News flash: to help fight California’s drought, Samsung is offering a $100,000 prize to the innovator who creates “the most effective use of IoT and ARTIK [Samsung’s IoT platform] technology for reducing water consumption by individuals or municipalities.” When the average reader of this news headline needs no explanation of what “IoT” means or what this contest is about, we know IoT, or the Internet of Things, is for real. There are already an estimated 25 billion connected devices around the world, according to expert estimates.

There are many benefits of IoT, including enhanced productivity, accurate and timely medical services, and better quality of life, just to name a few. But there are also many risks such as potential invasions of privacy, ethics violations, lack of standards, and more.

In this post, I will focus on one of the biggest challenges: Security in the IoT. Let’s use the Samsung ARTIK Challenge as example: what if the winning solution was hacked, the water conservation formula was altered, and all the Internet-connected water pumps, sprinklers and faucets were turned on instead of shut down?

While there isn’t one single solution that will eliminate IoT security risks, a review the components of IoT and the associated security risks suggests to me two Internet infrastructure upgrades that can help mitigate some of these risks.

Components: What Are the Things in the Internet of Things?

Gartner’s definition of IoT is simple: “It is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” We came across a visual from a Celent report which summarizes the concept very well:

Now let me highlight the security risks associated with each of these components:

1
• The status data itself can be compromised
• The reporting process communicated via the Internet can be interrupted/hacked

2
• The data itself can be compromised
• The wrong data can be fetched/fed

3
• The identity of the physical object can be compromised: Data can be fetched from or fed to the wrong objects; or the wrong object can be programmed to take action
• The embedded software may become obsolete
• Software updates may be compromised

4
• The analytics process can be interrupted/hacked

5
• The severs can be hacked
• Analytics programming can be compromised

6
• The communication process via the Internet can be compromised/redirected

All the network, hardware and software security risks we face today will get even more complex and will have an even bigger impact as more and more things become interconnected. IDC estimates by 2016, 90% of all IT networks will have an IoT-based security breach.

Infrastructure Upgrades that can mitigate risk

Among the many Internet security strategies, I see two that have significant potential: the CrypTech Project¹ and DNSSEC.

• The CrypTech Project: Making the Things at the Fringe More Secure The CrypTech Project is about making hardware secure via cryptography—so when you are communicating to a piece of hardware via the Internet, you know you are communicating with the right piece of hardware. Since the Internet of Things is made up of billions of things, or hardware, it’s critical to maintain the integrity and the identity of every individual piece of hardware. The mission of the CrypTech Project is to create an open-source cryptographic engine for hardware that everyone can use. Since it is open source, anyone contribute to it, making it easier to upgrade and keep current and effective. CrypTech is working to create an open, common standard, which is particularly important with IoT due to the complexity of the ecosystem and the need for interactivity. The project is already close to delivering a working prototype, which is a significant achievement. When implemented, the project promises that no part of its architecture, data stores, or message passing systems will be un-encrypted.
• DNSSEC: Making the Internet at the Core More Secure DNSSEC (Domain Name System Security Extensions) is an Internet security protocol that enables authentication between the origin of a communication and the destination; in other words, it ensures that a communication intended for one destination cannot be diverted to another destination (as in a “man in the middle” security attack). In the IoT world, communications across web sites, applications, and devices are happening constantly. When we look up a DNSSEC validated web site for an IoT software update or to perform IoT analytics, we know we are accessing the right site—because DNSSEC guarantees that anyone trying to redirect us to a different location/site will fail. This is the kind of security we need. Protection against “man-in-the-middle” attacks are going to be even more critical as the number of connected devices across connected networks explodes.

Everything Is Changing—From the Fringe to the Core. Are You Ready?

According to IDC, over 50% of IoT activity is centered in manufacturing, transportation, smart city, and consumer applications, but within five years all industries will have rolled out IoT initiatives. Verizon predicts by 2025, best-in-class organizations that extensively use IoT technologies in their products and operations will be up to 10% more profitable due to expected efficiency gains. In the United States, the FTC has declared that the only way for IoT to reach its full potential for innovation is for it to earn the trust of consumers by demonstrating that it provides the protection they expect. Security is at the heart of this protection.

As we explore the many possibilities and benefits IoT brings to our increasingly connected world, security must always be part of the business requirement and not an afterthought.

¹ Afilias provides monetary support to the Cryptech project