Cyber Security in the IoT Age

Shashank Bajpai, Chief Information Security Officer, ACKO General Insurance

Headquartered in Mumbai, ACKO General Insurance offers a diverse range of insurance services that include Car & Bike Insurance, Ola Insurance, Mobile Insurance, and many others.

We have very much entered the Internet of Things (IoT) Age. IoT is everywhere around us, from Smart Homes, Smart Cars and Smart Devices to Control Systems in the Manufacturing Industry and Point of Sale (PoS) Devices at various locations. These are all inter-connected and constitute the ever-growing reach of IoT. As for that reach, there are more than 12 billion devices that can currently connect to the Internet, and researchers at IDC estimate that by 2020 there will be 26 times more connected things than people. According to Gartner, consumer applications will drive the number of connected things, while enterprise will account for most of the revenue. IoT adoption is growing, with manufacturing and utilities estimated to have the largest installed base of Things by 2020.

IoT technology is enabling both ease of access and ease of usage, harnessing the technological evolution in telecommunication and driving financial inclusion. On similar lines, IoT Security is also evolving, with new technologies and control processes deployed to secure the IoT. Hackers and fraudsters are also capitalizing on this new arena, with numerous security breaches dominating the headlines lately. It has already been revealed that internet-connected televisions can be used to secretly record conversations and that microwave cameras are being used for surveillance. End users are no longer immune to IoT attacks either, with 96 percent of security professionals responding to a new survey expecting an increase in IoT breaches this year.

Even if end users don’t personally suffer the consequences of the sub-par security of the IoT, their connected gadgets may well be unwittingly cooperating with criminals. Last October, Internet service provider Dyn came under an attack that disrupted access to popular websites. The cybercriminals who initiated the attack managed to commandeer a large number of internet-connected devices (mostly DVRs and cameras) to serve as their helpers. A recently released research report for security and risk professionals concluded that there is no single, magic security bullet that can easily fix all IoT security issues.

A few of the key challenges to achieving a secure IoT can be outlined as below:
• Many IoT devices lack basic security requirements
• There is a plethora of IoT standards and protocols that create security blind spots
• The scale and scope of IoT deployments hinder visibility into security incidents
• There is a lack of clarity of responsibility regarding privacy and security

We can expect further sophisticated attacks that leverage insecure IoT devices in the coming months and years. One of the world's leading research and advisory companies placed security at the top of its list of top 10 IoT technologies for 2018. IoT security will be complicated by the fact that many 'things' use simple processors and operating systems that may not support sophisticated security approaches.

It’s also complicated because simple things connect to become a vast network that reaches everywhere. According to a report released by a premier research company:
• IoT security requires an end-to-end approach
• Encryption is an absolute must
• IoT security scenarios place a premium on scalability
• Security analytics will play a significant role in IoT security solutions
• IoT standards are important catalysts but still need time to mature

Based on an analysis of several research papers and industry adoption, IoT security can be broadly outlined in the following key domains:

• IoT Network Security: Protecting and securing the network connecting IoT devices to back-end systems on the internet.

• IoT Authentication: Providing the ability for users to authenticate an IoT device, including managing multiple users of a single device (such as a connected car), ranging from simple static passwords/PINs to more robust authentication mechanisms such as two-factor authentication, digital certificates and biometrics.

• IoT Encryption: Encrypting data at rest and in transit between IoT edge devices and back-end systems.

• IoT PKI: Providing complete X.509 digital certificate and cryptographic key and life-cycle capabilities, including public/private key generation, distribution, management, and revocation.

• IoT Security Analytics: Collecting, aggregating, monitoring, and normalizing data from IoT devices and providing actionable reporting and alerting on specific activities or when activities fall outside established policies.

• IoT API Security: Providing the ability to authenticate and authorize data movement between IoT devices, back-end systems, and applications using documented REST-based APIs.

The continued evolution of IoT-specific security threats will undoubtedly drive innovation in this space; so expect newer IoT-specific security technologies to appear in the creation phase in the near future, many of which may align around vertical and industry-specific use cases such as connected medical devices or industrial applications.

While cyber security is well understood amongst computing professionals, the attraction of IoT is drawing interest from newcomers from all quarters who are significantly less familiar with contemporary best practices or even the full implications of a breach. An insecure IoT product may not be the ultimate target but could provide the pivot point for an attack elsewhere in the system. Cyber security is also a moveable feast; what is deemed secure today may not be so tomorrow. We can expect more of the same to apply as IoT applications emerge and mature. While ultimate security will likely remain elusive, we have to do all we can to add depth in our defenses and make it ever harder for adversaries to succeed in their nefarious endeavors. It’s imperative for today’s digital businesses to balance the business benefits that IoT-connected products can deliver with the recognition that these same devices have become an attractive attack plane for hackers and cybercriminals seeking to cause disruption and exfiltration of sensitive data.