FEATURE

The security issues of

the Internet of Things
Colin Tankard, Digital Pathways
Colin Tankard
The Internet of Things (IoT) was first envisaged in the last century, but interest has
picked up in the past 15 years or so. It is a vision whereby potentially billions of
‘things’ – such as smart devices and sensors – are interconnected using machine-to- easier and remotely activated cameras
machine technology enabled by Internet or other IP-based connectivity. and other networked security equipment
will help to improve physical security.
A recent study by the McKinsey Global implemented as operations management Other benefits are higher operational
Institute estimates that the IoT will have systems get connected to networks. The efficiency, more safety and comfort, and
a potential economic impact of $3.9tn- IoT holds much promise for the energy, lower cost of operation as systems pass
$11.1tn per year by 2025 across nine utilities, medical devices and transport data freely back and forth.
settings – homes, offices, factories, retail sectors, which will see the highest levels
environments, worksites, human health, of adoption in the near term, according “The IoT holds much promise
outside environments, cities and vehicles.1 to SANS, as well as smart buildings. for the energy, utilities, med-
Estimates vary widely regarding how ical devices and transport
many IoT devices will be connected, but Smart buildings sectors, which will see the
an often quoted statistic is from Cisco, highest levels of adoption
which estimates that 50 billion objects Smart buildings are those in which the in the near term”
and devices will be connected by 2020. various systems, such as lighting, heat-
ing, ventilation, air conditioning and The EU has identified further develop-
Potential benefits security, are connected. In terms of secu- ment of smart buildings as an impera-
rity, connected alarms, sensors and track- tive for achieving its goals of a proposed
There are many potential benefits from ing devices will make threat detection improvement in energy efficiency of 27%
embracing the IoT. Verizon estimates
that currently some 10% of organisa-
tions have adopted IoT extensively and
that, by 2025, those that do so will be
10% more profitable than those that do
not. They will be better empowered to
innovate, disrupting both established
players and new entrants, and will afford
their customers better experiences, see
accelerated growth and improved per-
formance, and will be able to improve
safety and reduce risk. For example, IoT
will enable new ways to protect inven-
tory, equipment and machinery, even in
remote locations or over large areas.
According to a recent survey by the
SANS Institute covering organisations of
all sizes, 66% of respondents are either
currently involved in or are planning to
implement IoT applications involving
consumer devices, such as smartphones,
smartwatches and other wearables. Smart
Figure 1: Nine settings identified by the McKinsey Global Institute and their global impact by 2025.
buildings systems are increasingly being

