What do babycams, onboard vehicle control systems, and electrical power grids have in common? The answer is that each of these types of Internet of Things device or system has been hacked. Sometimes the hacking was ethical, as when security researchers showed how they could remotely interfere with a Jeep's brake and engine systems. Sometimes the hacking was designed to break the system, as in the infection of electricity substations run by the city of Kiev, capital of Ukraine. In a third type of attack, IoT devices were infected and recruited by hackers to launch a distributed denial of service (DDoS) attack on Dyn, a company that controls a large part of the internet’s domain name system (DNS) infrastructure. Indirectly, Dyn’s major corporate customers such as Twitter and Netflix were also impacted.
A Fundamental Lack of Data Security Thinking
The biggest data security issue for IoT devices is that security is not part of their design. Industrial devices installed years or even decades ago and now being connected to the web come from an era when industrial networks existed in glorious isolation and security was not even an issue. The small size and limited processing power of other devices now available, whether to enterprises or consumers, limit their ability to handle encryption or other data security functions.
Some devices are designed to be disposable, such as RFID tags on inventory, microprocessors manufactured into packing cartons, and certain medical products. Updates may be difficult or impossible, and such devices may also simply be thrown away if they fail. However, that does not guarantee that any data, personal or business, that they have already gathered will be secure or protected against third-party snooping.
The Big Data Security Differences Between IT and OT
Business IT departments must understand that there are fundamental differences between the way they approach data security for business systems and the way it works in the world of industrial IT, or operational technology (OT). Business IT managers are used to relatively short product life cycles, for example 2 to 3 years for PCs. Vendors of business IT systems provide upgrades and patches to address security issues, and IT teams are expected to apply these corrections as soon as possible. Most business IT machines offer security functions and management visibility, allowing IT engineers to look inside and test the system.
OT differs from business IT in all these points. Industrial infrastructure is designed to last for decades. Controllers, sensors, and actuators run with precise timing that could be upset by introducing additional management functions and loads. Downtime often has huge costs, making it economically undesirable to take machines offline to upgrade their software or firmware.
No IoT Device Left Behind?
IoT data security is best handled at the design stage of products, rather than bolted on as an afterthought. Emerging IoT communications and data security standards may help IoT product designers to build data protection and privacy in from the start. For current offerings, IT teams and end-users will need to examine IoT connected products to see what data security is provided with them, and take that into account when making their choice.
Industrial networks may also allow overlay network protection, in the form of a software-defined network (SDN), for instance. Instead of trying to add security to each device individually, which is risky at best, an SDN allows all such devices to be placed on different network segments behind firewalls and intrusion prevention/detection systems (IPS/IDS). In this “divide and conquer” approach, data security for each individual device can be ensured, while the overlay network and compatible security systems enable visibility and manageability overall.
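The segmentation approach described above, as an added example that is not part of the original article: a default-deny policy between device segments, with a small checker that flags the cross-segment flows a firewall or IDS on the overlay should block or alert on. Segment names, addresses, ports and flow records are all constructed for illustration.

```python
# Added example (not from the article): per-segment default-deny policy for an IoT/OT
# overlay network. Segment names, addresses, ports and flow records are constructed.
import ipaddress
from dataclasses import dataclass

SEGMENTS = {  # each class of device sits in its own segment behind the firewall/IDS
    "plc": ipaddress.ip_network("10.10.1.0/24"),        # controllers, sensors, actuators
    "cameras": ipaddress.ip_network("10.10.2.0/24"),    # consumer-grade IoT
    "historian": ipaddress.ip_network("10.20.1.0/24"),  # OT data collection
    "corp": ipaddress.ip_network("10.30.0.0/16"),       # business IT
}

# Default deny between segments; only these (src, dst, proto, dport) flows are allowed
ALLOW = {
    ("historian", "plc", "tcp", 502),   # Modbus/TCP polling from the historian only
    ("corp", "historian", "tcp", 443),  # business IT reads reports over HTTPS
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def segment_of(addr):
    """Name of the segment containing addr, or None if it is outside every segment."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def verdict(flow):
    """'allow' for intra-segment or explicitly permitted traffic, otherwise 'deny'."""
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    if src is None or dst is None:
        return "deny"                    # unknown address: fail closed
    if src == dst:
        return "allow"                   # traffic that never leaves its segment
    return "allow" if (src, dst, flow.proto, flow.dport) in ALLOW else "deny"

# Constructed flow records, as the firewall or IDS on the overlay would see them
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "10.10.1.20", "tcp", 502),  # historian polls a PLC: allowed
    Flow("10.10.2.7", "10.10.1.20", "tcp", 502),  # camera reaching into the PLC segment: denied
    Flow("10.30.4.9", "10.10.1.20", "tcp", 502),  # workstation talking Modbus directly: denied
    Flow("10.10.2.7", "10.10.2.8", "tcp", 80),    # camera to camera, same segment: allowed
]

def violations(flows):
    return [f for f in flows if verdict(f) == "deny"]  # what the IDS should alert on
```

The same policy table can be rendered into real firewall rules per segment; the point is that each device class gets one explicit allow-list at the network layer, regardless of what the device itself can do.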