From Internet of Things to Internet of Threats

Smart houses, smart cities, smart irrigation, and smart routing: the Internet of Things (IoT) has ingrained itself into every aspect of our daily life.

Though the moniker was coined by Kevin Ashton in 1999, the concept of transferring data through appliances and staying connected to the internet dates back to the 1980s. It all started with a group of university students’ attempt to track the number of Coca-Cola cans in the vending machine. What was an attempt to save them the trips to an empty vending machine subsequently progressed into the internet-connected toaster and to the internet-connected anything.

However, despite two decades of IoT expertise and 14.4 billion globally connected devices, many of them lack basic security mechanisms. For example, the Mirai Botnet attack, one of the largest DDoS attacks, led to internet outages by compromising IoT devices that used default usernames and passwords. While basic security begins with enforcing complex passwords and configuring perimeter-based VPNs and firewalls, the new threats within the realm demand newer security techniques and strategies. So, before heading over to a more immersive IoT experience, it is essential to take a step back and evaluate where the $478.36 billion industry stands in terms of its digital security hygiene.

IoT and IT security

The third industrial revolution went down in history as a hit with the rise of semiconductors, mainframes, and personal computing. This was followed by the fourth industrial revolution, dubbed Industry 4.0 or 4IR, which has been growing beyond its predecessor since the 21st century. Among the various technologies that have been blurring the lines between digital, physical, and biological segments, the Internet of Things can be considered one of the important technologies in the 4IR. However, this interaction between the virtual and physical worlds by IoT was supported by technologies like the internet, cloud, and the fifth-generation technology. With these developments, anything as small as a pill to something as big as an airplane could be transformed into IoT.

One of the main drivers behind the proliferation of IoT is the flexibility and scalability the cloud promises. With the advent of the cloud, there is no restriction on the number of devices that can be connected and data that can be stored. Therefore, it comes as no surprise that a company is as vulnerable as the size of its cloud footprint. In addition to the umpteen security vulnerabilities, these data silos are also expected to address privacy concerns. Privacy has become a topic of global interest, necessitating businesses to demonstrate their capability of securing the data they collect. Today, every nation has a data privacy regulation of its own and businesses are liable to abide by them. The 2021 ‘Verkada Hack’ that allowed attackers access to live feeds of over 150,000 cameras provides compelling evidence for the need to begin an IoT security strategy.

To begin with, companies must limit access to their cloud services by implementing Identity and Access Management (IAM) solutions that will ensure the right access to the right resources. Built on the concept of ‘Identity is the new perimeter,’ IAM solutions can notify IT admins if confidential data is shared or an employee with elevated access adds unwarranted super admins. Within the 14 billion IoT devices, tonnes of data packets get exchanged. Once access to corporate resources is defined, businesses could go ahead with identifying the firm’s crown jewels and encrypting them. However, IT enthusiasts predict that quantum computing will soon break the encryption barrier. As a result, it is advised to go beyond the wall of encryption and opt for solutions like Enterprise Content Management (ECM), Data Loss Prevention (DLP) technology and Intrusion Detection Systems (IDS). While systems that use ECM extend the concept of content management by providing a secure repository for data, DLP assists network administrators in keeping track of confidential data transfers.

IoT and Artificial Intelligence

The amalgamation of Artificial Intelligence and IoT has given rise to the Artificial Intelligence of Things (AIoT). While IoT devices help collect data, AI is fed with these data, giving an ‘intelligent’ touch to the concept of connectivity to deliver a sophisticated IoT.

Intelligent connectivity has made it possible to access data anytime, from anywhere, via any device. Currently, AI serves as a guide for businesses in detecting intrusions so that vulnerabilities can be tracked in real time and contained quickly. Moreover, Machine Learning (ML) aids businesses in detecting attacks by learning from historical threats and formulating solutions that can neutralize the threat before it hits the systems. With more innovations and research, IoT devices will soon be capable of analyzing traffic patterns and flagging those with the characteristics of a potential threat or an attack.

