Securing the Internet of Things

Brid-Aine Parnell

Wednesday 10 May 2017

There are billions of connected devices in homes, cities and businesses around the world. But unless cybersecurity is made a top priority, the Internet of Things could become an easy target for cybercriminals.

Everyone knows the Internet of Things is here and rapidly growing. What they don’t know is what this will mean for cybersecurity, whether at home or work.

Predictions surrounding the proliferation of connected devices have been rife – IHS forecasts the figures will grow from 15.4 billion devices in 2015 to 75.4 billion by 2025, while General Electric estimates investment in the Industrial Internet of Things (IIoT) will reach $60 trillion in the next 15 years.

Curbing connectivity threats

The IoT promises a host of efficiency and expediency benefits for both citizens and businesses, but there’s a fly in the ointment: security. By their nature, these devices are small and so have low computing power, with little to no physical security. They are also often located in public spaces and accessed by various users. This is where a second concern comes into play: who has the right to collect, access and use the data gathered in these areas?

The very first step in securing the IoT is making connected devices as secure as possible out of the box. Best practice for the IoT includes ensuring hardware is tamper-proof, has secure pathways for firmware upgrades and contains encrypted storage or boot functionality where possible.

Authentic and authorised

Another important element of the IoT’s success is authentication. IoT devices will have multiple users, but their small size and operating systems will inhibit the use of strong encryption. Some IoT security proposals suggest authentication will need to change in a connected world.

“Today’s strong encryption and authentication schemes are based on cryptographic suites such as Advanced Encryption Suite (AES) for confidential data transport,” states Cisco’s proposed framework. “While the protocols are robust, they require high compute platform – a resource that may not exist in all IoT-attached devices.

“These authentication and authorisation protocols also require a degree of user intervention in terms of configuration and provisioning. However, many IoT devices will have limited access, thus requiring initial configuration to be protected from tampering, theft and other forms of compromise throughout its useable life, which in many cases could be years.”

But new technologies and algorithms are already being investigated, such as the compact SHA-3 algorithm adopted by the National Institute of Standards and Technology for embedded smart devices.

Internet service providers (ISPs) might also need to take a larger role in security provision. They already have the capability to block or filter malicious traffic, for example by applying the BCP38 standard, but there’s a cost involved. ISPs could also notify customers if a device on their network is sending or receiving malicious traffic, similar to how they detect illegal file sharing.

But both strategies are controversial – blocking could unintentionally stop legitimate traffic, while notifications involve a level of network management that users would find intrusive. Most importantly, both require the cooperation of ISPs, some of which believe security is not their domain.

There are huge potential benefits from connecting our world through the internet, but unless every stakeholder is willing to play their part to maintain security, the IoT will become a liability instead of an asset.

