How to Know Whether IoT Devices Are Safe
As IoT adoption soars—an October 2017 Vodafone study(link is external) found that 84 percent of organizations are expanding the use of the IoT and 95 percent see benefits—the challenges and risks related to the IoT grow exponentially. Integrators must ensure that IoT devices deliver maximum results with maximum protection.
Making Connections Count
The risks associated with the IoT are growing. According to Gartner(link is external), worldwide spending on IoT security will reach $1.5 billion in 2018, a 28 percent increase over 2017. Yet companies deploying IoT systems often fail to follow security best practices. “Coordination via common architecture or a consistent security strategy is all but absent,” notes Gartner Research Director Ruggero Contu.
At the heart of the matter, says Renil Paramel, senior partner at consulting firm Strategy of Things(link is external) and a former Gartner analyst, is a recognition that IT security and IoT security are very different beasts. Failure points can reside in devices, in embedded firmware, and in connectivity software. “Failure points could also occur on the cloud if data is transmitted and stored remotely,” Paramel explains.
Beyond the Device
”IoT security requires a multiprong approach,” Paramel continues. Integrators should analyze a variety of vulnerability points, including the OS, firmware, patching policies, communication protocols, and APIs. “An end-to-end-perspective, from the device level to connectivity and the cloud, is essential.” Overlaying all of this with a focus on physical security, including who has access to IoT devices, and how they can be accessed, is equally important.
Understanding the technical architecture of the IoT system and device is also critical to identifying vulnerabilities. Case in point: Although major chip makers adhere to industry standards for security, protocols such as Wi-Fi, Bluetooth, Zigbee, and Z-Wave can make devices discoverable and hackable. “’Understand how a breach can pass through these devices and the extent of damage possible,” Paramel advises.
“We no longer have things with computers embedded in them. We have computers with things attached to them.”
Bruce Schneier
“Integrators and resellers must do their homework,” Paramel concludes. “They need to ask questions about security and standards. They need to understand what precautions a vendor has taken, which certifications a manufacturer has earned, and how security updates take place, such as over the air or locally.” Only then, he adds, is it possible to know whether they truly have an end-to-end security strategy in place.