Now that you understand the Internet of Things (IoT), it’s time to talk about how security impacts it as a whole.
Firstly, when we talk about security, we are referring to how safe (or unsafe) a piece of technology is. Can it be manipulated? If so, what are the vectors of attack? Do I require physical access? Provided I can manipulate it, what can I do?
These are age-old questions in the world of Information Security. However, one of those questions is not as important when we concern ourselves with the IoT. Do I require physical access? Of course not. This is the Internet of Things. These are all little devices connected to the internet. So, what are the security impacts here?
When a toaster is only connected to mains, you can burn your toast if you leave it down too long. Now, when a toaster is connected to the internet, I can burn your toast even if I’m in Ireland and you’re in Hong Kong. Not too big a deal, though; no one cries over spilt milk (or burnt toast).
As the IoT develops, we are not only talking about toasters. We talk about critical applications of IoT, areas where the IoT could have an impact on life. These must be secure. We then imagine that there will be a certifying body or a standard which has to be met.
What has been done until now?
There are projects starting in this space, the Open Web Application Security Program (OWASP) being a good example (Klein Keane and Zdjelar, 2016). However, this is not stopping new products being released to the public. People are already purchasing goods which are connected to the internet and could be critical, without any certification.
OWASP seeks to define a “Top Ten” list of how to secure software. For the IoT, OWASP has defined a specific list. This list ranges from “Poor Physical Security” to “Insecure Network Services” (Miessler, 2016). The real question is: who enforces this? Right now, the consumer. That may be you. We advise any consumers currently purchasing IoT products to do their research on the security of those products. It’s the only way you can know for sure if they are safe.
What is being done going forward?
Unfortunately, very little. It seems the industry is currently relying on older support systems (e.g. Supervisory Control and Data Acquisition systems). These are systems which were invented at the dawn of automation. They will not cover all the bases. New legislation and industry standards are required.
The European Commission have started public consultations and produced conclusions (Digital Single Market, 2016). Of particular interest is document 7 (Internet of Things Factsheet Privacy and Security). Aptly named, this seeks to educate the Commission on the security of the IoT. However, this was published on 28/02/2013 and we have yet to see a start on any laws.
Until a regulatory body is created, buyer beware. Now that you understand the impact of security, read some of our posts where we delve deeper into critical applications. We refer back to the security where necessary and assess the possible impact improper security could have on each specific application.
Klein Keane, J. and Zdjelar, S. (2016). OWASP Internet of Things Project – OWASP. [online] Owasp.org. Available at: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project [Accessed 15 Oct. 2016].
Miessler, D. (2016). Top 10 IoT Vulnerabilities (2014) – OWASP. [online] Owasp.org. Available at: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014) [Accessed 15 Oct. 2016].
Digital Single Market. (2016). Conclusions of the Internet of Things public consultation. [online] Available at: https://ec.europa.eu/digital-single-market/news/conclusions-internet-things-public-consultation [Accessed 15 Oct. 2016].
Image courtesy of Pixabay.