Why is the IOT Catnip to Hackers ??
Posted by Bill McCabe
Why is the IOT Catnip to Hackers?
The latest developments in IoT security will protect the companies that use them from disastrous hacks
Rob Enderle writing in CIO Magazine May 20 about a new security certification for IOT products lauded the new offering and cited other measures that responsible IoT businesses must take to secure the future of their companies. His opinion piece couldn’t come at a better time.
Those of us watching the IOT “back door” swing open to hackers have been wondering how and when a product certification like this would become industry standard. Underwriter Laboratory’s Cybersecurity Assurance Program (CAP) just might work. But it’s only a start.
The three-level certification process, according to Enderle, will work fine as long as it’s subject to a “rigorous audit process.” However, he also agrees that using a remote network hub with security stopgaps in place (which is what most are doing now) won’t do a thing to protect wireless devices.
Where we are now, where we need to go
During the NXP/FTF Technology Forum 2016, a group of panelists was asked if the Internet of Things was secure yet. What do you think they answered? Yes, they said, no.
Here’s the rub—and the same thing that Enderle writes about: The connected devices in cars, homes, phones need to have specialty security hardware to stop many attacks. Another missing link, according to Global Business Development Manager Damon Kachur at Symantec, is the need to institute “a massive education process compelling security providers to educate consumers on how to operate their devices securely.”
Using cryptography, requiring several rounds of authentication per day, and manufacturers hiring hackers to break into their IoT devices before they put them on the assembly line—these were also solutions that Forum panelists came up with to secure the IoT.
Horror stories averted?
The stories with the highest profiles are those that see connected cars taken over and crashed; cell phones hijacked and set on fire; and that Target breach, when hackers stole credit cards from Target headquarters using the building’s HVAC systems to get in. What else do we need to do, besides work on certification processes and make sure that before we build the next IoT device, we’ve protected it from hackers?
It’s clear that businesses engaged in the IoT revolution need to make security “job one”. There are heartening signs that this indeed is the case. A recent Accenture paper on IOT security claimed that “businesses surveyed by the World Economic Forum identified cyber-attack vulnerabilities as their most important IoT concern.” And an article last month in Forbes reported that venture capitalists are now “following the money” to underwrite cybersecurity start-ups: “Boston-based Lux Research says investment in “cyberphysical” security startups rose 78% to $228 million in 2015, and will increase to $400 million this year. The report cites rapid adoption of IoT tech, with the potential threats it brings in the area of internet connectivity in cars, homes and factories.”
Businesses that are eager to make money on the IOT without being willing to spend the money on securing it will be increasingly prone to customer data breaches and other high-profile disasters that will close their doors—and slow the adoption of IoT devices—and spending—for years to come. Smart companies need to make an investment in securing their latest IoT game changing use-case or product-- or their customers and partners won’t want to make an investment in them.