AI is a profound technology, and with its vast potential untapped, it holds a realm of opportunities for the future. As various industries continue to pivot their work towards unleashing the creativity of AI, CISOs sure have the mammoth task of bringing IT security to the forefront. With 6G and the massive traffic that falls into the AI systems, it is essential to upgrade the IT security regime and have a decentralized approach. 6G use cases require a stricter security strategy, and with the Internet of Everything (IoE), it would be a challenge to operate and install distributed AI, privacy, and endpoint security solutions. With the advent of new technologies, there are perennial concerns about security and privacy. Therefore, it is necessary to evaluate these technologies and their ability to fit in the business context before jumping on the bandwagon. As privacy and compliance take the lead on security practices, further research and innovation into these technologies will determine how IT security hygiene will shape up in the future.

The Domino Effect

From analyzing environmental conditions to storing data from smart meters, with the advent of IoT, data exchange across various spheres is no longer considered impossible. However, while it promises efficient data communication, a slight vulnerability, when overlooked in any one of the devices, could result in the downfall of an entire network. Following the adage that you can’t protect what you can’t see, the checklist for ensuring a secure IoT layout starts with comprehensive visibility into the IoT structure. As businesses look out for technologies that enable them to maintain a device inventory and have visibility into the company’s device status, having Network Access Control (NAC) solutions in their repository is something they could consider.

The Virtual Private Network (VPN) has long been the staple security technique for businesses. Unfortunately, the ability to mask malicious activity through piggybacking and the rise of TLS (Transport Layer Security) encryption that hides the traffic between the hacker and their victim have made these perimeter-based defences futile. IoT devices operate in harsh and remote environments, thereby necessitating solutions without perimetric constraints. Owing to this, businesses have begun including some form of network segmentation in their security strategy. Introducing granularity into the concept, Zero Trust Network Access (ZTNA) technology, a subset of Secure Access Service Edge (SASE), reduces the attack surface by authenticating identities irrespective of their location. Implementing a SASE model in your enterprise will enable IT admins to define how much of the network can be made available to the corporate endpoints. Once the IoT devices are taken stock of and identified, a unified endpoint management (UEM) strategy will help companies achieve visibility into the connected endpoints while also implementing baseline security protocols.

The vulnerability in the Owlet WiFi Baby Heart Monitor, termed one of the worst IoT security failures of 2016, is a perfect example of how devices made with the right intention can take a dangerous turn in the wrong hands. Security must be a top priority for appliance manufacturers and Original Equipment Manufacturer (OEM) vendors so that these episodes do not recur. However, one must remember that while manufacturers are expected to treat security as being as important as reliability, depending on them for timely patches shouldn’t be the sole approach.

Way Forward

Without a doubt, IoT promises numerous benefits at the business level. However, companies need to choose their IoT based on the outcome they foresee for their business. The evolution of highly intelligent AIs and the rise of super-fast telecommunication technologies like 5G are spearheading the already exponential growth of IoT. Recent surveys are a testament to this with studies predicting the number of globally active IoT devices to reach more than 55.9 billion by 2025.

As the Internet of Things begins to handle critical infrastructures for healthcare, energy and the military, businesses cannot afford to take a backseat in terms of security. Unsecured devices could leave enterprises vulnerable to data thefts, physical damage, revenue loss, reputational damage and more. While IoT operates on multiple levels of endpoints, networks, and the cloud, businesses will need to invest in multiple security levels to guarantee a threat-free environment. The challenges that each industry faces would be unique, and it is important that businesses choose solutions that are flexible.

About the Author

Apu Pavithran is the founder and CEO of Hexnode, the award-winning Unified Endpoint Management (UEM) platform. Hexnode helps businesses manage mobile, desktop and workplace IoT devices from a single place. Recognized in the IT management community as a consultant, speaker and thought leader, Apu has been a strong advocate for IT governance and Information security management. He is passionate about entrepreneurship and devotes a substantial amount of time to working with startups and encouraging aspiring entrepreneurs. He also finds time from his busy schedule to contribute articles and insights on topics he strongly feels about.