The Internet of Things and The Fools Who Rushed In: A Cautionary Tale


There is no doubting the exponential rise in the popularity and uptake of the Internet of Things (IoT) over the last couple of years. All manner of devices and gadgets are now being connected to our networks in an effort to capitalise on the benefits of:

  • Improved efficiency.
  • Behaviour tracking for real time marketing.
  • Optimised process.
  • Automation.
  • Enhanced analytics.
  • Instantaneous control.

With everything from lightbulbs to heating thermostats, traffic lights and irrigation being connected, there is little that is not already able to connect to the IoT. Alongside improvements in efficiency, reductions in overheads and greater visibility, this drive towards ubiquitous networks is motivated (to a large extent) by manufacturers and retailers.

Cynical though it may be, the current gold rush to bring devices to market as quickly as possible and maximise sales comes at a huge detriment to the future of this incredibly powerful and useful technology. Products are designed and developed to get to market as quickly as possible and, in the process, one of the key features is being ignored.

What we are talking about here is security.

Every device connected via the IoT represents an access point to your network, and whilst great planning goes into strategizing, implementing and updating security for laptops, mobile devices and PCs, very little thought is currently being applied to the IoT.

If manufacturers haven’t considered the security implications of their own devices, how will it be possible for organisations to incorporate the same stringent security standards for IoT as they have for other access points?

How do you upgrade the OS on a smart home lock? Or a wireless energy monitor? What about light bulbs, thermostats or traffic management devices?

Latest research suggests that almost a third (29%) of all organisations have implemented IoT and this is expected to rise to almost half (48%) by the end of 2018.

This is despite the obvious security issues associated with the IoT being forecast in advance. More than 75% of UK consumers are concerned about the potential for hacking and data breaches with IoT, yet there seems to be no slowdown in the uptake of these devices. The same survey has forecast that over 25 billion devices will be sold over the next few years.

The rush to stay ‘on-trend’ and to take advantage of the positive aspects of IoT has blinded many to the obvious negatives. This, despite such high-profile examples of how vulnerable the technology is such as the Mirai ‘incident’ in 2016. Using IoT devices to launch a highly disruptive attack in Germany, Mirai was the malware responsible for infecting almost a million Deutsche Telekom customers and several thousand TalkTalk consumers.

Since this widely publicised incident it has been identified by an additional research report that more than half of all IoT device owners do not employ any third-party security to protect them from external threats. 35% also admitted to not changing the default passwords on their devices!

There is no question about it: the Internet of Things is storing up a potential minefield of security issues that could have a far more devastating impact than the much feared but widely anticipated ‘Millennium Bug’. Unlike the perceived impact of ‘Y2K’, the threat of the IoT gold rush is far more likely to have globally disruptive consequences.

The bottom line is that IoT currently represents an unlocked door in the defences of any network and it is simply a matter of time before someone tries the handle.

How Can a Disaster be Avoided?

So, what can be done to avoid sleepwalking into a crisis? How can we close the gaps being opened up in our defences by the IoT?

The first step is an obvious one but one that goes against the commercial instincts of those it concerns. Vendors of the technology must work together with professionals to produce a robust standard of security that can be deployed across IoT devices. As well as addressing concerns over how operating systems are updated and vulnerabilities fixed, the issue of certification should also be looked at. At the moment, there are no standards by which consumers can judge the trustworthiness of a product or technology.

Until these issues are resolved on a global scale then IoT will only ever be as secure as the untrusted devices that have been added to it. If these pieces of kit can’t be securely upgraded or defended by appropriate third-party solutions then organisations will have no choice but to remove them.

The problem with this is that the longer they remain in situ, the more embedded they become in the infrastructure of an organisation’s systems and network. The cost to remove them will no doubt exceed their installation cost; some observers estimate this to be up to 100 times over.

In retrospect, the rush to be at the forefront of this new technology suddenly starts to look like less of a wise investment.

Of course, there is always the issue of governance on these matters and governments too have a duty to legislate the industry to help establish these standards and make them mandatory.

In 2017, the U.S. Government proposed a new bill that would require IoT vendors to ensure that devices:

  • Can be patched with security updates.
  • Are free from known vulnerabilities when sold.
  • Do not have hard-coded passwords that cannot be changed.

Whilst the bill is still in the first stages of its legislative process, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is one step towards forcing developers to take the matter of security more seriously. And it’s not just the USA that is pushing for improvements; the EU has also commenced discussions on the challenges faced by the industry. ENISA (EU Agency for Network and Information Security) has started the ball rolling to bring suppliers, industry associations and developers together to discuss both threats and their solutions.

In a post-Brexit future, the UK government is also working towards a standard of ‘Secure by Default’ with both the National Cyber Security Programme (NCSP) and the Department for Digital, Culture, Media and Sport (DCMS) working towards building security into IoT devices as standard.

A Final Word of Caution

Until such time as developers are forced to integrate comprehensive and agile security into IoT devices, they remain a vulnerability to any organisation that uses them. The failure to assess their potential impact on your infrastructure and plan accordingly could result in devastating consequences for network security.

The general consensus when it comes to IoT is that until such time as devices are secure by design instead of being patched as an afterthought, they remain a risk.

Don’t forget that, in the ‘gold rush’ to capitalise on the benefits offered by IoT devices, there is an adage worth remembering: only fools rush in.