The Internet of Things (IoT) is fast turning into an intrinsic part of the digital transformation for industries such as utilities, transportation or manufacturing. The market is expected to reach a value of $922.62 billion by 2025, becoming one of the biggest catalysts for new emerging technologies.
Although Industrial IoT (IIoT) adoption offers benefits ranging from automating and optimizing the business to eliminating manual processes and improving overall efficiencies, security continues to be an afterthought, one that creates risk that industrial organizations are ill-equipped to manage.
The Trickle-Down Effect
The lack of mature security frameworks and the breadth of security considerations are big barriers for the improvement of IoT security. Today, there is no common approach to cybersecurity in IoT, which leaves the door open for device manufacturers to take their own approach, resulting in undeveloped or underdeveloped standards to guide adoption of IoT security measures and best practices.
In many cases, manufacturers designing IIoT devices are challenged to integrate effective security controls into the product design, which results in devices having little to no encryption for securing data at rest or in transit. Because security is not built into the device at the onset, users struggle with securing them after they have been implemented, constantly leaving the door open to potential cyber-attacks, which could lead to operational downtime, loss of customer data and even end-user safety hazards.
This challenge becomes compounded as users come up against other complicating factors, such as:
- Complexity of the ecosystem – an IIoT ecosystem is an amalgamation of diverse, dynamic, independent, and legacy devices that intertwine communication protocols, interfaces, and people. Such complexity hampers the ability of IT security professionals to even start with the most basic cyber hygiene, such as changing default passwords, keeping an inventory of hardware and software components on the company network or patching applications regularly.
- Intricate monitoring and management – the more complex an environment, the more likely it is that IT administrators lack visibility, access, and control over one or more of its components. Moreover, the deployment of IoT devices on legacy infrastructures and non-IP based devices also exacerbates the IT administrators’ inability to monitor and control these devices.
- Lack of IoT security awareness and knowledge – the lack of understanding of connected devices and architecture security pose a significant challenge. Most organizations don’t have a full understanding of the risk and exposures they face to protect their devices or the real impact (both positive and negative) those devices have on their security posture.
Thinking of security as an afterthought is one of the most common mistakes when building or adding new connections. IIoT can be effectively disruptive if done properly when done poorly it creates unnecessary risks.
Industrial IoT Security – Partnering for IIoT Security Success
Many organizations don’t have the skills needed to maintain, let alone build their IIoT security architecture. For that same reason, they should consider partnering with specialists when moving into this space.
Managed security service providers (MSSPs) are adapting offerings to address the needs of complex IIoT environments. As IIoT devices have different application requirements, deployment conditions and networking needs than traditional enterprise environments, MSSPs are investing in specialized capabilities to understand how to configure devices for at-scale operations and to ensure that best practices are followed for both preventative and real-time maintenance.
Businesses considering partnering with an MSSP should take into account the expertise, resources, and services their potential partner will bring to the table. They need to look for a provider that will deliver leading-edge security features such as threat intelligence and monitoring, data correlation and device management and support, while also understanding the differences between monitoring traditional networks with these unique technologies. Leadership will also need to revisit policies and procedures on risk management through an IIoT lens and use audits and assessments as enablers for the application of relevant security controls.
The influx of IoT devices has opened up new entry points into enterprise networks that cybercriminals can exploit. Whether it is in a new connection or an extension of a legacy architecture, cybersecurity must be at the core of the IIoT implementation. Organizations will need to take a defense-in-depth approach to cybersecurity if they are to be better prepared to face the threats targeting IIoT. This starts by identifying the challenges their implementations present, from the increased complexity to awareness and management. The point behind IIoT is to create a seamless connection between people, devices, and networks and drive efficiencies on an industrial scale. If this is to be achieved, cybersecurity is the one guest that cannot be late to the party.
This article was originally featured in IoT For All.
In the first of our two-part series, we covered the unhygienic security practices and the impact of the modern healthcare ecosystem. This final installment digs deeper and provides useful recommendations for alleviating those risks.