11
September 2015 Computer Fraud & Security
 FEATURE
by 2020, potentially 30% by 2030, under
the Energy Efficiency Directive set out in
June 2015. It states that new buildings
now use half of the energy that they did
in the 1980s owing to the use of new,
smart technologies.
The US is also focusing on this sector,
aiming to increase energy efficiency in
buildings as well as reduce energy costs.
It passed the Smart Building Acceleration
Act in May 2015, which it is hoped will
be a catalyst for increasing the transition to
smart building technology across the coun-
try, in both the public and private sectors.
Security issues
While the IoT holds much promise,
many security issues have been uncov-
ered. Owing to the wide range of sectors
involved and their impact on everyday
life, such security issues can have seri-
ous consequences, causing damage,
disruption to operations or, in some
scenarios, even loss of life. In a smart
building – where systems ranging from
HVAC (heating, ventilation and air
conditioning), lighting and door access
controls, to video surveillance and eleva-
tors, are all interconnected – a security
threat that is exploited to disrupt power
or lighting could cause loss of life if it
were something like a hospital. In office
buildings, a door access control that is
hacked could provide an intruder with
unauthorised access. Issues with IoT
devices are far from hypothetical: one
example of a threat is the Stuxnet worm,
which has been seen to be able to dis-
rupt industrial control systems, causing
extensive damage.
“A different stance needs
to be taken. Security needs
to be built into products by
design. It cannot be bolted
on afterwards”
A range of security risks have been uncov-
ered in the devices themselves that make up
the IoT. OWASP has identified the top 10
such issues involved with IoT devices:2
12
Computer Fraud & Security
Figure 2: Device-level IoT security vulnerabilities. Source: HP Fortify.
UÊ ˜ÃiVÕÀiÊÜiLʈ˜ÌiÀv>Vi°
UÊ ˜ÃÕvvˆVˆi˜ÌÊ>ÕÌ i˜ÌˆV>̈œ˜É>ÕÌ œÀˆÃ>̈œ˜°
UÊ ˜ÃiVÕÀiʘiÌܜÀŽÊÃiÀۈVið
UÊ >VŽÊœvÊÌÀ>˜Ã«œÀÌÊi˜VÀޫ̈œ˜°
UÊ *ÀˆÛ>VÞÊVœ˜ViÀ˜Ã°
UÊ ˜ÃiVÕÀiÊVœÕ`ʈ˜ÌiÀv>Vi°
UÊ ˜ÃiVÕÀiʓœLˆiʈ˜ÌiÀv>Vi°
UÊ ˜ÃÕvvˆVˆi˜ÌÊÃiVÕÀˆÌÞÊVœ˜vˆ}ÕÀ>LˆˆÌÞ°
UÊ ˜ÃiVÕÀiÊÜvÌÜ>ÀiÉvˆÀ“Ü>Ài°
UÊ *œœÀÊ« ÞÈV>ÊÃiVÕÀˆÌÞ°
This is echoed by recent research
undertaken by HP Fortify, the findings
of which are shown in Figure 2. Overall,
it found that 70% of the most com-
monly used IoT devices contain security
vulnerabilities and there are an average
of 25 security concerns per device.
Among the reasons for this is that
many IoT devices are not developed
with security in mind. Many contain
embedded software, often proprietary
firmware, which is problematic to patch
and upgrade, leading to vulnerability and
configuration management issues. Many
devices do not undergo any kind of secu-
rity review. According to SANS, just 52%
of IoT devices undergo security evalua-
tions or testing prior to production.
Solving the security
challenges
To solve the security challenges of IoT
devices, a different stance needs to be
taken. Security needs to be built into
products by design. It cannot be bolted
on afterwards. There are moves, such
as the position being taken by the US
Food and Drug Administration regard-
ing medical equipment, to encourage
manufacturers and facilities to ensure
that appropriate security safeguards are
built in from the start of the design
process, as well as to remain vigilant
regarding new risks and threats as
they are uncovered. This is especially
important since it has already been
demonstrated that implantable medical
devices such as pacemakers and defi-
brillators can be remotely hacked and
exploits such as changing dosage levels
of insulin pumps have been accom-
plished from a distance of up to 300
metres. As well as this, the University of
Michigan has shown that the majority
of hospital devices use Windows XP or
Windows 95 operating systems, which
are extremely vulnerable to computer
malware, and many monitoring systems
use open wifi connections that can be
hacked.
Building in security by design means
that controls need to be introduced at
the operating system level, should use
the device’s hardware security capabili-
ties and should extend right up through
the device stack to the applications it
deploys.
September 2015

In order to address security through-
out the device lifecycle, from the initial
design to the operational environment,
software vendor Wind River states that
there are five essential requirements:
1. Secure booting – the authenticity
and integrity of software on a device
should be verified via a digital signa-
ture attached to the software image
and verified by the device to ensure
that it has been authorised to run
on that device and that there are no
runtime threats or malicious exploits
present. Only then will it be allowed
to load.
2. Access control – mandatory or role-
based access controls should be built
into the operating system. If compro-
mise of any component is detected,
access to other parts of the system
should be minimised as much as pos-
sible. This will help to minimise the
effectiveness of any breach of secu-
rity.
3. Device authentication – a device
should authenticate itself at the
point at which it is plugged into the
network, prior to receiving or trans-
mitting data. Machine authentica-
tion only allows a device to access a
network based on credentials that are
stored in a secure storage area.
4. Firewalling and IPS – each device
needs to have a firewall or deep
packet inspection capability for
controlling traffic, but this requires
that protocols are needed to identify
malicious payloads hiding on non-IT
protocols. And these protocols need
to be industry-specific since – for
example, smart energy grids have
their own set of protocols governing
how devices talk to each other.
5. Updates and patches – the ability to
deliver software updates and patches
to thousands of devices in a way
that conserves limited bandwidth
and intermittent connectivity of
embedded devices, while ensuring
that there is no possibility of func-
tional safety being compromised, is
a necessity.
September 2015
Figure 3: Top controls currently in place for securing the IoT. Source: SANS Institute.
Essential steps
It is unlikely that security will become
an over-arching requirement in the
design process any time soon. There are
also standards that need to be developed
before this happens and it is also likely
that some form of regulation or specific
industry pressure will be required in
order to force manufacturers to place the
necessary emphasis on security.
Organisations should look to limit
what is allowed in the workplace, con-
sidering the risks versus the benefits, and
look at how systems are interconnected
and therefore how risks such as malware
infections can be spread.
“Systems will need to be
used to link physical and
network security together
to enable a total view of
incidents, enabling man-
agement to make decisions
regarding the threat posed”
Organisations also need to find a way
to enforce data protection policies on
all devices in use and to control what
data people can access. Identity and
access rights should be tightly managed
in order that all devices and connec-
tions are authenticated and authorised,
and controls should be placed on what
FEATURE
information can be viewed and how it
is communicated and stored. All data
held on devices or in transit should be
encrypted to safeguard it from unauthor-
ised access or loss. In terms of devices
that are lost or stolen, device manage-
ment tools that extend to remote data
wipe should be considered, especially
for consumer devices that are personally
owned.
For devices used for business opera-
tions, systems will need to be used
to link physical and network security
together to enable a total view of inci-
dents, enabling management to make
decisions regarding the threat posed and
how it can be controlled. This requires
that all IoT devices are managed the
same way as other equipment connected
to the Internet and the network. All
activity should be closely and continu-
ously monitored to look for anomalies
from normal baseline behaviour and
organisations should ensure that all
devices are correctly configured and are
operating properly.
Where anomalies are uncovered,
organisations need to have workflow and
escalation procedures in place so that
those in charge of security are alerted
promptly to any potentially serious secu-
rity threat or incident. This will help
greatly in the time taken, and therefore
cost, for remediating problems. It is
13
Computer Fraud & Security
 FEATURE

