Security in the Internet of Things Era
A problem is that companies often feel the pressure to meet rapid market demand and are quick to launch cutting-edge products, only to learn afterward of the security concerns via tests and the like. At that point, however, the security flaws are not easy to fix “because they’re built into the product, and built into the structure of the system,” Miessler says. “The [security concerns] really need to be addressed much earlier on.” Fortunately, Miessler notices that many companies are beginning to realize this now, rather than waiting until the price of fixing the errors will cost more.
But it can be challenging for large organizations to make necessary adjustments, as they’ve often worked for years to standardize existing processes. Established companies with long histories will often have certain momentums in place. And, “even if you have the ability to make [the necessary] changes, the expertise [and guidance] is not easy to find or readily available,” Miessler says. “It’s definitely hard to have it internally for most companies, so it’s a matter of finding the right people to guide that process, and it’s constant—almost every meeting having to do with the building of a system has to have that security context and frame of mind present.”
INVESTING IN PEOPLE, SERVICES, AND TECHNOLOGIES
Companies that wish to reap the benefits inherent in a connected ecosystem will be spending on reorganization, says Earl Perkins, research vice president for digital security at Gartner.
Among other things, they will have to train and educate security organizations to perform actions they haven’t in the past, including commanding devices to make physical alterations or changes in a designated environment. These are “not new to people like utilities and transportation, because they’ve done it for many years with industrial automation,” Perkins points out. “But it’s a new thing for consumers, or people at commercial institutions. They’re not accustomed to having a device that can open and close things, or raise and lower temperature.”
These organizations will have to figure out how the new devices will be accessed, how they will communicate with one another, and “how to protect the data that will be streaming through [them],” Perkins says. He predicts that another issue will be gaining access to the cloud from these various devices. Consequently, firms will likely shop around for services, as well as establish “gateways” to the cloud and the data.
Also important will be investing in the technologies that enable IoT security. If a company wants to monitor IoT traffic or use connected technology to keep codes updated, for instance, “those things are going to require purchases,” Perkins says.
What’s tricky is that not all IoT technologies are created equal and require different levels of security elements. Perkins divides them into “dumb, semi-smart, and smart,” and each of those categories has its own complexities—something companies should know about.
Perkins singles out Cisco, Intel, and GE as “anchor vendors” that will likely play a big part in solving the security concerns, and companies are sprouting to meet the growing demand.
Greenwave systems is just one software vendor that is working to connect IoT devices in one common ecosystem that works in harmony, according to Jim Hunter, the company’s chief scientist. The company provides a platform called AXON, which works to translate the languages of different devices so that they can work in a standard, IP-based language, Hunter says. This means companies such as Verizon don’t have to worry as much about integrating devices and getting them to work together.
Seebo is another vendor that is tackling the technology complications head on, by working to help established companies transition their products to IoT environments. According to Lior Akavia, cofounder and CEO of Seebo, “a common challenge that we see for many products is with software updates. When you deal with updates you are potentially exposed to new types of threats. If you do not do that well, a hacker may be able to replace the software with his own software.”
An important step to take during product development, Miessler says, is to identify the potential motives of hackers. “When we’re talking to customers we [ask], ‘Who’s going to attack you? What type of threat actors do you expect to face based on the device that you’re making?’” A producer of smart cars, for instance, might encounter several kinds of threat actors. One might be interested in disrupting the peace. “One motive would be to try to disable a car, or steer it into a ditch,” for instance. Such actors might potentially release a statement to the press describing their motives, but they aren’t likely to steal data. However, another type of threat actor might hack a car to extract a list of contacts, transactions, or geolocations, to target someone (possibly a celebrity or government official, for instance).
SAS Global Forum 2016: The Internet of Things Takes Center Stage
As speakers addressed the rise of the Internet of Things, SAS introduced Analytics for IoT, Customer Intelligence 360, and the Viya architecture.