Any discussion of the IoT must include a deep look at security. Organizations rolling out the technology must be certain that they are doing so properly. The IoT is like any technology, from electricity to nuclear power to artificial intelligence: There is potential to do great good and profit in the process. But poorly planned and executed implementations can be disruptive and destructive. Security must be a key concern from the earliest planning stages.
The dangers of the IoT are easy to describe – and they are scary. The billions of devices all are potential entry points to their host network. The sheer number of IoT-connected devices in the field and the reality that each must consume very little power means that it is technically and financially impossible to provide each with more than the most rudimentary security functions.
If not handled proactively, this is a recipe for disaster: It gives the bad guys an almost limitless set of unprotected or under-protected targets. And, to top it all off, these sensors and other end point highly available. The IoT is all about interacting with the public, whether it is through a Fitbit, a smart speaker or any one of hundreds of other pieces of consumer equipment. A criminal can simply walk into an electronics store, buy a device, connected to the network and have what experts call “an attack surface.”
We are not just talking about future threats. In 2016, IoT-enabled surveillance cameras and other devices were attacked by malware that made them part of a huge botnet. Owners did not know that their devices had been kidnapped. The botnet — called Mirai – launched crippling distributed denial of service (DDoS) attacks that made servers unavailable to legitimate users.
Not the End of the Story
It would seem that the IoT is a dangerous place. That’s not the end of the story, though. The bottom line is that the entire IoT ecosystem – from device makers to networking companies – is aware of the challenges. They also understand that this is an “existential” problem that threatens the entire IoT business.
The goal, of course, is not to let this happen. The IoT ecosystem has gone to work. There are steps that device manufacturers can take that will promote safety. Likewise, telecommunications companies that host the IoT networks can implement technologies and policies that limit risk.
End-users – companies and individuals – also play a big role in keeping the IoT secure. Earlier this year, IoT World Today posted a story that noted ten steps an enterprise can do to help themselves. Some of the steps are simply common-sense best practices, such as changing passwords from the default that the device comes with, keeping security software updated, using multifactor identification and turning off devices when they are not in use.
Other steps are a bit more complex and likely requires the help of an outside expert. For instance, segregating all the IoT devices onto the same firewall-protected and monitored subnetwork creates a barrier that in essence can choke off devices that are compromised before the bulk of the network is impacted and the problem explodes.
Proactivity the Key
Organizations must make security a key discussion point with telecommunications service providers, device vendors and anyone else who will have input in their IoT planning, buying decisions and implementations. Watch carefully: This is a discussion that these vendors and consultants should want to have. If they seem reluctant or downplay the risks, consider selecting other outsiders to help with your project.
The good news is that there is a lot of activity aimed at securing IoT devices. It’s important that enterprises that use IoT devices think in terms of safety and security and create a culture of security in their organizations.