However, containing the said issues or implementing privacy and security controls is challenging and not short of pitfalls. Fundamentally, privacy is a complex issue that jurisdictionally falls into different areas. There is no clear sense of the definition of “privacy.” What constitutes a privacy violation, who is responsible or accountable among the involved stakeholders in the event of a breach and so forth.
Also, the notion of “privacy paradox” is disconcerting and undermines the efforts to manage security and privacy. Privacy paradox implies that people’s privacy concerns and expectations are diverse and contradictory in terms of theory and outcomes and that despite people’s clearly expressed concerns about their privacy, there is a simultaneous lack of appropriate secure behavior (for instance sharing of sensitive information on social media).
Moreover, healthcare providers tend to prioritize health care utility and safety while manufacturers prioritize intended device features over security and privacy. The shortage of quality technical resources and the sheer difficulty in managing third-party environments such as the cloud or social networking healthcare promotion sites also hinder their efforts to create a sufficient cross-functional privacy and security team. Compliance is also expensive and IoT device constraints (limited power and resources) mean that privacy controls can slow down medical devices and reduce the usable battery life. In some medical devices such as pacemakers, critical functionalities cannot be updated immediately if a patch is available. These limitations further deter manufacturers from producing products with enhanced security and privacy features and manage them through the lifecycle of the product.
Nonetheless, it is inherently difficult to track the flow of PII/PHI data. Data may be collected and used in many systems throughout an organization and across the continuum of the healthcare industry, in hospitals, rehabilitation centers, insurance agencies, and so forth. The more places the data exists, the more systems an organization has to track, maintain, and protect. Even privacy-preserving mechanisms have their shortcomings. There is an inherent trade-off between information loss and confidentiality protection because the reduction in granularity results in diminished accuracy and utility of the data.
Regardless of the issues, regulations such as the FDA, HIPAA, the HITECH Act, GDPR, etc. are making inroads in preserving individual privacy and security. In addition to the existing principles as recommended by the regulations, we recommend the following practices that can help alleviate the risks:
- Privacy by Design – all applications (mobile apps, software, etc.) and devices whether they are “clearly” for medical purposes or “indented” for medical purposes must follow privacy by design principles. This also involves restricting the overcollection of data and employing privacy-preserving mechanisms on data stores.
- Accountability – Clearly defining data ownership and the responsibilities of the involved stakeholders in the event of a breach might help deter the unethical motives.
- Awareness Programs – consumers need to be educated on their rights, and how to make use of technology-assisted healthcare without undermining their privacy.
- Periodic Risk Analysis – this includes the “covered entities” (as defined by HIPPA) regularly reviewing their records to track access to PHI and evaluating the effectiveness of security measures put in place from risks such as unauthorized access, destruction, modification, or disclosure of data.
- End-of-Life Management – in recent times, several breaches have been attributed to poorly discarded medical devices that store PHI. Device manufacturers and healthcare providers must uphold procedures and policies that address issues that arise as a result of devices reaching their end of life.
- Third-party audits – medical devices must be tested for security and privacy issues by an independent third party and include provisions in the management cycle to address issues unfound during the audits. All such reports, if made public, can help healthcare providers make an informed choice and not rely on public databases that are strewn with vague information.
- Expanding the definition of “covered entities” – HIPAA only regulates the healthcare industry, and thus only applies to what the law considers “covered entities” and their “business associates.”. If the medical information is disclosed to anyone else, HIPAA would not apply. For instance, any information provided to a social networking site, or one’s employer, or a wellness app will often not be protected by the existing medical privacy regulations.
The modern healthcare ecosystem is undeniably rewarding to one and all. It dramatically improves the efficiency of healthcare services, optimizes healthcare workflows, and originates cutting-edging research that improves vitality. But it is also immensely complex and inherently insecure, with a high susceptibility to security threats, especially from threat actors whose primary intention is to either commit fraud, obtain non-prescribed drugs, or secure ransom.
A Privacy Nightmare?!
