The Internet of Things (IoT) represents an unusual period in technology history. Most people assume that the functionality of IoT is similar to the traditional internet, which leads to a similar assumption around IoT security. By understanding the true nature of IoT and rethinking the approach to security, firms can mitigate a variety of threats. A secure foundation can be built through implementation of comprehensive security measures before a single device is activated.
With IoT, the technology does not adhere to traditional security patterns or even operate on a level playing field. While the underlying network is relatively easy to secure (like the internet), smart devices and sensors create an ecosystem that is complex, widespread, and often embedded for years, as with underwater seabed monitoring or smart highways. IoT deployments face a grave threat, one that rarely interferes with cloud and internet operations: infiltration before any device is activated. Hackers can infiltrate IoT-enabled devices (or even a single device) at any stage of development and deployment. A disgruntled worker could sabotage devices during design or manufacturing. Criminals could steal a device shipment, reprogram the devices, and return them to their journey. A hacker could fake a device malfunction in an existing system, alter the device software and then bring the device back online, and security personnel would simply assume it was a minor glitch.
Security is key to successful IoT deployment; therefore, it needs to be embedded in the core project architecture at the conceptualisation stage. Start by taking simple precautions and then scale up to a multi-tier security system that protects from within and without. Many devices incorporate a subscriber identity module (SIM) to transmit data via a cellular network, rather than Wi-Fi or Bluetooth. IoT providers must ensure that only authorised personnel can change device configurations, and that requires an IoT-specific SIM card from the factory.
Understand the entirety of what your offering consists of and all the potential risk points. Control as much of your ecosystem as possible, using up-to-date best practices for your specific deployment. Finally, implement automatic and human-directed processes to detect and resolve issues quickly, efficiently, and reliably.
Whitelisting involves very granular control over device and system access to achieve a closed ecosystem where only authorised personnel are allowed to participate. Whitelisting ensures predefined rules are always followed, even when new components or nodes are added. Traffic segregation is an added layer of security if whitelisting fails. It ensures that no device on the network can instantly communicate with any other device without being whitelisted. In this way, a single hacked unit is prevented from infecting an entire ecosystem. Knowledge and preparedness are key determinants of how successful any IoT security implementation will be, even when facing the unknown.
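A minimal sketch of the two layers described above, added here as an illustration and not taken from the article or any vendor's product: a default-deny allowlist of device-to-device flows, backed by a segment check that still blocks a flow when the allowlist itself contains a mistake. All device names, segments and rules are constructed for the example.

```python
# Constructed inventory: device id -> network segment it is placed in.
DEVICES = {
    "sensor-01": "field",
    "sensor-02": "field",
    "gateway-a": "uplink",
    "pump-ctl-9": "control",
}

# Layer 1: explicit (source, destination) flows. Anything absent is denied.
# The last entry is a deliberate misconfiguration for the demonstration.
ALLOWLIST = {
    ("sensor-01", "gateway-a"),
    ("sensor-02", "gateway-a"),
    ("sensor-01", "pump-ctl-9"),
}

# Layer 2: which segments may talk to which, independent of the allowlist.
SEGMENT_ROUTES = {("field", "uplink")}


def decide(src_id, dst_id):
    """Return (allowed, reason) for one flow; every path defaults to deny."""
    src_seg, dst_seg = DEVICES.get(src_id), DEVICES.get(dst_id)
    if src_seg is None or dst_seg is None:
        # A newly attached node has no rules yet, so it can reach nothing.
        return (False, "unknown device")
    if (src_id, dst_id) not in ALLOWLIST:
        return (False, "not allowlisted")
    if (src_seg, dst_seg) not in SEGMENT_ROUTES:
        # Segregation catches the flow even though the allowlist permits it.
        return (False, "segment boundary")
    return (True, "allowed")


def reachable_from(src_id):
    """Devices a single compromised unit could still talk to."""
    return sorted(d for d in DEVICES if d != src_id and decide(src_id, d)[0])


if __name__ == "__main__":
    for flow in [("sensor-01", "gateway-a"), ("sensor-01", "sensor-02"),
                 ("sensor-99", "gateway-a"), ("sensor-01", "pump-ctl-9")]:
        print(flow, decide(*flow))
    print("reach of sensor-01:", reachable_from("sensor-01"))
```

In a real deployment these two checks would be enforced by separate mechanisms, so a mistake in one policy does not also defeat the other.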
The writer is president, Aeris India. He is also chairperson of The Institution of Engineering and Technology – IoT panel for India.