What is the current state of Internet of Things security? Such a seemingly simple question is tricky to answer given the fluidity of the term and the number of industries IoT touches. But the uncertainty that question evokes mirrors topics many organizations are grappling with as they deploy ever more connected devices. Already, many are struggling to keep track of all of the IoT devices surrounding them — whether it’s an internet-connected robot on the shop floor, a connected medical device in a clinic or a smart TV in a boardroom. Meanwhile, traditional IT-based strategies to secure IoT deployments in many cases fall flat, as Gartner has noted.
While critics dismiss security as the thorn in IoT’s side, the level of awareness of the scope of the problem is steadily improving — as it did with cloud security. At present, virtually all companies make at least some use of cloud computing. The widespread adoption indicates that the security concerns that slowed cloud adoption in the beginning have largely faded as cloud security has matured.
While many early Internet of Things security efforts have faltered as a result of lack of awareness or fragmented cybersecurity strategies, a more holistic approach is emerging. To learn more about Internet of Things security, which often spans from the edge to the cloud, we spoke to Jo Peterson, vice president of cloud services at Clarify360, a digital enterprise consulting firm, who will be taking up the subject at the IoT Security Summit 2018 in October.
Can you tell me about your role and how Internet of Things security factors into it?
As the vice president of cloud services, I’m responsible for defining and executing the cloud strategy for Clarify360. Working closely with our leadership team and our enterprise clients, our consultancy acts as a sourcing bridge in the cloud computing and edge computing space. Our goal is to help clients address, plan for and procure their growing organizational demands for cloud and edge computing services as well as security products related to those services.
Can you share a project you are currently working on involving Internet of Things security?
Our firm works with a technologically advanced global contract research organization that serves pharmaceutical and biotech companies looking to outsource their clinical trials process. They were early adopters of IoT, primarily because they believed IoT devices could eliminate several common clinical research problems. The goal of the team was to collect patient data in between medical visits to give their clients greater insight into the effects of the treatment being studied. In addition, collecting the data automatically would alert researchers to a potential problem, whether it involves a patient safety or noncompliance matter, before it affects the rest of the study. Security is a front-burner concern with any type of connected device, particularly when personal health information is being transmitted. We looked at every aspect of the project through the lens of security and worked with the client to bring solutions to the table which would create an Internet of Things security framework that included:
- Authentication of medical devices connected to the cloud.
- Protection of data to meet strict HIPAA and HITECH regulations.
- Reduction of patient data exposure on devices via applications and in the cloud.
- Sharing patient data securely across trusted stakeholders.
What do you think about using blockchain for security?
It makes sense. An IoT network works off a centralized authority model. IoT devices don’t inherently make security decisions outside of this central authority. This means that when a single node is infected, it can often affect the rest of the network. Based on a blockchain-based model, IoT devices on a network won’t be able to be compromised after a single node is successfully attacked. A hacker would need to take over the majority of the network to gain any significant traction.
What needs to be considered when implementing blockchain for device authentication?
Security in IoT has to be implemented at various layers: the supply chain, the chip, operating software, software, device, network and the system level. Using blockchain implementation to store data that has been secured with physical unclonable functions (PUFs), derived keys and attributes provides an assurance that data has not been tampered with, in addition to providing traceability and transparent auditing capabilities. Consider your roadmap in advance. Decide if you’ll deploy blockchain in unpermissioned areas (public), consortium areas (partially unpermissioned) and permissioned areas (private).
How do you manage the problem of having a variety of different devices and standards?
IoT is an evolving technology. There really is a need to develop a multifaceted technology approach to IoT security, management, and privacy. We’re starting to see that happen quickly.
As someone with extensive knowledge and experience with IoT security, do you have any advice for companies who want to secure their networks?
The way to think about IoT security is really no different than the best practices put in place with a primary network. The attention and intention attributed needs to be the same.
- When feasible, update all passwords and use multi-factor authentication.
- Avoid hard-coded passwords.
- Closely govern permissions for devices.
- Consistently update privacy policies for controlling apps and backend services.
- Turn off any functionality that’s not needed.
- Enable encryption whenever possible.
- Update firmware and software.
- Remove devices when they are no longer updatable or secure.
Who are you most looking forward to meeting at IoT Security Summit 2018?
Honestly, there are so many interesting sessions it's hard to pick just one speaker. Really looking forward to Abhi Dugar’s talk: Blockchain for Internet of Things Security.
Jo Peterson will take the stage at IoT Security Summit at the Fairmont Dallas from 15–17 October 2018.