The word “IoT” (Internet of Things) has been a buzz word for several years now. It has become the era when more home electronics and cars are connected to the Internet, and many businesses see great opportunities here. At the same time, as you may already know, people have started asking whether those devices and cars are safe from online threats.
Eugene Kaspersky rephrased IoT as “Internet of Threats” in his interview by USA TODAY. It corresponds with the comments by Edith Ramirez, the Chair Woman of Federal Trade Commission at CES 2015 in Las Vegas. Truly, the thing has no way out from a cyber security aspect. No one has ever found the best solution to answer this BIG security issue, just like other typical cyber security issues we are facing now.
In actuality, IoT has been recognized as a “New Market” with its huge potential. According to this article in FORBES, Cisco stated its economic value would increase to $19 trillion by 2020, calling it “Internet of Everything.” Gartner estimates that IoT product/service suppliers will reach $300 billion revenue by 2020. IDC forecasts the market of IoT solutions will be expanded from $1.9 trillion in 2013 to $7.1 trillion in 2020, making it 3.7 times larger.
Gadgets which record personal biometric, health, and location information — such as globally-trending wearable devices — are also in the category of IoT. However, in terms of the degree, the risk they pose is not overwhelming.
Such devices are personal, but they are not consisting infrastructures for our lives and societies. In other words, you may effectively reduce the risk of data leakage on your own by stopping using a wearable device or a cloud service while you are working out. It’s totally up to you.
— Tom Gillis (@_TomGillis) March 6, 2015
On the other hand, real IoT mostly consists of systems or services traditionally called “M2M” (Machine to Machine). Those are the ones closely integrated (or expected to be integrated) with environmental/social infrastructure, thus cybersecurity is as highly critical as the critical infrastructure in question is.
For example, some of you might have heard about smart grids or microgrids. These are systems that manage the regional power consumption by balancing the electric power consumption at home and the electric power generation by wind/solar energy, or gas cogeneration systems. Smart meters are set to each home for this monitoring purpose. It is reported that Tokyo Electric Power Company has already installed thousands of smart meters. It would be possible to say that this is the very first step for deployment of a smart grid in the near future.
What can a cybercriminal do by abusing the mechanism? They could, for example, reduce or increase payment by giving wrong data of power consumption and/or generation to a smart meter.
It’s not hard to discover other possible scenarios of attacks on critical infrastructure. By taking over traffic control systems, one can panic traffic, intentionally trigger a car accident, or even disrupt public transportation systems. Those might affect our daily lives and economy as well.
There used to be some list of service-disruptions causes, including a bug/disorder in a software/system or a natural disaster. Now, we have added cyberattack on the list.
How to deal with #IoT and #sybersecurity of critical infrastructureTweet
We need to learn from incidents, then implement much safer mechanisms to IoT systems that operated as parts of social/life infrastructures. To be more precise, operators and developers of IoT systems should ask the following questions to themselves:
1. Do I prioritize ease of use rather than security?
It is important to decrease usability for attackers in order to increase system security. Ease of use for users means the same to attackers. Last year, it was reported that webcams used with default setting had posed a privacy violation. The incident tells us that device makers should keep security in mind. Please don’t forget to encrypt data and communication.
2. Do I believe that “read-only” systems are secure?
They are not secure. Applications are running in the memory regardless, so an attacker can find the way of intrusion. Networking devices are usually developed with Linux OS, and it is known that Linux OS has a lot of exploitable vulnerabilities. Once an attacker can hold control of the device, he can hack into the entire IoT system.
3. Do I believe that my devices will never be hijacked?
Any device is able to be hijacked. So, it’s highly important to monitor the health of the entire system, including connected nodes. It is also important to have any measure to detect anomalies with every node. Remember how Stuxnet penetrated into the Iranian facilities which should have been well-protected?
4. Did I cut testing cost?
Penetration tests are very important. Tests should be carefully organized in accordance with your system’s security requirements. It is strongly recommended to implement these tests in your normal development process.
5. Do I believe that security is not a requirement?
Security is one of the crucial requirements. Let’s think about it from the very start of planning/developing your system or service. Without sufficient security measures in place, IoT cannot be a part of secure life/social infrastructures.
If one’s answer for any of these questions is positive, it may become a really big problem not only for the man or company itself, but also for lots of other people.