.
“Connected devices are quite limited. They are often single-purpose devices, performing specific functions within a wider, more complex system – for example, light bulbs, TVs, pacemakers, and kettles. IoT security mechanisms should be equally specialised and prevent targeted attacks, which are often unique to device function,” said Curran.
“Unfortunately, because they are so simplistic, the adoption of security support ecosystems, such as large databases of malware signatures, is impractical. The solution is to enforce rules-based filtering to allow communication only from authorised devices. Firewall policies like this allow a reduced rules-set to be adopted.”
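The “rules-based filtering” Curran describes is a default-deny allowlist scoped to each device's function. The following is an added example, not code from the article, Curran or the IEEE: a small policy model that decides per flow whether an IoT device may talk to a destination, and a renderer that emits the equivalent nftables ruleset for the gateway of an IoT VLAN. The device names, MAC addresses, the `10.10.5.0/24` segment, the `203.0.113.0/24` vendor update range and the `vlan50` interface name are all constructed assumptions; the generated ruleset is the Linux `nft` syntax the author knows, not something shipped by any vendor.

```python
"""Default-deny, per-device allowlist for an IoT segment, plus the matching
nftables ruleset.

Added example for the "rules-based filtering" quoted above; it is not code
from the article or from the IEEE. Device names, MAC addresses, addresses,
ports and the interface name are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    device: str     # the device function this rule is scoped to
    src_mac: str    # the one device the rule applies to
    dst_net: str    # destination it may reach, in CIDR form
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_ip: str
    proto: str
    dport: int


# Constructed allowlist: each device gets only the flows its single function
# needs. Anything not listed, including IoT-to-IoT lateral traffic, is dropped.
ALLOWLIST = (
    Rule("front-door-lock", "aa:bb:cc:00:00:01", "10.10.5.10/32", "tcp", 8883),  # MQTT over TLS to the lock controller
    Rule("front-door-lock", "aa:bb:cc:00:00:01", "10.10.5.1/32", "udp", 123),    # NTP from the segment gateway
    Rule("lobby-tv", "aa:bb:cc:00:00:02", "203.0.113.0/24", "tcp", 443),         # vendor update range only (assumed)
    Rule("kitchen-kettle", "aa:bb:cc:00:00:03", "10.10.5.1/32", "udp", 123),     # NTP only; no internet at all
)


def decide(flow: Flow, rules=ALLOWLIST) -> str:
    """Return 'accept' if a rule for this device permits the flow, else 'drop'."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if (flow.src_mac.lower() == r.src_mac.lower()
                and flow.proto == r.proto
                and flow.dport == r.dport
                and dst in ipaddress.ip_network(r.dst_net)):
            return "accept"
    return "drop"  # default deny: no rule matched


def _nft_daddr(cidr: str) -> str:
    """Render a CIDR the way nft prints it: a bare address for a /32."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address) if net.prefixlen == 32 else net.with_prefixlen


def render_nft(rules=ALLOWLIST, iface="vlan50") -> str:
    """Emit an nftables ruleset enforcing the same allowlist on traffic leaving
    the IoT VLAN. Only egress from the segment is policed; return traffic is
    covered by conntrack, and the final rule logs and drops everything else."""
    lines = [
        "table inet iot {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    iifname "{iface}" jump iot_egress',
        "  }",
        "  chain iot_egress {",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(
            f"    ether saddr {r.src_mac} ip daddr {_nft_daddr(r.dst_net)} "
            f'{r.proto} dport {r.dport} accept comment "{r.device}"'
        )
    lines += [
        '    log prefix "iot-drop: " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed flows: what a compromised lock or kettle would try, beside what they need.
    samples = [
        Flow("aa:bb:cc:00:00:01", "10.10.5.10", "tcp", 8883),   # lock -> controller: needed
        Flow("aa:bb:cc:00:00:01", "198.51.100.7", "tcp", 443),  # lock -> internet: beaconing, dropped
        Flow("aa:bb:cc:00:00:03", "10.10.5.10", "tcp", 8883),   # kettle -> lock controller: lateral, dropped
        Flow("aa:bb:cc:00:00:03", "8.8.8.8", "udp", 53),        # kettle -> public DNS: dropped
    ]
    for f in samples:
        print(f"{f.src_mac} -> {f.dst_ip}:{f.dport}/{f.proto}: {decide(f)}")
    print(render_nft())
```

Two caveats a practitioner would add. A MAC address identifies a device but does not authenticate it, so another device on the same segment can impersonate the lock by spoofing its address; the allowlist should sit behind 802.1X or switch port security, or each device class should get its own VLAN. And the “reduced rules-set” only stays reduced if the list is derived from each device's documented function rather than from observed traffic, otherwise a device that is already compromised when baselined gets its command-and-control channel allowlisted.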
The technology industry is failing to learn from its mistakes. A glance at the top IoT security vulnerabilities, as compiled by the Open Web Application Security Project (OWASP), shows this to be the case. The same errors and oversights seen in traditional IT security keep reappearing, typically around identity and authentication, transport encryption and physical security, and the devices themselves are almost always the weakest link.
Consistency is everything in the fight against cyber-crime, but IoT confounds that drive for consistency with a multiplicity of technologies and devices. IoT security regulation and standards are tightening, slowly, but enterprises cannot wait.
Meanwhile, policies governing enterprise networks have not evolved with the threat landscape, said Curran. The work environment now includes far more than laptops and servers, but security measures have hardly developed. Multiple connected devices now roam in and out of enterprise networks; control mechanisms have been weakened and IoT has “opened the floodgates”.
Enterprises do not have a “lockdown on the devices and the software being downloaded,” he said.
“People will be installing smart devices in their offices that automatically connect to the internet. But what if a builder hasn’t checked if it’s secure? We’re heading for a nightmare down the road as things cannot be patched and secured.”
Concerns have also been raised about the IoT security of non-traditional ‘shadow’ devices on enterprise networks.
A third of companies in the UK, Germany, and US have more than 1,000 so-called shadow IoT devices connected to their network on a typical day, with 12 per cent of UK organisations reporting having more than 10,000. The most common devices found on enterprise networks include fitness trackers (49 per cent), digital assistants such as Amazon Alexa (47 per cent), smart TVs (46 per cent), smart kitchen devices (33 per cent) and gaming consoles (30 per cent), according to Infoblox.
Curran also pointed to a lack of preparedness among enterprises facing up to the incoming General Data Protection Regulation (GDPR), which comes into force this week (May 25).
“Organisations need to be aware that privacy issues can arise due to their IoT data collection mechanisms, which may lead to user profiling and identification of individuals. It is crucial that information security, privacy, and data protection be addressed comprehensively at the design phase,” he said.
“Companies will have to pay more attention to the secure storage of data collected via the Internet of Things as legal repercussions intensify and data collection increases. This data is generally being stored in the cloud and recommended practices should apply. Companies with large data sets should pay extra attention to the data lifecycle phases and ensure that aspects such as data destruction and a layered security strategy are provided.”
The IEEE believes the buck for both data security and data privacy stops with senior management and the technology department. Policies should be continuously reviewed, including deciding what authentication is needed, what apps are allowed on the network, who and what can connect to it, and whether certain things belong on a guest network rather than the enterprise network.
Firewalls and intrusion detection and prevention systems (IDPS) need to be considered, and encryption will play a core role. The professor commented that ‘devices need strong passwords and organisations might need to start enforcing certificate-based or biometric authentication to highlight failed access attempts or denial-of-service attacks’.
But Curran said manufacturers need to be held to account: “The onus needs to be on the people who make the devices, who currently have zero responsibilities. Until that is addressed, enterprises will be vulnerable. Everything that could be connected is becoming connected. However, with out-of-the-box products, security comes at the cost of convenience.”