IoT Security
How bad is it?
Add bookmarkDr. George Antoniou returns as a guest to talk with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies. Dr. Antoniou is the associate professor of cyber security management at Lynn University in Boca Raton, Florida, where his research interests include leadership, developing effective information, security policies, cloud security, IoT security, blockchain identity, access management, and cyber education and awareness. The topic of this episode is Internet of Things (IoT).
IoT Explained
An IoT device is simply any physical device with a defined purpose that has an operating system and can communicate through the internet with other things. Projections show that by 2021, about 25 billion IoT devices will be in operation, and 75 billion by the year 2025.
The support of so many connected devices used to be impossible. Now, advances in technology such as IPv6—the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet—and 5G is enabling the IoT revolution.
Benefits of IoT
The benefits of IoT span across all industries, including agriculture and healthcare, but personal lives are enhanced by IoT as well. For example, IoT thermostats monitor and control temperature, which is both convenient and cost saving. Smart watches and Fitbits monitor health stats such as pulse and steps, going so far as to send this information to a doctor or sounding an alert if a risk is detected. Smart cities, homes, and cars are other large-scale examples of IoT. While the ultimate realization of these technologies is a long way off and involves the use of imagination, advancements in IoT aren’t slowing down.
In fact, wearables are a perfect example of this. What was once a clunky step-tracking device is now a fashion statement that serves multiple purposes. In addition, designers and engineers are playing with fabrics that can be interwoven with IoT components so a sport shoe can measure speed, heartbeat, and sweat output or a jacket can charge phones.
Cyber Security With Wearables
However, wearables are prone to cyber attacks. While not a wearable but similar, a connected pacemaker was compromised in 2018, which opened the eyes to the industry of the associated risks that come along with IoT devices. As Dr. Antoniou explains, “The pacemaker was compromised through a remote execution of the code into the person who was having the pacemaker.”
Manufacturers of connected wearables must practice their due diligence to ensure that the security of devices is done correctly. Dr Antoniou emphasizes that the onus lays on the manufacturer.
Smart Cities and IoT
When people think of smart cities, they often envision traffic signals that change according to the current traffic pattern, tickets handed out automatically after cameras catch illegal incidents, or tolls automatically deducted from checking accounts when a sensor deems it appropriate. Smart cities are so much more than that, however.
Dr. Antoniou explains that a smart city exists as an ecosystem of those sensor components plus the services the city is providing. That includes public lighting, smart roads and parks, and free Wi-Fi across the city. Services include DMV renewal and efficiency measures that help keep costs and resource draining low through the use of a connected device or app.
Enterprise IoT
Enterprise IoT, also called Industry 4.0 consists of IoT devices that are designed to operate within a business to drive efficiency, effectiveness, and cost savings. Examples include voiceover IP phones, smart lighting within the building, and smart TVs and vending machines located in an enterprise building. With these tools, internet connection enables TVs with internet access and vending machines can take debit cards. Security features like cameras and intrusion detection also fall into the realm of Enterprise IoT.
There is some concern that Industry 4.0 will eliminate jobs, but Dr. Antoniou believes the contrary. “I think we will see some reduction in certain jobs, but then we will see more demand in other jobs. As we know, cyber security is a very hot field nowadays, and if you go to the Department of Labor, you can see millions of openings especially in cyber security.” He goes on to explain that what IT administration and project management jobs are lost to IoT, cyber security jobs will fill—and then some. He also believes any collateral damage will be worth one other key benefit: sustainability.
“Sustainability is a big, big issue and a trending around the globe. So these devices, they will be helping us to accomplish [the things that make] a better planet: reduce waste [and] make more effective use of resources and consumption.”
On-Prem IoT Security
Many at-home IoT devices run on Wi-Fi connected to home modems. Dr. Antoniou encourages everyone who purchases a new IoT device to always read the manufacturer instructions in order to understand what kind of security parameters and configurations need to be put in place for that device. He also talks about Rule Zero, or his firewall rule. “I explicitly deny everything inbound to my home… That would protect your IoT, but also your other devices that are connected to your home network.”
Dr. Antoniou stresses the fact that IoT technology is still in its infancy. There are a lot of security and connectivity kinks to be worked out. Too many manufacturers are rolling out new, snazzy devices without actively imagining all the future security risks the device may enable. Cyber security needs to be an active part of the manufacturing supply chain.
Digital Identities
Finally, each device must have its own digital identity, or an identity that the device can assume for the entirety of its life. “So the digital identities on the IoTs, it is similar to what we call the identity access management, and it's important to have them. And today, we don't have a centralized digital identity management for IoTs.” Dr. Antoniou is an expert in the future of digital identity evolution: “if you get that digital ID and marry it with a microchip that is embedded to this device and it creates a strong encryption algorithm and somehow creates a digital ID in a centralized identity and access management database that is utilizing blockchain for verification, authentication, and authorization, that device now has a digital ID. It has a body of existence.”
Humans are defined with a social security number which enable transactions like home loans or tax payments. Digital identities for IoT devices identify them within their ecosystem. From there, authorization is granted only to the IDs of the devices we want active on our home or enterprise network. This system is not currently in place. For example, a rogue employee could potentially go to work, pair their smart witch with a Bluetooth device, piggyback into the work network, and steal data. If that smart watch had a digital ID, the network would know instantly that it doesn’t belong.
Currently, Dr. Antoniou explains that the best defense to IoT threats is enterprise education and policy. By running a risk analysis, companies start to think about connectivity as a whole. From there, they can create policies and train employees on those policies.
When asked about current IoT regulations, Dr. Antoniou exhaustedly explains that there aren’t any. Some countries are farther ahead than others, however, and most countries are working on them. Also, there are commonly-accepted preliminary guidelines. “NIST the National Institute of Standards and Technology, run by United States government, has some preliminary frameworks for IoT, but it has not been come to a fruition as a standard yet.”
To listen to the full conversation and past episodes, click here.