Protecting Your Data From the Internet of Things
"It's human nature to think about availability first and security second," says Brett Kelsey, vice president and chief technology officer, Americas for Intel Security. "Say you have a Fitbit or other fitness tracking device attached to your smartphone through Bluetooth. If I'm able to compromise that device, I don't care about how many steps you've taken, but theoretically, I might have a hook to go from your wrist to your phone to your corporate environment."
That simple principle — compromising a small, innocuous device to gain access to more critical or valuable functions and data — is at the center of concerns about Internet of Things (IoT) security. The Global State of Information Security Survey 2015 estimated that about 70% of connected IoT devices lack fundamental security safeguards.
By 2020, Cisco expects the number of IoT devices worldwide to hit 50 billion. On a consumer level, the home IoT environment may include a refrigerator that serves as a home hub or a NEST operating system that controls your air conditioning, heating and other functions.
Connected fridges, thermostats and washing machines, however, aren't the IoT items that keep Kelsey up at night.
Implications in the corporate environment
"My big concern is the IoT that sits in a true corporate world," he says. He cites the Ukranian hacker attack in December 2015 — in which 80,000 people lost power for 6 hours — as an example of where the potential weaknesses lie. The hackers attacked the power grid, specifically a multitude of various control-type devices that manage the flow of power. "Most of those controls are archaic, running old operating systems, and they're no longer supported. The industry claims that the devices are what they call air-gapped — not physically connected — but the normal standard is to attach the back-end systems to the normal IT systems for reporting and production. As soon as you've made that connectivity and capability, you've exposed that entire side of the network to attacks."
Of course, that's just one industry and one example of the security challenges in an IoT world. Kelsey reels off a list of other examples, including the hacktivist group Anonymous going after the Bay Area Rapid Transit in San Francisco in 2011 and the ransomware attack at Hollywood Presbyterian Medical Center earlier in 2016.
"Look at the quantity of IoT devices that sit inside a patient room," he says. "You go to visit a friend or relative in a hospital room, and there's a multitude of devices hooked up to them monitoring their blood pressure, heart rate and other biometrics. Nine times out of 10, those devices are also connected to a network that feeds info to the nurses' station or other people monitoring their care, and the entire IP network of the hospital. At Hollywood Presbyterian, it was serious enough that they literally had to move patients to a different hospital to continue functioning."
Kelsey cites driverless vehicles as another area with serious implications for IoT security, but not just for consumer transportation. "Some of the greatest minds in tech are also talking about the capability of the entire trucking industry to be driverless by 2025," he says. "That would fundamentally change how we receive inventory, speed things up and make everything more efficient. No question, great things go with it, but from a carrier perspective, a cyberattack that shuts down system transportation is a devastating scenario."
With drone technology in its infancy, the IoT security issues are every bit as important to resolve as how to deploy them for delivery, construction and transportation. "I can see the usage, but we need a lot of work in that space," Kelsey says. "How do we secure them? How do we keep someone from creating armies of technology that can be used against us?"
Taking the lead in IoT security
Some of the steps Intel is taking to address IoT security issues include:
- In the consumer space, Intel has created a home gateway with the capability of securing IoT devices.
- In the auto industry, Intel has founded and sponsored an auto security consortium to bring together a wide range of players who make back-end platforms, in the interest of making sure devices are secure before hitting the market.
- Intel is also partnering with companies such as Siemens to improve the security of their industrial control systems.
"There's a lot more work to be done to resolve the larger problems, but we're doing everything we can to participate where and when we can," says Kelsey.
As an Intel Technology Provider Platinum partner for more than 10 years, Insight has been a consistent leader in helping clients adapt to technology advances. When you're ready to ramp up the security of your corporate devices, contact an Intel specialist for help or with questions. In the meantime, read how to batten down the hatches of your data center and navigate mobile device security.