Secure by Design: Cybersecurity and Internet of Things
By now, we are all quite aware of what the Internet of Things (IoT) is. The Internet of Things, or IoT, can be simply defined as a network of interconnected devices or things that are embedded with software, sensors and connectivity functions that facilitate the collection and exchange of data and help automate several day-to-day activities.
IoT devices are making everyday life easier, as users have to worry less about the home appliances they may have left on back at home, the groceries they need to restock, or setting the right ambient temperature at home or the office ahead of their arrival. Home automation, smart appliances and lighting, as well as solutions like the Amazon Dash Button, are all forms of IoT solutions that are connected via the Internet and allow users to control and manage tasks remotely. In the process, they generate and transfer a lot of data. This data, if not exchanged and processed securely, could lead to a cybersecurity breach, resulting in theft and even destruction.
Despite their vulnerability to cybersecurity and data breaches, IoT devices are hugely favoured and adopted across the world for performing various functions, owing to their ability to connect to the internet, help manage things and functions remotely, and improve performance and efficiency. The adoption rate is such that the world is projected to have 20.4 billion connected things by 2020, according to a report by Gartner [1]. This is huge, especially when we compare the numbers with the world population, which as of November 2019 is 7.7 billion [2].
While controlling the adoption and use of IoT devices is neither advisable nor possible, adding security functions and protocols as a standard right from the time they are developed can help in improving their security quotient significantly. This approach to security of IoT and connected solutions is dubbed ‘Security by Design.’
What is Security by Design?
As the term suggests, it is an approach in which developers presume and predict the security vulnerabilities, design strategies to tackle the vulnerabilities and then use these strategies as guidance while developing connected hardware and software solutions, embedding security protocols in the architectural design. The resultant connected solutions come with in-built security features.
Why do your regular smart home appliances or connected devices like printers need cybersecurity features, you ask?
Well, these devices are connected to the internet, sharing links with various other connected devices, including your home or office security systems and other devices that manage your personal activities or your business-critical processes. Without any security features at all, they function as an open gateway for hackers to gain access to your network, while an outdated or weak security function can still allow an attacker to exploit a tiny anomaly and penetrate your system.
A classic example of this is the hacking of a North American casino through an Internet-connected thermometer, which was placed in an aquarium in the casino’s lobby. Once inside the casino’s network, the hackers accessed the high-roller database of gamblers and sent it out to the cloud via the same thermostat.
Why is Security by Design gaining traction?
Companies are at a heightened risk of a cybersecurity breach facilitated by connected devices on their network. They host several IoT devices, including sensors, surveillance cameras, connected office equipment and more, many of which lack a proper encryption mechanism. Such devices could play the lead role in a potential cyberattack that an organisation might face. And we all know by now that data breaches and cyberattacks are costly affairs. They not only cause a financial dent but also result in reputation and brand damage, which can have a long-lasting and sometimes even fatal impact on your business.
All these years, manufacturers have not been very concerned about the security and encryption aspects of their devices, and neither governments nor users gave it much thought until recent cyberattacks like Mirai and Stuxnet, both of which took advantage of open, unprotected IoT devices. The attacks showed world governments and users the vulnerabilities that their systems possess and gave them an insight into the catastrophic impact that unchecked infiltrations like these could have.
Such concerns have now prompted governments to form tighter cybersecurity and data protection regulations.
Governments across the world have taken serious note of these cybersecurity incidents and have rolled out, or are in the process of introducing, strict regulations around IoT devices and their cybersecurity functions. Some examples of these efforts include the rollout of the EU’s GDPR and the announcement of the UK’s IoT security Code of Practice in 2018, as well as the upcoming launch of the California Consumer Privacy Act in 2020.
Such regulations and related initiatives around the IoT security are pushing manufacturers to embed security features in the devices and software right at the development stage in order to comply with the regulatory requirements. They are adopting measures like utilising secure Software Development Life Cycle principles to avoid vulnerabilities in IoT solutions and are making adjustments to make the solutions adhere to the principle of least privilege and restrict access to authorized entities.
With the 20.4 billion IoT devices that the world is projected to see by 2020, the threat of a cybersecurity breach multiplies severalfold, and entities cannot risk being attacked via a tiny thermostat placed somewhere in a corner of their premises. So, Security by Design should be the default process when developing IoT solutions.