essential that all procedures and process-
es are documented, completed in a com-
pliant way and an audit trail is generated
to provide evidence of the effectiveness
of actions taken.
Figure 3 illustrates the controls that
organisations currently have in place for
controlling IoT devices in the workplace
according to the SANS Institute.
Remain vigilant
While it could be said that the IoT is still
in its infancy, IoT devices and increased
connectivity are being seen across a wide
range of sectors. Many will be familiar
with consumer-oriented smart, highly
connected devices and these are invad-
ing the workplace. Organisations are still
grappling with the BYOD phenomenon
that has an increasing array of person-
ally owned smartphones and tablets
being used for work purposes, creating
headaches for many in terms of manag-
ing them and controlling what sensitive
data can be accessed. Now this is being
extended to wearables such as smart-
watches and health and fitness monitor-
ing devices.
But the industrial IoT holds the great-
est promise, offering to improve produc-
tivity, ease safety issues and reduce opera-
tional costs in a wide range of scenarios
and industries.
Organisations would be well advised
to thoroughly research the risks
involved in each scenario in which IoT
devices are deployed and to communi-
cate with employees, partners and cus-
tomers about security and privacy risks,
especially, where sensitive data is at risk.
This should include both consumer
devices that they wish to purchase and
use to interact with corporate informa-
tion, as well as how devices used, for
example, in smart buildings should
be closely monitored and maintained.
One point of failure in a hyper-inter-
connected network can initiate a chain
of events that could have catastrophic
consequences.
The IoT appears to be an unstoppable
force and the rising tide of devices can-
not be turned back. Until security issues
are solved, organisations need to be
vigilant, ensuring that they weigh-up the
security risks against the benefits to be
gained, putting appropriate controls and
policies in place, and keeping a constant
eye over what is connected to their net-
works and how devices are performing.
About the author
Colin Tankard is managing director of data
security company Digital Pathways which
specialises in the design, implementation
and management of systems that ensure the
security of all data whether at rest within
the network, mobile device, in storage or
data in transit across public or private net-
works.
References
1. Manyika, J; Chui, M; Bisson, P;
Woetzel, J; Dobbs, R; Bughin, J;
Aharon, D. ‘Unlocking the potential
of the Internet of Things’. McKinsey
Global Institute, June 2015 Accessed
Aug 2015. www.mckinsey.com/
insights/business_technology/
the_Internet_of_things_the_value_
of_digitizing_the_physical_world.
2. ‘OWASP’ Internet of Things Top
10 Project’. OWASP. Accessed Aug
2015. www.owasp.org/index.php/
OWASP_Internet_of_Things_Top_
Ten_Project.

Big data – the future

of cyber-security or
its latest threat? Cath Everett

Cath Everett, freelance journalist

Everyone seems to be talking about big data lately. The much-vaunted ability
to analyse large diverse data sets very quickly really does appear to have become
the hottest of hot tech topics over the past few years. In fact, big data, despite
being such an over-used term, has even managed to worm its way into main-
stream public consciousness – mainly because of the insights it has been able to claiming that information security is big
afford by finding patterns in what often appears to be unrelated information. data’s killer app. But is there any truth in
such hyperbolic statements? And if so,
what is this future likely to look like? As
Killer app the computer press recently extolling the usual, views are mixed.
In an industry context, meanwhile, a technology’s virtues and dubbing it the According to Peter Wood, chief execu-
raft of glowing articles have emerged in future of cyber-security – or alternatively tive of information security consultancy

14
Computer Fraud & Security September 2015