Protecting Data on IoT’s Rocky Road

By Greg Hoffer

What is the Internet of Things?

To different people, the connected devices that make up the Internet of Things—IoT—can mean a lot of different things. They can be wearable devices that track fitness to home security gear that can be controlled and monitored from afar; they can be smart kitchen appliances or smart automobiles; they can be industrial machinery or medical equipment. Just about anything that has a function that can be measured is being outfitted with the means of connecting to the public network.

The combination of fad (who doesn’t need a smart toaster, right?) and utility is driving rapid growth in the IoT space right now. The technology analyst firm Gartner says that the market for connected devices will increase at a 31.7 percent compound annual growth rate (CAGR) through 2020 at which time it is expected there will be between 20 billion and 30 billion installed IoT end points. And each of those devices will be collecting information and transmitting that information. A lot of information.

By some estimates 2.5 quintillion bytes of data are generated every day. Some of that information may be regulated data or data that is of high operational value for an organization. Such data demands a great deal of protection to ensure its integrity from moment of capture until it is put to use. Yet the devices that are collecting and transmitting this information are, as a whole, shockingly unreliable and unsecure.

And yet, despite these troubling findings, organizations continue to rush headlong into the world of IoT asking these machines to collect mission critical data, process payments, locate individuals, monitor function and behavior… and then send that sensitive personal and corporate data on a very perilous journey.

The poor security endemic to IoT devices should come as no surprise to anyone who has been paying attention. For more than a decade remotely accessible devices have been at the center of a number of troubling events, including viruses that disrupted operations of the Davis-Besse nuclear power plant in Ohio in 2003, shut down manufacturing operations at Daimler-Chrysler plants in 2005, allowed a teenaged hacker to disrupt train service in Poland in 2008, and were found to be the focus of Russian hacker groups attacking U.S. public infrastructure.

But it was in October of 2016 that the degree to which the IoT was vulnerable to malicious actors was exposed when the largest botnet ever known—mostly comprised of millions of compromised IoT devices—was used to launch a massive denial of service attack on Domain Name Service (DNS) provider Dyn, bringing online activity for many popular private, public and commercial web sites and operations to a screeching halt.

In the months following that attack, attention has turned to the neglected issue of protecting data and devices, with some calling for governmental intervention and the imposition of strict security regulations on device manufacturers. In the meantime, what can be done to better protect the integrity of IoT devices, networks and the data that travels along that perilous road?

Simple measures that are standard operating procedure in other aspects of network operations should be applied to the integration and deployment of IoT networks as well, including making sure that vulnerabilities are identified and patched on a continuous basis; default and weak passwords on the devices themselves are replaced with strong passwords; encryption is used whenever possible to protect devices and data in transit from the device to its destination; state-of-the-art security and privacy policies and processes are employed on the systems used to store and analyze the data; operational contingencies established should the networks themselves fail; and authentication and access management set to guard against neglect and abuse of trusted access.

Securing the Internet of Things, and the data that is collected and transferred by billions of connected devices does not require that we invent new tools and techniques—merely that we apply the lessons we’ve already learned to a new model. It may not be easy, but it’s possible… and necessary.

About Greg Hoffer

Greg Hoffer is Vice President of Engineering at Globalscape where he leads the product development teams responsible for the design and engineering of all of Globalscape products.

More About Greg