Over the years, we have seen analysts forecast the total number of connected devices at anywhere from 2 billion to 50 billion. The reality is that we don’t know how large these numbers may be.
Dubbed the Internet of Things (IoT), these devices have endless applications, limited only by our imagination. But this tsunami-sized trend to add intelligence and connectivity to devices does pose several risks related to security and privacy.
IoT carries the potential to transform any community around the world into a ‘SMART community’, creating a new era for urban living. Smart cities have the potential to revolutionize the way one lives and conducts business.
An IoT infrastructure as huge as a smart city would produce invaluable data for a multitude of businesses. However, security is often overlooked when companies rush to design and deliver products to a fast-growing market.
Here is a list of the top five Internet of Things vulnerabilities as per the Open Web Application Security Project (OWASP), which sums up most of the concerns and attack vectors surrounding this category of devices:
1. Username enumeration
2. Weak passwords
3. Account lockout
4. Encrypted services
5. Two-factor authentication
It is interesting to note that almost all of the above factors pertain in some way to Identity Governance, a key element that must be addressed in securing an IoT ecosystem.
If you ask, ‘how resilient are these IoT platforms to cyberattacks?’ the answer is mostly that these platforms haven’t matured sufficiently yet.
The need of the hour
Identity management on the IoT network is different from workforce or customer identity management. It demands a different and scalable solution with end-to-end encryption to minimize the risk of rogue devices and man-in-the-middle attacks. With IoT, security is too important a feature to treat as an afterthought.
Currently, while IoT frameworks do have some level of security, it is insufficient to handle sophisticated and highly probable attacks. This means that the risk of hackers and eavesdroppers is huge.
We have seen recent examples of how a breach within the network can have massive repercussions for the overall IoT ecosystem. The Mirai Botnet attack in 2016 led to a widespread Distributed Denial of Service (DDoS) attack.
The Mirai program identified vulnerable IoT devices through a table of 60 default usernames and passwords and later logged in to infect the devices.
The hacking of implanted cardiac devices in 2017 was the best example of how IoT within healthcare is vulnerable. These cases clearly depict how the health and wealth of people can be at risk due to a shortcoming in IoT security. As we are getting more and more dependent on connected devices, this risk, quite simply put, is unacceptable.
On the need for developing a security culture – one solution that has stood out over the years is Public Key Infrastructure technology, or PKI.
How can a vast proliferating ecosystem of connected devices, many of them too small to include sophisticated security measures, deliver adequate protection at the user AND device level through effective identification and encryption of the data they generate, transmit and store?
How can organizations harness the power of IoT to its full potential without compromising security? These are some of the questions which are addressed by using PKI to secure the IoT framework for smart city and other initiatives.
How does PKI fit within IoT?
PKI can serve as a technology paired with a set of rules, policies, and procedures – all based around the principle of Digital Certificates to provide a framework to identify a device, and simultaneously protect and encrypt the data transmitted between them.
Fundamentally, IoT needs to adhere to robust security policies where the identity of every endpoint is established and validated in a fool-proof manner. That’s where PKI comes into play.
The first step in securing IoT with PKI is to onboard each individual connected device by issuing a Digital Signature certificate to that device. Then, these certificates must be stored securely in a fool-proof and standards-compliant piece of hardware, which is where it becomes important to work with chip and device manufacturers.
Finally, the signature must be used and validated in every user-to-device and device-to-device communication across the IoT ecosystem.
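The onboarding and validation steps above, sketched with Go's standard library as an added example (not code from this article or from any vendor): a root CA issues a device certificate, and a receiver accepts a message only if that certificate chains to the trusted root and the signature verifies. The function names `issue` and `accept`, the CA and device names, and the payload are assumptions made for illustration; keys stay in memory here, whereas the article calls for hardware storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and certificate; a nil parent yields a self-signed root CA.
func issue(cn string, serial int64, parent *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root CA: self-signed and allowed to sign certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, t.KeyUsage|x509.KeyUsageCertSign
		parent, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// accept: the certificate must chain to the trusted root, and sig must verify under its key.
func accept(root, cert *x509.Certificate, msg, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return false // unknown issuer, expired, or otherwise untrusted
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}

func main() {
	root, rootKey, _ := issue("Constructed IoT Root CA", 1, nil, nil) // errors ignored in this short demo
	dev, devKey, _ := issue("sensor-0001", 2, root, rootKey)
	msg := []byte("temp=21.5") // constructed telemetry payload
	fmt.Println("enrolled device accepted:", accept(root, dev, msg, ed25519.Sign(devKey, msg)))
}
```

A device that presents a self-issued certificate under the same name, or a valid certificate with a signature made by a different key, fails `accept`.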
With increasing use of connected devices and optimistic estimations on the growth of connected device networks, security is perhaps more important now than ever. While the use cases and benefits of IoT are experiencing exponential growth, so are the risk and consequences associated with a single breach of a large IoT ecosystem.
It’s imperative for governments and other organizations to take this into account and ensure that adequate steps are taken to address these risks.
As a global foundation for management of transaction integrity, non-repudiation, occurrence, and encryption, PKI is optimally placed to supplement any IoT framework to ensure a generally higher level of security which can go a long way in the future.
(V Srinivasan is Founder Chairman at eMudhra. Views expressed above are his own)