Internet of Things: Complexity breeds risk

Suits The C-Suite
By Carlo Kristle G. Dimarucut

Posted on May 29, 2017

Technological developments in the past few years have resulted in massive leaps in work, communications and connectivity. There has been an incredible proliferation of personal devices; the size and cost of wireless technology has dropped tremendously; IPv6 makes it possible to assign a communications address to billions of devices; electronics companies are building Wi-Fi and cellular wireless connectivity into a wide range of devices; mobile data coverage has improved significantly with many networks offering broadband speeds; battery technology has improved significantly; and solar recharging has been built into numerous devices.

According to a recent EY (Ernst & Young) study, Cybersecurity and the Internet of Things, it is estimated that the number of connected devices globally will exceed 50 billion by 2020. However, with more and more devices connecting to the internet for storage and communications, a large new surface for security vulnerabilities will be available for unsavory individuals to take advantage of, representing major risks for consumers and businesses.

The Internet of Things or IoT takes the form of devices with sensors, analytics, and visualization tools that can be accessed from anywhere. IoT has the potential to enable and touch every aspect of our daily lives.

The actual commercial implementation of IoT is increasing. In the retail and merchandising sector, for example, current implementation includes warehouse automation and robotics, where fulfillment is driven by online and in-store customer demand. Smart shelves in stores can detect when inventory is low or when perishables are close to expiration. Inventory is replenished based on real-time analytics and forecast trends. The same applies to other industries as well. Power distribution companies utilize smart infrastructure, allowing them to remotely administer distribution devices, better match load demand with supply, and give customers real-time and granular energy consumption data.

Again, though, we should keep in mind that transitioning to these new applications for technology poses significant cybersecurity threats if not managed properly.

Cybersecurity is a business-wide issue and not just a technology risk. Technological integration and collaboration driven by opportunities offered by IoT will continue to increase in complexity -- this complexity breeds risk. The risk landscape of IoT is becoming increasingly opaque, with potential threats that are often completely unexpected and unforeseen.

As consumers, we should understand that the majority of IoT devices are amalgamations of old technologies that have been given new functions and communication channels. This means that these technologies, many of which use stripped-down versions of known operating systems with new interfaces, may contain old vulnerabilities. For example, it is likely that the Wi-Fi CCTV you bought is running on an old version of Linux; or, that head unit with GPS installed in your car is running a stripped-down version of Windows XP that may be unlicensed.

We should ask ourselves before buying into these technologies: Can we really address the security needs of these devices, given how they can potentially drill holes in our personal and corporate network security?

Any IoT device can allow access to your personal or an organization’s network just like any computer. Exacerbating the situation is the fact that almost no one has access to the operating system layer of their Wi-Fi CCTV. If the device has been compromised, it stays compromised until the day it is replaced. This gives a malicious attacker the perfect platform for keeping a foothold in your network.

Additionally, it is not unusual to find hidden accounts and default passwords that have been set by the manufacturer to remotely update these devices. In fact, this class of vulnerability accounted for a majority of the issues that were highly publicized during 2016. To make matters worse, IoT device manufacturers are sometimes slow to respond. For example, for critical vulnerabilities discovered by Cisco in Trane Comfortlink thermostats, it took a little under two years for the initial patch to be released.

Smart devices have the potential to hold information, from the mundane to the very confidential. This information can range from one’s diet plans to one’s current location. IoT devices will contain details on one’s personal life, often including banking details, e-mail passwords and other sensitive data. While the intent of an IoT device to gather data in real time is brilliant from an analytics perspective, a user may not be comfortable sharing that information with a third party. For example, your Wi-Fi CCTV may be just pointing at your front yard, but it is also sending the images to a server in another country in order for you to be able to view a streaming video on your smart phone. Not everyone might be comfortable with that.

Add to this the data from billions of devices, and there will be plenty of opportunities for analytics organizations. These analytical frameworks will be able to quantify the business environment around the users but, at the same time, the monetization of this data can lead to privacy issues.

The question is: Do we feel comfortable sharing our data with people who are invisible to us? Doesn’t it feel like a breach of our privacy?

Not everyone agrees on how to specifically address the risks posed by IoT in the home and in the enterprise. However, there are a few facts that people agree on.

First, not all organizations have the capability to fully test IoT devices. The onus is on the manufacturer to keep them secure. With devices having highly customized firmware, updates are difficult and often tied to the firmware. Therefore, service level agreements on security patching have to undergo strict scrutiny before committing your organization to these devices. If the manufacturer abandons you, you have lost your investment.

Second, this also means that there is a need to treat IoT devices the same way we treat personal devices in the enterprise: with caution and away from corporate networks. Deployment of IoT devices necessitates that they be segmented from the corporate network.

Additionally, manufacturers need to talk about implementing security by design in all IoT devices, as well as the creation of security standards against which we can measure IoT devices.

The key to developing a sound security strategy on IoT is understanding that attacks can never be fully prevented. Companies should advance their cyber threat detection capabilities sufficiently so that they can respond appropriately and proactively. The reality is that it is not a question of “if” but “when” and “how deep?”
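As an added illustration of the segmentation and detection advice above (example code, not from the article, EY or SGV & Co.), the script below polices constructed flow records from a hypothetical IoT segment: any connection from an IoT device into the corporate range, or to a destination the vendor has not declared, is flagged for the security team. The address ranges, the allowed destinations and the sample flows are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical address plan (not from the article): IoT devices live on their
# own segment; workstations and servers live on a separate corporate range.
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
CORPORATE = ipaddress.ip_network("10.10.0.0/16")

# Assumed exceptions an IoT device may reach beyond its own segment: a resolver
# the organization exposes to the IoT segment, and one vendor cloud/update server.
ALLOWED_EGRESS = {
    "10.10.0.53": {53},
    "203.0.113.10": {443},
}


def classify_flow(src, dst, dport):
    """Classify one flow record; only flows originating from the IoT segment are policed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_SEGMENT:
        return "ignore"
    if dport in ALLOWED_EGRESS.get(str(d), set()):
        return "allow:egress"
    if d in CORPORATE:
        return "alert:lateral"            # camera/thermostat reaching into corporate hosts
    if d in IOT_SEGMENT:
        return "allow:local"
    return "alert:unexpected-egress"      # a destination the vendor never declared


def audit(flow_lines):
    """Parse 'src dst dport' records and collect alerts per IoT device address."""
    findings = defaultdict(list)
    for line in flow_lines:
        src, dst, dport = line.split()
        verdict = classify_flow(src, dst, int(dport))
        if verdict.startswith("alert"):
            findings[src].append((verdict, dst, int(dport)))
    return dict(findings)


# Constructed sample flows: a Wi-Fi camera behaving normally, then touching a
# file server on the corporate range and talking to an undeclared external host.
SAMPLE_FLOWS = [
    "10.50.0.23 203.0.113.10 443",
    "10.50.0.23 10.10.0.53 53",
    "10.50.0.23 10.50.0.40 554",
    "10.50.0.23 10.10.4.7 445",
    "10.50.0.23 198.51.100.9 443",
    "10.10.1.15 10.50.0.23 80",
]
```

Fed with real flow records from the gateway that sits between the IoT segment and the rest of the network, the same two rules give an early signal that a device has been turned into the foothold the article warns about.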

Learning how to stay ahead in this new IoT landscape is challenging and takes time, but the benefits for the organization are considerable -- a sufficiently prepared organization will be able to exploit the opportunities offered by the digital world, while minimizing exposure to risks and the cost of dealing with threats.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of EY or SGV & Co.

Carlo Kristle G. Dimarucut is an Advisory Senior Director of SGV & Co.