The complexity and low-security maturity of the ecosystem primarily stem from the presence of diverse legacy and modern technologies that have significant inherent vulnerabilities (OWASP IoT Top 10) and contrasting security pre-requisites that cloud the prevailing efforts. Unhygienic security practices such as casual data sharing in conversations, social media, and chat groups also exacerbate the situation. Other, yet common issues that add to the complexity include:
- Unethical motives – selling PHI data to advertising agencies
- Acquisitions – consolidation of assets and practices is common in the healthcare industry and security is only as strong as the weakest link
- Inept and Garbled Privacy Policies – facilitate and encourage users to share data thoughtlessly
- Disclosure Exceptions – the government is exempted from privacy rules regarding national security by law. Therefore, healthcare providers occasionally do reveal sensitive information in good faith to uphold the safety and security of the public.
- Misrepresented Public Records – FDA requires physicians and healthcare providers to report issues with devices and in some cases, this is voluntary and cumbersome. Therefore, an issue gets tagged with another issue as a subsidiary to save up on the paperwork. This therefore results in not painting the complete picture of issues for a device accurately and hence physicians who reply on these publicly accessible reports to assess the safety of the devices prior to prescribing it to their patients may inadvertently prescribe an insecure product.
- “Intended for medical purpose” – there are situations in which a product is not conceived by its manufacturer to be used “clearly” for medical purposes, but “intended” to be used for medical purposes, such as wellness apps and wearables. This means that manufacturers of medical apps and devices that may incidentally be medical devices do not have to create them to the same security standards required for conventional medical devices according to the law.
- Unchecked and Uncontrolled
- Data collection: One might not realize it, but PII and PHI are often added to a mandated public database without one’s consent in the name of national interest
- Data usage by third parties – In an instance, it was also found that third-party analytical services could potentially link data from the ﬁtness and health applications to other applications that contain identifying information about the user, leading to Big-brother like surveillance
In gist, the ecosystem as a whole is an avenue for dire and far-reaching medical data privacy violations, the impact of which is manifold. It can lead to excessive fines and reputational damage for both healthcare providers and manufacturers in the event of a breach.
At an individual level, privacy violations can spring stigma, embarrassment, and discrimination, in turn resulting in unemployment, loss of health insurance and housing, and so forth. Patients may lose trust in their care provider, resulting in ineffective communication between physician and patient.
At a societal level, loss of individual trust may lead to unacceptance of medical assistive technologies, thereby hampering the efficient development and successful rollout of E-health technologies into society. Moreover, trust engenders individuals to participate in and support research if they believe their privacy is being protected (The equation is simple: higher quality data means higher quality medical care).
At a national level, it can also lead to an espionage-like situation as was evident with the Cambridge Analytica scandal. It may result in a situation where a private, for-profit, or a government organization knows and owns a lot of data about individuals, while the individuals do not know much about the company or government entity. This situation combined with unchecked usage of PII/PHI data by the data owners can inspire authoritarian intrusions into citizens’ private lives and unfairly scrutinize citizens based on opaque computer algorithms.
In part two we will cover the privacy enigma and conclude with best practices to preserve privacy.
The security implications of IoT range far and wide. With almost every conceivable thing connected to the internet, it’s hard to predict what is and isn’t a threat to its user’s data.
Have you ever thought about what IoT security actually means? Kudelski Security CTO Andrew Howard sat down with the #AskIoT podcast team from IoT For All to discuss how companies really should approach cybersecurity and what needs to be done by everyone involved to ensure the devices we use every day are as secure as possible.
Andrew’s interview follows these basic questions and a whole lot more:
- Which industry is most at risk to security threats in IoT?
- How do you handle building security into legacy systems?
- How should non-technical companies approach IoT adoption?
Do you want to listen to the podcast? Click the play button below.
Read the original article by clicking here.
The IoT market continues to grow, with investments expected to top $1 trillion by 2020, according to IDC. With the rollout of 5G, Ericsson forecasts that the number of cellular IoT connections is expected to reach 3.5 billion by 2023, and DBS Asian Insights predicts that IoT devices and services will reach an inflection point of 18-20% adoption in 2019 alone.
Security continues to be one of the greatest barriers to IoT adopters in 2019. Insecure components, prevalent malware and shortsighted attempts to apply traditional security measures to IoT networks act as formidable challenges to these adopters. Heeding to this new zephyr, threat actors are also adapting and innovating new attack services and hacking tools that will be more complicated and more difficult to detect and respond to. In accordance, we can anticipate a substantial increase in supply chain attacks, IoT botnets, and cryptominers alike.
