IoT security: How to make the world safe when everything’s connected

This article first appeared on ZurichVoice on Forbes.com.

The Internet of Things (IoT) is poised to create the next big technological revolution. In the future, every device — whether it's a fridge, a car or an oilfield drill rig — will be connected and talk to other devices.

For instance, a fridge will be able to tell when it's getting empty and order groceries on its own. A self-driving vehicle might send a signal to a traffic light to request it change from red to green. An oil rig could inform a computer it's a month away from needing repairs.

Already many IoT-connected devices and systems are in use, including self-adjusting thermostats, mobile payment systems and light bulbs that smartphones can control. By 2020, 20.8 billion connected things will be in use, up from 6.4 billion in 2015, Gartner Research forecasts.

All of this innovation, though, comes with risks. The biggest threat? Hackers. With these devices connecting via the Internet, the more “things" that are online, the more entry points there will be to access — and disrupt — a system.

Uncovering vulnerabilities

Internet-connected devices often have so-called "vulnerabilities," which are weaknesses in the design or the configuration of a product that people with malicious intent can exploit, said Gerry Kane, Cyber Security Segment Director for Risk Engineering at The Zurich Services Corporation.

A 2014 study by Hewlett Packard found that 70 percent of IoT devices are vulnerable to an attack. Of 10 commonly used IoT devices, each had an average of 25 vulnerabilities, the report found.

Since vulnerabilities are usually only caught once a product is in use, they can't always easily be fixed. “That's clearly a huge issue," Kane said. “Not just because of the introduction of the vulnerabilities, but also because of the difficulty of removing those vulnerabilities once the devices are on the Internet."

For companies, the danger is that someone might hack into a system and gain control over a product or machine. Someone could assume the wheel of a self-driving vehicle and take it where the person inside doesn't want it to go. Or someone could access a thermostat and change the temperature of a building. Since these devices are also hooked up to a computer network, hacking them puts at risk the entire system and its data.

Information security must evolve with the times, Kane believes. “It's not just about data anymore," he said. “It's an accumulation of the bad things that could happen when there's a security breach. And consider the number of threat vectors that are brought into play by the Internet of Things."

Human error poses another risk. While these devices are supposed to operate on their own, they still need to receive instructions from people. The wrong commands could result in mistakes. 

“Human error is always big part of security breaches, even if it's not always done with malicious intent," Kane said.

Security from the start

Given the growing adoption of the Internet of Things, companies need to start thinking about ways to protect themselves from malfunctions and malfeasance. Here are some key tips:

• Make security part of the process from the beginning rather than waiting until after a new technology is implemented. Every part of a business should participate in the discussion —it's no longer just an IT responsibility, according to Kane. “All employees need to be aware of the risks involved, and they need to have some sort of training on how to be able to identify when things are going wrong and how to respond when they see things are going wrong," he said.
• Protection is about more than firewalls and security software. When a company is looking to purchase IoT devices, it needs to look closely at the risk assessment the supplier has conducted. Find out what vulnerability analysis that company has performed on its products. “Also think about testing a device for vulnerabilities yourself before putting a system in place,” said Kane.
• Discuss — and write down — all of the things that could go wrong and what you would need to do to address any issues. “You want to build resilience into your security program," Kane said. That means being able to identify when something is going wrong and having sound, tested plans in place and procedures to follow in order to respond to the incident, he said. The goal is to get things under control as fast as possible, minimize the damage, and restore normal operations.

The NIST Cybersecurity Framework, from the National Institute of Standards and Technology, outlines the five pillars of a good security program. They include: identifying what needs to be protected; protecting those assets; detecting threats; responding to threats; and, finally, recovering any lost information or assets.

In most cases, the benefits of IoT will outweigh the risks, but companies must address what could go wrong before something happens. “These are real business issues, not just IT issues," Kane said. “So talk about them throughout the organization and at the highest levels."