Security of the Internet of Things (IoT) has been the hot press topic in recent times. It’s if that we the collective users and technologists had the epiphany and mass realization that our “things” are not necessarily secure.
IoT is a broad collection, from a device and hardware perspective it is a collection including everything from the homeowners NEST thermostat, to the control systems used in industry, from the lowly NodeMCU to large control systems like Honeywell’s Experion® Process Knowledge System (PKS) or Allen Bradley systems. IoT is also a collection of data, stored locally and in the cloud, concatenation of the data collected from individuals or corporate systems all with the intent of providing relative, accurate data for decision making. Therein lays the real issue, securing IoT devices and data is not and in the foreseeable future will not be a one size fits all model. Good news…. It need not be!
Meetings and groups and consortiums will over time develop agreed upon standards on security and interoperability all with direction towards a panacea which we know will be part of an ongoing war between the user community and the nefarious (defined as unethical) hackers who we all feel could better spend their time productively within our community. These efforts will be ongoing, in a fledgling industry (not really but the buzz indicates so) there will be many interim steps as well as many publicized events of breaches.
Knowing the vulnerabilities and wide net that IoT has and will encompass lets us categorize and address security issues in a logical manner beginning with the cliché low hanging fruit, working towards the nirvana of encapsulated secure interaction of devices and controlled accessibility to collected data.
From that wide net view of IoT we have to secure the following elements, each which will need to be addressed in both separate and combined fashion as elements become part of larger and growing systems and networks of collected data and useful output.
Sensors – the simplest core units may not need any special attention, for instance the 2N3906 transistor used as a temperature reading device has no individual method or need for securing its data, however the system to which it is connected, Arduino, Raspberry Pi, or an Edge server with 1000’s of connected sensors will need to be addressed and addressed at many levels. Data collection devices – this includes smart phones, the microcontroller, microcomputers including those mentioned previously to large specialized devices that are both storage and network enabled passing data to larger repositories
User Devices – from smart phones, dedicated displays, tablets, laptops to most any computing device as a point of entry. These devices are the portals to entry, the link to the network. We all know the ongoing issues with phone security as well as the security of devices when left to the induvial user (not accounting here for corporate policies) With more sensors and data collection, remnants of that data is left behind in memory and files all with varying degrees of sensitivity and
Network – including Ethernet, Wifi, Bluetooth, xbee, zigbee and a plethora of developing low voltage – long distance protocols and hardware. Each of these presents it’s own unique vulnerability and course of action. The network arena with various IPSEC strategies and specialists is well known well addressed and constantly on alert. There will certainly be ongoing work and the continuing war between the white and black hats, but we are not starting from a position of ignorance here.
Storage – public storage, in that last media darling buzz word, cloud and cloud storage, past the network component challenges of secure backup, archival, physical and network security rolled into one. We all assume cloud datacenters to be secure, but those assumptions often are where we experience learning in the future. Current issues surrounding the integrity, backup, replication and longevity (archival) are ongoing, addressable and preparatory for the future growth and onslaught of data.
Reporting – tools and people using the collected data, this is where the real useful nature of IoT lays, taking all of that collected data and developing the trends, truths and evidence to assist personkind with improving life , business and condition. The integrity, accuracy and controlled accessibility of both people and connected tools are the primary concerns. It can be viewed as we view HIPAA, who should have access and are there specific privacy concerns of this aggregated data. We have many frameworks for datasets that can be applied to reporting and the eyes which view the reports, now is the time to segregate and apply the appropriate measure.
Consumer devices are combining and crossing the elemental lines described above from smart home devices, smart TV and phones to the explosion within the makerspace community and the popularity of cheap microcomputers and controllers, all of which in similar fashion to the user devices above leave security in the hands of the end user. Which creates a range of user applied security, from those who take it seriously, know the latest vulnerabilities diligently addressing and patching, to those who never change the default password. Education and training, along with some harshly learned lessons are all that can be systemically addressed at the individual level.
Our data must be considered in similar vein to small children, never leave it unattended, watch it carefully and be a diligent caretaker / caregiver.
We will long be hearing about security issues with the IoT and IIoT ( industrial internet of things) , there will be events , there will be news and there will be times of panic. Vast is the foreseeable landscape of profit, benefit and knowledge, we will together forge ahead, knowing those people and the issues they create, we will be both proactive and sometimes reactive. Nothing about data security is easy, the effort is active and underway on many fronts, IoT and all it contains has a bright future as long as we continue the work and the hard work of staying a step ahead.