IoT back to basics, Chapter 3: Security and data governance
In the first article in this series I talked about how the Internet of Things (IoT) is placing greater demands on data storage, networking, processing and analytics.
In Chapter 1 I set the scene and called out a number of technologies and related IT issues that I think are becoming increasingly important in order to help organisations deal with the data processing and analytics element of IoT: infrastructure, in particular edge analytics (see Chapter 2); security and data governance; data processing including in-memory technologies, NoSQL and Hadoop; advanced analytics, and data integration and messaging.
In this instalment in the series I’m going to talk about security and data governance: while not necessarily the most important element in every IoT project, they should always be given serious consideration.
It’s probably no surprise that security and governance are incredibly important considerations when it comes to the IoT. Ensuring that users of IoT systems and smart devices remain safe and secure – which requires that their data stays protected and carefully governed – is vital if businesses and public sector institutions are to initiate successful IoT projects. There isn’t just the risk to a user’s privacy, and the possibility of big fines from regulatory bodies when things go awry, but also the issue of reputational risk and the commercial consequences of confidence in your brand being undermined.
Indeed security should be high on the agenda in all areas of IT. A targeted and sustained ransomware attack on the NHS, in May last year, was just one example of how sophisticated some of the hackers – and their malware – have become. At a machine data analytics conference last year, the chief security officer at Travis Perkins, a British builders’ merchant and home improvement retailer, told us that his organization had faced 3,851 ransomware attacks in just one month last summer.
The problem is that the IoT increases the potential ‘attack surface’ – there are more connected devices and gateways, and hence more areas of potential vulnerability.
Many existing technologies and data governance methodologies can be used in the era of IoT. The challenge with IoT is that far broader attack surface, giving those with nefarious intent greater opportunity to wreak havoc. Some sensors – ‘things’ – are relatively dumb and therefore unlikely to bring much gratification to hackers. There’s not a huge amount of twisted satisfaction to be gained from interrupting temperature or wind-speed readings from a sensor in a wind turbine, for example.
But when you consider that IoT also includes the likes of connected vehicles, wear-at-home medical devices, industrial and hospital equipment, you can see why security is such a vital consideration.
For instance, in 2015 a group of researchers from the University of California, San Diego, discovered a serious weakness in vehicle security that allows hackers to take remote control of a car or lorry, thanks to small black dongles that are connected to the vehicles’ diagnostic ports.
These are common in both cars and lorries, fitted by insurance companies and fleet operators, as a way of tracking vehicles and collecting data such as fuel efficiency and the number of miles driven.
But the researchers found that the dongles could be hacked by sending them SMS text messages, which relayed commands to the car’s internal systems. The hack was demonstrated on a Corvette, where the researchers showed they were able to apply the brakes or even disable them (albeit as long as the car was at low speed).
You can imagine the repercussions of such a hack as we move ever-closer to driverless cars.
There have been other worrying security lapses around IoT that give pause for thought. In 2013, for instance, the US Federal Trade Commission (FTC) filed a complaint against TRENDNet, a Californian maker of home-security cameras that can be monitored over the Internet, for failing to implement sufficient security measures.
TRENDNet’s cameras were hacked via the Internet, leading to the display of private areas of users’ homes on the Web, and allowing unauthorized surveillance of adults as well as children going about their usual daily lives. As well as an invasion of privacy, there was the potential that such covert surveillance could be used to monitor the comings and goings of the occupants of a premises, and hence give rise to further criminal activity once the hacker knows when there is no one at home.
Clearly, some IoT initiatives have different risk profiles to others. For instance, ‘white hat’ hackers last year demonstrated that they had been able to hack into a smart domestic appliance network and turn off ovens made by the British company AGA. Being able to turn them on and adjust the temperature would be more dangerous, but the ramifications are still worrying.
Another penetration testing company discovered that hackers could remotely compromise a connected kettle with relative ease and thus potentially gain unfettered access to a person’s wireless network, from which they could change DNS settings and monitor all web traffic for access to bank accounts and other sensitive data.
It’s obvious that the companies involved in implementing IoT need to be just as sophisticated about their security processes and protocols as the most sophisticated hackers – but time and again we have seen companies outsmarted by either ‘white hat’ or, worse, ‘black hat’ hackers.
The potential security risks around the IoT are very real.
Organizations contemplating the benefits IoT projects could confer on them and their customers (or in the case of local or federal government, their citizens) would be wise to consider security and data governance very carefully indeed. Authentication and authorization technologies are likely to be necessary. Data masking (removing attributes that would enable a hacker to identify specific people and their habits, for instance) may also be called for, and in some cases even mandated by law.
Ensuring privacy is also an issue. While some consumers or citizens are quite happy to share various data with organizations, others are not. It behooves organizations to ensure that they ask users to ‘opt in’ to IoT-related projects or systems, rather than opting them in without explicit consent (even if they subsequently offer an opt-out).
Companies that don’t, run the risk of ostracizing customers and even running afoul of auditors and legislators. If potential fines are not sufficient to deter some companies from taking security and data governance seriously, the potential reputational damage certainly should be.
In Chapter 4 in this series I’ll look at the role of in-memory technologies, as well as NoSQL and Hadoop, for data processing and storage in the IoT era.
OTHER ARTICLES IN THE ‘IOT BACK TO BASICS’ SERIES