IoT — Security concerns and adoption challenges

Zakir Rangwala, country head at ESS Distribution, says Internet of Things (IoT) has been hitting headlines for past couple of years, both in India and globally.

In case of India, the estimates of the number of connected devices go shockingly high, thanks to our 1.3 billion population and therefore the amount of devices we own. However, what lies behind these headlines and numbers is, first, old security concerns being wrapped in a new package, and second, the ground reality of actual deployment of IoT by governments, businesses, and people.

In cyber security industry we tend to complicate definitions which do not necessarily help the purpose of better explaining the security concerns and outcomes of breach. If by IoT we simply understand a much more connected world, a growing trend of connecting everything around to the internet, it won’t be that difficult to point out the security concerns:  more connections means more exposure.

Going by more sophisticated definition,  IoT is the network of physical objects – buildings, devices, vehicles, smartphones, TVs and other items – embedded with electronics, sensors, software and internet connectivity that makes it possible for these objects to gather and exchange data. It is a concept that describes a future where our everyday physical objects or devices will be able to connect to the internet, gather, process and exchange data. Here we come to another concern: more data means more attention from cybercriminals.

Combine both, and here is a simple conclusion: IoT is vulnerable and there is no single way to secure it. Here is where the complications start.

An ideal scenario of Internet of Things (IoT) would be a smart home with various devices working together for the best user experience. As you wake up in the morning, a smart coffee maker will automatically start brewing your coffee. As you walk down the stairs to the kitchen, a smart bulb will automatically light itself detecting your presence in the stairway, the smart air-con will start after detecting your body temperature data derived from your smart watch.

Then you will take your smartphone and monitor CCTV cameras installed in the house making sure all is in place and newspaper have been delivered. Amazing concept, although looks like a distant future for most of the homes in India, even provided the “Smart City” and “Digital India” initiatives turn out to be successful. However, we in India today have many of those smart devices, including cameras, coffeemakers and baby video monitors connected to Wi-Fi widely sold in the market.

Let’s look at all this from a security standpoint. On the brighter side, IoT will definitely change the way we perceive technology. It will not only make our lives and work easier but may bring live saving to the new level: there are such smart devices that can be implanted to a patient’s heart and monitor and send signals/data to a nearby device, which will then process and recommend the necessary action for the patient.  On the other hand, if all this data is accessed by a third party with wrong intentions, it can be manipulated and misused. Over the years, we have seen cybercriminals’ intentions evolving from just “having fun” to gaining profits. Big profits.

For me as a common Indian security scenario in automobiles and machines handling money (ATMs, payment kiosks, POS terminals) sounds scarier than an alleged coffeemaker scenario. Car manufacturers have already anticipated smart vehicles that can communicate with each other and exchange data on the go. This is revolutionary looking at the benefits of such a technology.

Imagine a smart car collecting traffic data for your route from oncoming cars to understand the ETA for you and recommending an alternate route if necessary. Or this: according to multiple studies, 60 percent of car collisions can be avoided using GPS time and positioning with a half second warning and 90 percent collisions could be avoided with a full second’s warning these cars will also be capable to assess the health of different car components, send the data to a server on the cloud and then recommend necessary action for the car owner or even fix certain faulty components by itself.

However, this data can be manipulated if an untrusted third party gains access to it and, your car’s GPS time and positioning data can be compromised without your knowledge to send you wrong information and warning signs which could end up in a collision. In a different scenario, the components in the automobile that are healthy can be accessed and manipulated.

We live in a world full of security vulnerabilities, with humans being the biggest security vulnerability. A famous quote from Dennis Huges of the FBI goes: “the only secure computer (device) is one that’s unplugged, locked in a safe and buried 20 feet under the ground in a secret location”. With multiple devices we own communicate with each other by exchanging data, we become even more vulnerable. As for bad guys in cyber world, they are going to explore more opportunities to access our data in order to obtain some financial gains. Whether getting access to a coffeemaker or baby monitor or home security camera is more or less difficult than gaining access to a PC’s operating system we will come to know as soon as some reliable statistics on IoT breaches becomes available.

The deployment of IoT is still a bog question despite Indian government has already drafted a “Policy on Internet of Things” that aims at creating IoT ecosystem in the country to “leverage India’s strength as a leader in the global service industry through suitable promotion and supportive mechanisms”, despite IoT start-ups mushrooming in the country (some of them are quite promising at least from a consumer perspective). The adoption of IoT at the enterprise level has not reached the point where we could talk about securing the new type of infrastructure in India.

As I have previously mentioned – people are still the biggest security vulnerability, therefore educating people about security in general, about data security and privacy should be the priority in our country. People are and probably will remain the weakest link in the security chain, the most vulnerable access point, no matter whether we are talking about personal or enterprise security.  In India and globally companies, invest billions of dollars in setting up security infrastructure and more recently drafting security policies. The latter do not necessarily reach the very basic level – the people, employers.  Security experts often joke that people not understanding the technology and necessary safety measures are the biggest security nightmare ever!

Nevertheless, as our feedback from the enterprise sector suggests that some Indian organizations are already implementing IoT, here are some necessary security outlooks that need to be considered to avoid the kind of security risks IoT pose. The Internet of Things is all about users and vendors, users need to be constantly updated always about the latest security threats to their own devices. At the same time, businesses need to guarantee that connected things are not exploited via maliciously modified applications and confidential information is encrypted making it difficult or not at all possible for third parties cto access this information in order to change or steal it.

Zakir Rangwala, country head at ESS Distribution