Enterprise IoT Requires New Security Agenda
What are the possible threats for enterprises when we talk about Internet of Things (IoT) security?
The scope of threats and risks from the Internet of Things to enterprises ranges from as small as a scenario that poses a minor disruption to day-to-day operations, to a scenario that significantly affects the enterprise’s core business operations to a point where the enterprise’s ability to fulfil its commitments is at risk, and the enterprise’s reputation is at stake. Looking at it one way, an IoT security threat has the potential to affect at least one or more of the enterprise’s stakeholder community – employees, customers, partners, associates, and perhaps the wider community as well.
For instance, research firm IHS Automotive estimates that globally, 23 million cars currently connect to the Internet in some capacity. By 2020 that figure is expected to rise to 152 million. With an abundance of connectivity options and integrated control systems currently part of the modern vehicle, manufacturers are becoming aware of the need to secure these systems—particularly with the introduction of over-the-air upgrades to the devices that control the actual operation of the vehicle.
How would a hacker gain access to enterprise IoT devices?
There are several possibilities, depending on the enterprise sector. Take the case of an industrial control system environment where the scale of equipment is huge – especially if we consider a critical infrastructure production facility – making it expensive to put in place and hence giving it a long operational lifecycle. Often, the deployment of such infrastructure will be old and potentially unable to support current best-practice security mechanisms.
If a serious security flaw is discovered in the infrastructure, it’s often impossible to update the system with an approved patch (if there is one available) without halting production. Technicians need to schedule maintenance windows months in advance to avoid outages, and this sluggish response makes the infrastructure exposed and vulnerable to cyber-attackers armed with modern technologies.
In the case of the automotive industry, over-the-air upgrades to software are gateways for cyber-attackers to gain access to vehicle systems, giving them opportunity to introduce malicious software or settings.
Broadly, in an IoT architecture, cyber-attackers can exploit the system across three common domains, including the application, network and device domains. In the application domain, passwords can be accessible in plain text. Eavesdropping or masquerading as a user can reveal data and identification tokens or identity data and personal user information. Attacks on the network domain, including the core network infrastructure and access network, can occur by exploiting vulnerabilities in protocols such as Global System for Mobile communications (GSM), impersonating devices or inserting rogue devices to gain unauthorized network access, and making DoS attacks against network components.
At the device level, attacks can be targeted against end-user devices, such as televisions and household appliances, or industrial devices and systems, such as smart meters and control systems. Many devices depend on hard-coded access keys, making them vulnerable to brute-force attacks and spoofing. SCADA systems and IP Gateways tend to leave default passwords.
How are IoT security solutions different from traditional security solutions?
By design, IoT devices exchange data back and forth to a centralized cloud and may be connected to several other distributed devices and systems. Many devices are at the edge of an enterprise’s network and outside the enterprise’s existing security perimeter and sometimes directly connected to the internet. This is very different from traditional computing devices which often operate in an enterprise’s security perimeter and network, and where security solutions are limited in scope.
Implementing an effective IoT security strategy requires a detailed understanding of the assets to be protected and the security mechanisms employed, as well as the types of data being dealt with. For example, in Industrial IoT, operational and security requirements in the production of oil and gas differ significantly from those in the automotive or retail industries.
Companies today are excited about the IoT as they clearly see a lot of potential there. Security concerns aside, what excites you most about IoT?
The Internet has proven to be a great invention and tool to mankind. If we then think of the application of the Internet of Things, it becomes more exciting. The value of IoT is immense and far-reaching – across people, all kinds of organisations and practically every entity. The IoT will drive new innovations and new opportunities by bringing every object, consumer, and activity into the digital realm, and we’re working with businesses in every sector to establish use-cases and demonstrate value.
The IoT furthers the promise of the Internet – it will create numerous interconnected environments where businesses will collaborate with one another to make daily experiences simple, useful, delightful and personal to people, with traditional products companies able to innovate by adding related services and diversifying their revenue streams. Incredible solutions and innovations will be possible in the field of healthcare thanks to IoT, potentially benefiting millions of lives. The IoT will pave the way for newer education solutions, helping countries further improve literacy among their people. There are many such reasons for excitement, and they apply to every industry.
The IoT will also expand and enhance consumption of products and services, driving the economy and all the benefits that come with it like jobs, investment, creativity, innovation, and so on. As per the Accenture report “The Growth Game-Changer: How the Industrial Internet of Things can drive progress and prosperity”, by 2030, the Industrial IoT can contribute US$14.2 trillion to world output. The same report states that IIoT can add US$37 billion to India’s GDP in the next 15 years under current conditions. However, by taking additional measures, such as improving the telecommunications infrastructure, this figure could grow to US$47 billion for India.
Many big and innovative security vendors are venturing into the IoT space. How is Accenture trying to be different?
Accenture helps IT and business leaders develop and implement a security approach that ties security to business goals, combats a widening variety of threats, and embraces emerging technologies to support the enterprise’s pursuit of new digital business opportunities. Our experience helping corporations and governments across the globe use security to both defend the enterprise against malicious threats and enable the enterprise to operate new business processes while maintaining acceptable levels of risk, stands us in good stead in this industry.
We offer a broad range of information security services from strategy and risk management through enterprise and extended enterprise security, cyber security and managed security. We integrate security into all of the clients’ business processes, enabling them to protect customer data and critical infrastructure and applications while reducing costs and improving efficiency. We also work closely with other members of the digital ecosystem to find the best way to address security concerns in the IoT, from the silicon up to the network and beyond.
Accenture’s deep industry expertise, business process acumen, broad spectrum of security services and not just IoT, coupled with expertise and experience from our industry partnerships are reasons why clients choose to rely on Accenture. Our advanced research and technology through our Accenture Technology Labs provide fresh insights to help our clients harness emerging technologies and trends, and address current and future security challenges.
In addition, Accenture actively adds technology, consulting and strategy capabilities organically and inorganically in order to best serve our clients. Our recent acquisitions of FusionX and Cimation strengthen Accenture’s Security practice in the areas of cyber-attack simulation, threat modeling, cyber investigations, security risk advisory services, and process automation, information technology (IT) and industrial control system (ICS) cyber security respectively.
(This interview was first published on www.cxotoday.com)