We predict that device manufacturers will put an increased focus on security in 2019 versus previous years, but the number and scope of attacks will continue to rise. Microsoft reports that more than 90% of consumers want manufacturers to step up their security practices, and 74% would pay more for a product with additional security built in. This demand will drive innovation and increased adoption of trusted hardware and software systems. It will also force manufacturers to adopt and adhere to industry recommendations for data management and privacy, bring about increased awareness of supply chain security management and so forth. Manufacturers will also look to include bug bounty programs and responsible disclosure programs for manufactured and deployed devices to improve the security of their products.
Alternatively, consumers will also pay heed to IoT security governance and adopt processes and technologies that assist in the governance of the IoT landscape — an amalgam of several technologies comprised of the cloud, device, mobile, edge devices and so forth. For instance, they will look for IoT monitoring systems and platforms for better visibility and management, data protection technologies for better security and privacy, cloud protection technologies and active threat detection technologies.
Moreover, consumers and manufacturers alike will invest heavily in technologies that assist them in determining the maturity of their security programs. Companies will also look to cyber-risk insurance to safeguard their business from formidable cyberattacks nonetheless.
Furthermore, as IoT security products and services innovation and adoption gains momentum, assisting technologies, such as machine learning, artificial intelligence and blockchain, will make strong and forced inroads into IoT security products, assisting in building improved trust, threat detection, identity management, and data and device management at scale. But, to a large extent, government regulations will bring about a culture of shared responsibility for protecting the IoT landscape.
This article was orginally featured in IoT Agenda.
The fourth Industrial Revolution, or Industry 4.0, is well underway. Emerging technologies such as artificial intelligence, augmented and virtual reality, wearables and autonomous vehicles are making sizeable advancements and becoming a part of everyday lives and business.
These emerging technologies all create a lot of data, data that needs to be protected. Connected medical devices transmit sensitive patient information and are also responsible for keeping people healthy and alive. Connected power plants and other critical infrastructure transmit sensitive information and are also vulnerable to attacks. The list goes on. Not only are these technologies creating large amounts of data that require protection, they also require protection for the intellectual property (IP) fueling them. Augmented and virtual reality companies are creating helmets and goggles for civil and construction employees straight out of Iron Man. And there are states out there that are not above stealing this kind of IP, which raises the stakes as many of the world’s electronic components come from those states, adding extra pressure to manufacturers to keep devices secure.
This creates two situations where data, whose value is exponential to criminals, needs to be given extra precaution when securing both it and the devices producing and transmitting it, as well as protecting the intellectual property making them work. Data in transit and data at rest in these situations require heightened security through greater encryption and IoT security as well as high-assurance data protection environments to secure it when not in use.
IoT security efforts should focus on developing a dedicated plan to secure the IoT devices, especially given how an IoT architecture — with its disparate protocols, software and hardware — differs from the traditional enterprise network. Integrating IoT devices into enterprise networks will require new risk management strategies and updated operational security strategies with the level of protection for a given asset greatly depending on its use case and the criticality of the application it supports.
It is therefore essential for enterprises to establish a clear vision of the business need for IoT devices, validate the technologies with stakeholders (including security professionals), assess the risks, deepen their technical understanding of how the IoT system really works, and validate system operations and feasibility.
To be most effective, IoT security has to be a shared responsibility. Many security incidents could be avoided if developers and manufacturers were aware of the risks they face on a daily basis, considering not just those that affect IoT devices, but also those that affect the IoT environment as a whole and develop products accordingly. But connected devices are typically designed to be low-cost and built for a single purpose — not with security at the forefront. They often have limited memory and computing power, which means they can’t be protected by traditional endpoint security. Therefore, enterprises must fully vet new IoT devices to understand how much security is built in. For example, the device may have strong embedded encryption, or it may have a USB port. The administrative password might be “password,” providing an open invitation for misuse and abuse.
Finally, it should be noted that is impossible for every IoT system to behave securely at all times within every context. A good rule of thumb and a sound approach for enterprises is to always adopt an evolving security posture.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.