If the 1990s were when the dream of a hyperconnected world first took hold in the public consciousness, the 2010s are when that dream has become a reality – and, for some, a security nightmare. Analysts estimate that by 2020 there may be more than 50 billion devices connected to the internet. A large portion of the growth in connectivity comes from the internet of things. The internet of things, or IoT, refers to a new breed of devices which, though not obviously computers, are nevertheless connected to the internet. This encompasses anything from smart-watches to thermostats to smart-speaker assistants, like Amazon’s Alexa or Google Home. While the IoT presents great opportunities for businesses and consumers, it carries potentially key security vulnerabilities, which users should be aware of before fully embracing the revolution.
This revolution began with devices that one might consider pure novelties: a drinks machine for example, which a laptop can connect to and check if a desired drink is in stock before you make the trip to buy it. Despite these novelties, these internet-connected ‘things’ paved the way for the new industrial revolution. The first such revolution of the 18th century was based on the idea that machines could complete tasks as instructed by a human operator. This new industrial revolution removes the human component entirely, as soon as the machine is built and connected to a network. Taking this one step further brings us to the concept of Machine to Machine (M2M) economy, a radical shift in the organisation and processing of the global system. In the M2M regime, machines can essentially hold bank accounts, they can make transactions, not just with humans but other machines as well. An MRI machine for example would be able to charge a patient, run a test, and organise and pay for its own repair, communicating with a central fund held by yet another machine. This might even be described as the ‘integration’ of machines into society.
This is still in the pipeline mainly due to cost ineffectiveness, particularly when it comes to financial transactions; if paying a machine $1 costs another machine significantly more than $1 then the system is unsustainable. Nevertheless, with the reducing prices of the production of IOT devices coupled with the increasing amounts of targeted data collection, as well as recent breakthroughs in the handling of M2M economy transactions, this unsustainable system is rapidly approaching its point of inflexion.
With this in mind, many logistics companies are racing to incorporate internet-connected devices and sensors to improve their monitoring and analysis capabilities in a vast array of areas. IoT devices are used in industry for everything from monitoring fuel consumption, to tracking fleets of trucks to monitoring damage to railways. These devices radically enhance the visibility of a supply chain, allowing companies to better understand their processes, and those of their third-party providers.
This visibility is a double-edged sword, however, as connecting more devices to the internet necessarily increases a company’s exposure to online attacks. This exposure is exacerbated by the fact that many IoT devices have poor security features and update infrastructures, often not having been built with a “secure by design and by default” philosophy and now difficult to retroactively secure. Some of this weakness is a result of dependence on relatively new technology, such as early long-life batteries. Many of the most high-security encryption standards, such as the Advanced Encryption Standard (AES) used by the US Military, are processor intensive and so rapidly drain batteries. As a result, IoT devices often compromise on security in order to offer other features, such as long lifetimes of sensors.
These vulnerable internet-connected devices can be a key backdoor for hackers trying to gain access to a corporate security system. In May this year, the United States fell prey to a brand-new type of cyber-attack which acted through wireless routers and exploited vulnerabilities offered up by IOT devices. This malware – known as VPNFilter – appears to have been tailored to play on the worst fears of corporations because it targeted supervisory control and data acquisition (SCADA) systems. SCADA systems allow organizations to control industrial processes, monitor real-time data, directly interact with industrial devices (IoT devices), and keep logs of events. SCADA systems are crucial.
The malware of 2018 sought to intercept SCADA communications. Modules of the malware were found to be capable of intercepting all traffic through selected ports, executing commands on connected devices (such as IoT devices), and even ‘bricking’ these devices (rendering them unusable). The consequences for corporations could be dire: data loss, device loss, and the complete arrest of operations. But the consequences of malware like this when coupled to other software such as ransomware, used in 2017 to hold the UK’s National Health System to ‘ransom’, would be catastrophic. A 21st century equivalent to the Great Train Robbery.
New generations of IoT technologies are beginning to address some of these key security vulnerabilities. A major new trend in IoT is low power devices, which communicate wirelessly via a Low Power Wide Area (LPWA) network. These devices are designed to spend most of their life in power-saving sleep states, only communicating wirelessly with central servers in order to respond to real-world events or accept instructions. This power-saving approach leads naturally to a cybersecurity advantage, which is that hackers are much less likely to be able to use these devices as backdoors than they would older “always-on” sensors. In order to break in through a low power device, a hacker would need to time their attack precisely so as to coincide with a rare period of communication between the sensor and the server. Of course, this can still occur, but these devices generally offer high security standards by default. The increasingly popular LoRaWAN protocol for wireless communication, for instance, builds in end-to-end encryption between a sensor and its controlling application on a server, enabling high security data transfer. While this technology remains in its infancy and may not be appropriate for all companies yet, it could present a long-term solution to many of the security issues plaguing the internet of things.
As logistics companies continue to introduce IoT devices into their business models, they must remain conscious of the additional cyber risk this entails. Simple steps, like making cybersecurity features a priority in the acquisition of IoT devices and banning employees from connecting their home devices to a corporate network, can help prevent the spread of unnecessary new vulnerabilities.
But is this a viable way forward? Universities don’t ban their students from using their own smartphones or laptops on a university network. Similarly, you shouldn’t have to ban a salesman from accessing a picture of a product on a corporate cloud storage platform from his own device. Instead, corporations employ rigorous background checks on these traditional devices, requiring them to be heavily vetted in terms of their network security status and anti-virus features. Perhaps the equivalent should be considered for IoT devices.
One interesting approach to IoT security is to segregate devices from the traditional network. Then, should IoT security be breached, the ordinary network remains secure. Perhaps a more sophisticated concept is that of network segmentation. Here, different IoT devices are partitioned into network zones, all of which are independently secured. The devices can then be managed, and granted access to the general internet if required but, should an IoT device be breached, the zone it belongs to can be isolated and held in quarantine, thus rendering only a small sub-population of IoT devices unsecure (and still not affecting the traditional network).
The future has rapidly arrived. Everyone, from large corporations preparing for IoT transitions to individuals looking to create modern home network systems, must embrace this technology with care, keeping the hug potential for security risk at the front of their minds. By maintaining high standards, visibility and regular security testing across an entire network, companies can get the best of both worlds, maintaining cybersecurity resilience while reaping the benefits of a more connected world.
– Jonathan Sharrock, Cyber Citadel.