Promotional material There are billions of network-connected devices in homes, businesses, and urban spaces around the world. If cybersecurity is not a priority, the Internet of Things could become an easy target for criminals.
Everyone knows that the Internet of Things (IoT) is developing very rapidly. Unfortunately, only a handful of people are aware of what this means from a security point of view – whether in private homes or businesses.
The popularization of grid-connected smart devices comes with forecasts of further growth – according to IHS, their number in 2015-2025 will increase from 15.4 billion to 75.4 billion, while General Electric estimates that investments in IIoT (Industrial Internet of Things) alone, the Industrial Internet of Things, will reach $60 trillion in the next 15 years.
Control communication threats
Everyday people and businesses have high hopes for the IoT – it is expected to bring significant benefits and increase efficiency, but there is also a spoonful of tar in that barrel of honey: the security. The devices that make up the Internet of Things are inherently small, have little computing power, and have no, or at best, little physical security. They are also often located in public spaces accessible to multiple users. Here is another challenge: who has the right to collect, download and use the data collected in these domains?
The first step in securing the IoT is to build security into your devices. A set of best practices in this area includes preventing software and hardware modifications, creating secure firmware upgrade paths, and encrypting the entire mass memory, or at least the boot sector.
Authentication and authorization
Authentication is another essential element of IoT success. The devices will have multiple users, but their small size and operating systems virtually preclude the use of strong encryption. Some IoT security proposals herald an evolution of authentication in the world of the Internet of Things.
“Today’s strong encryption and authentication schemes are based on cryptographic packages such as AES (Advanced Encryption Suite) for transporting confidential data” – indicated in the document describing the architecture proposed by Cisco. “Although the protocols are reliable, they require a computing power platform that may not be present for all IoT-connected devices.”.
“These authentication and authorization protocols also require some degree of user intervention for configuration and provisioning. Nevertheless, access to many IoT devices will be limited, so the initial setup will need to be secured against modification, theft or other forms of compromise throughout the lifecycle, which in many cases will be counted in years. “
Of course, new technologies and algorithms are constantly being developed. An example is the compact SHA-3 algorithm, which has been adopted by the American NIST (National Institute of Standards and Technology) for embedded smart devices.
In addition, ISPs may have to assume certain security responsibilities. They have the ability to block and filter unwanted traffic. An example would be the BCP38 standard, but with costs. Providers can also notify customers if a device on their network is generating suspicious traffic, similar to detecting illegal file sharing.
However, both strategies are controversial – blocking may inadvertently stop some regular legitimate network traffic, and notification may involve network management activities that users may find too intrusive. More importantly, both require the cooperation of vendors, or at least some of them believe that security is not their domain.
Connecting our entire world to the Internet can bring huge benefits, but until all players take responsibility for ensuring security, IoT will be a problem rather than a solution.