Dubai: The Internet of Things (IoT) may be the ultimate two-edged sword. Even though it opens up new and exciting opportunities, it also poses a serious threat to security.

Industry experts nevertheless expect IoT to fuel economic growth, contributing as much as $11 trillion per year to the global economy.

But what is IoT? It refers to the growing network of computing devices embedded in everyday objects, which enables them to send and receive data over the internet. These devices can include clocks, cameras and home security devices.

Last year’s WannaCry ransomware attack shut down computers in 150 countries, and a massive denial-of-service attack in 2016 known as ‘Mirai’ caused the domain services of US-based internet-infrastructure provider Dyn to become unreachable, resulting in intermittent service outages for its clients. WannaCry is the name of the malware that was released on the internet in March 2017 by a hacking group known as the Shadow Brokers. The group claimed that it was stolen from a repository of US National Security Agency hacking tools. The malware encrypts data on computers and demands payments to restore access.

What will happen if IoT devices are infected with ransomware and hackers get full control? Although threats have proliferated, security technology is advancing rapidly, said Chen Lifang, a board member at Huawei Technologies and a member of the company’s Global Cyber Security Committee.

According to research firm International Data Corporation, 10 billion devices are connected to the network now, and that number is expected to reach 29 billion by 2020.

Lifang said that the IoT can actually be secured at three main levels — the devices that collect and generate data; the network through which that data is transmitted; and the platform where data is eventually sent for storage and processing.

Lock down these three targets and the risks would diminish greatly.

“Securing the IoT starts with the things themselves. Security can be engineered into the silicon chips inside each device in a way that renders them impervious to tampering. This makes devices much more secure and enables a range of defensive measures against hackers,” she said.

Lines of defence

The IoT uses small and low-power devices that lack the processing capacity to run the kind of full-blown operating system that would ordinarily guard against attack.

But newer operating systems have been optimised for IoT, Lifang said.

Moreover, she said that they can support two-way authentication that verifies the identity of both the transmitting and receiving entities.

On a power grid, for example, she said that an electric switch will accept instructions only from a trusted control system, while the system accepts readings only from trusted devices.
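The power-grid case above, sketched as an added example that is not from the article or from any vendor's code: each side accepts a message only if it carries a valid tag from the expected peer and a fresh counter. An HMAC over a pre-shared secret stands in for whatever mechanism a real IoT operating system uses, and every name and key here is hypothetical.

```python
import hashlib
import hmac
import json

def direction_key(shared: bytes, label: bytes) -> bytes:
    # One key per direction, so a reading cannot be reflected back as a command.
    return hmac.new(shared, label, hashlib.sha256).digest()

def seal(key: bytes, sender: str, counter: int, body: dict) -> dict:
    msg = json.dumps({"from": sender, "ctr": counter, "body": body}, sort_keys=True)
    tag = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    return {"msg": msg, "tag": tag}

class Verifier:
    """Accepts messages only from one named peer, in strictly increasing order."""
    def __init__(self, key: bytes, peer: str):
        self.key, self.peer, self.last_ctr = key, peer, 0

    def accept(self, envelope: dict) -> dict:
        want = hmac.new(self.key, envelope["msg"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, envelope["tag"]):
            raise PermissionError("tag mismatch: sender does not hold the key")
        fields = json.loads(envelope["msg"])
        if fields["from"] != self.peer:
            raise PermissionError("unexpected sender")
        if fields["ctr"] <= self.last_ctr:
            raise PermissionError("replayed or stale message")
        self.last_ctr = fields["ctr"]
        return fields["body"]

# Constructed sample secret, standing in for one provisioned into the switch.
SHARED = b"constructed-sample-secret-switch-17"
CMD_KEY = direction_key(SHARED, b"controller->switch")
READ_KEY = direction_key(SHARED, b"switch->controller")

def demo() -> list:
    switch = Verifier(CMD_KEY, "control-system")   # runs on the switch
    controller = Verifier(READ_KEY, "switch-17")   # runs on the control system
    command = seal(CMD_KEY, "control-system", 1, {"action": "open"})
    reading = seal(READ_KEY, "switch-17", 1, {"amps": 12.5})
    results = [switch.accept(command)["action"], controller.accept(reading)["amps"]]
    untrusted = seal(b"not-the-provisioned-key", "control-system", 2, {"action": "close"})
    for bad in (command, untrusted, reading):  # replay, wrong key, reflected reading
        try:
            switch.accept(bad)
            results.append("accepted")
        except PermissionError as exc:
            results.append(str(exc))
    return results

if __name__ == "__main__":
    print(demo())
```

The counter check is what stops a recorded, genuinely tagged command from being accepted a second time.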

“The second line of defence exists on the network itself. As connected objects transmit their data, the traffic is scanned for anomalies such as unusual payloads or packets sent in the wrong sequence. Suspicious devices are isolated, preventing one bad device from infecting the network.

“The third line of IoT defence takes place on a platform such as the cloud, where data generated by devices is stored and managed. While many defence mechanisms are available at the platform level, the main goal is to secure applications and the data they generate. One example would be apps that allow bank customers to check their account balances online,” she said.

This can be done in two ways, she said, adding that communications are authenticated with digital signatures that prove the communication is genuine. “They’re also protected by digital keys that encrypt the data. For example, a wearable blood pressure monitor might wirelessly send a patient’s data to an app in the cloud, where it is stored, analysed, and used to improve both the monitor’s functioning and the patient’s health.”

The monitor uses a secure chip and a secure operating system while the app that runs on the monitor then uses a digital signature to ensure that the messages sent from the device to the cloud are not intercepted, and are in fact genuine. “Encryption based on the digital key protects the data on its way to the cloud, then keeps it secure once it is stored there. Without question, securing the IoT will pose major challenges,” she said.

For example, many device manufacturers are small companies that lack the resources to engineer security into their devices or distribute patches quickly if devices are compromised. However, manufacturers can build their own secure devices using software development kits. “The IoT is sometimes portrayed as inherently vulnerable, and in the past, many connected objects were not made secure because they didn’t need to be. Times have changed, and securing the IoT has become a paramount issue,” she said.

Fortunately, defensive capabilities exist to ensure privacy, reliability, and resilience, said Lifang. Deploying those capabilities correctly is the first step toward making a secure IoT a reality.