The rapid advancements in the number and adoption of IoT devices bring with them increasing convenience in our everyday lives. At present, every UK home owns at least ten IoT devices, and this is expected to grow to 15 per household by 2020. Further, with an estimated 2.3 billion connected devices powering our smart cities, the power of IoT is revolutionising the world around us, with the potential to have an annual economic impact from US$3.9trn to $11.1trn worldwide by 2025, according to The McKinsey Global Institute.
However, as the development of IoT devices continues to accelerate, and we continue to adopt IoT into our smart homes, smart offices and smart cities, we must place data security at the core of device design. Over the past year, we have seen many IoT-borne attacks and breaches make headlines. At the start of June, 700,000 routers worldwide were classified as vulnerable to the VPNFilter malware, which is designed to inject malicious payloads into web traffic and collect users’ passwords and sensitive information. Similarly, a North American casino recently learnt that even an innocent-looking internet-connected device, such as a fish tank, can cause tremendous damage if it is not properly secured. By hacking the tank’s PC-connected sensors that were used to regulate food, temperature and cleanliness, cybercriminals acquired 10GB of sensitive data from the casino’s network.
Secure by design
As internet-connected devices continue to power key infrastructure in smart cities around the world, the need to secure devices and our data is critical. As IoT networks expand across cities, so does a range of vulnerabilities which can be exploited by cybercriminals. Whilst smart cities are designed to provide ultimate productivity and efficiency for citizens, the risks can be serious if cybersecurity is neglected. With possible threats including identity theft, ransomware attacks on smart buildings and sabotage attacks on critical infrastructure, such as power grids, water supply and traffic control, systems need to be secured at every possible layer.
We believe that security should fundamentally be incorporated during the design phase, from deep chip level right through to the cloud, using well-researched cryptographic building blocks and applying secure software development practices. In other words, security should be treated as a primary design parameter. Any system should be able to quickly detect any inconsistencies and threats before they have any opportunity to cause significant damage. Once an attack is detected, the system should immediately be able to isolate infected devices to contain the attack, and fix the vulnerability by patching affected devices.
Regulations to ensure security
Whilst IoT devices should ultimately be secure by design, there is also a need for some level of regulation to help ensure that IoT device manufacturers face repercussions if they compromise on security to save money. Most IoT device makers do want to provide their customers with secure products, but the battle between security and profitability means that compromises are often made.
The biggest challenge that the industry faces today is defining a standard level of security for manufacturers to adhere to, due to the varied and fragmented nature of the IoT market. We believe that best practice is to provide a simple, cost-effective solution for the IoT industry, which can then be backed by regulation.
The future of IoT
Despite its challenges, the future of IoT is bright, and governments around the globe are recognising and supporting this. Earlier this year, the UK government introduced a five-year £1.9bn security initiative – the Secure by Design review – to better secure IoT devices around the country. It is fantastic to see that the review has been developed in collaboration with device manufacturers, retailers and the National Cyber Security Centre to address the number of glaring vulnerabilities in smart devices.
By providing established guidelines to address the challenges that the IoT industry faces, and ensuring security is embedded from the start of the design process, IoT manufacturers, customers and retailers will be able to reap the benefits of better connected, smarter and more protected devices.
Asaf Ashkenazi, previously Vice President of IoT Security Products at Rambus, is a cybersecurity expert with over 15 years’ experience in the field.