The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
Cue the creepy Terminator music.
The machines are talking among themselves and no longer need us to accomplish their tasks. Effectively, any device with an IP address that connects to the internet is part of this system of interrelated devices.
Like many internet-related things, this interconnected network continues to evolve at breakneck speed. New devices for both consumers and industry seem to be released every week.
Consider this list:
- Nest thermostats
- HVAC systems that can request service
- Electric meters that can trim your peak usage by shutting off your A/C during peak hours
- Refrigerators that can create shopping lists
- Cars that self-report problems – think OnStar
- Utility control and distribution systems
- Smart TVs
- Amazon Echo or Google Home
- Baby video monitors
With so many devices connected to the internet, one would think that security would be top of mind in the design process. Unfortunately, that’s not the case. A quick Google search for “Internet of Things breaches” returns these alarming stories:
- Data breaches through wearables put target squarely on IoT in 2017
- Large-scale IoT security breach coming in 2017, Forrester predicts
- Top five biggest threats to IoT security – Computer Business Review
It’s clear that while the efficiency and convenience provided by IoT devices are appealing, security should be a big concern when deploying these devices.
5 Questions to Ask with IoT: Putting the “S” in IoT
How do we put security, the “S”, into IoT?
After the initial research, become a reporter and answer five basic questions:
1) Who – Who will be using the device? Who will be accessing the device? Do they need to have access? If they need access, are there ways to control the level of access?
2) What – What data will the device be collecting – and is ANY of this data Personally Identifiable Information (PII)? If so, you could be held liable if this data is breached. What will be done with this data? What happens to the data when it is no longer needed?
3) When – When will this device be in use? When will data be collected? When will data be purged (if ever)? When is the device accessible and can the access window be controlled to only the times it is needed?
4) Where – Where will this device be used and does that pose a security threat? Where can people access the data from and can this be controlled via access control policies? Where will data be stored? Where will data be transmitted? Where is this device connected – should it be segregated on a separate network away from sensitive data?
5) Why – Why is this device being used – is it necessary? Why does it need to be used – is there another more secure option?
Answers to these questions can help determine a security strategy around IoT devices. These devices are here to stay and their proliferation will only increase. Taking time to plan their use can help prevent you from falling victim to a breach.