We spoke to Allen Storey, Product Director of cyber-security company Intercede, about the threats inherent in the Internet of Things, and the steps which must be taken to protect consumers and companies against them.
TechRadar Pro: What are the main opportunities and threats to come from the IoT?
Allen Storey: The opportunities are almost endless.
As more and more devices become connected their ability to interact in smarter ways will allow for the provision of new and more personalised services e.g. monitoring my health via wearable technology or controlling my home heating, lighting and security system from my phone.
A number of these technologies are already emerging (just look at Hive), but as things become smarter and more connected they will break out of their silos (i.e. only communicating with their own service) and start to communicate with each other.
Imagine my self-driving car is told by my smart fridge that I am out of coffee and reroutes me to a supermarket on the way home from work to buy some. The world enabled by big data has only just begun!
The main opportunities go hand in hand with the main threats. As things become more connected the opportunity to hijack them for nefarious purposes increases.
Being able to send my son an electronic key to his phone to let him in the house would be beneficial on those occasions when he has lost/forgotten his key. However, I need to be sure that only I can send a key and only my son can receive and use it, otherwise it will become an easy target for thieves.
The greatest online threat at the moment is identity theft. Within the IoT that threat will extend to identity theft of a device as well as a person. Imagine that device is protecting an element of critical national infrastructure such as a power station… the threats therefore extend beyond those presented by the casual criminal to those of more concern such as organised crime and terrorism.
TRP: Who is in charge of regulating and setting standards within the IoT? Surely without a single centralised body, such as the GSMA in the telco space, there can never be uniformity?
AS: The internet has no single regulatory authority, but that does not mean there cannot still be standards. The internet itself is a good example of how multiple services and devices can communicate over a common network that nobody owns.
A number of major industry players see the benefit in securing the internet and have formed alliances to attempt to set vendor-independent standards in this area (e.g. the FIDO Alliance with members including Google, Microsoft, MasterCard, Samsung, PayPal, Visa and Intercede). Combined with government initiatives such as US NSTIC (National Scheme for Trusted Identities in Cyberspace), all this is showing that both industry and government have a desire and indeed mutual interest in providing solutions.
TRP: How can you secure the IoT?
AS: This is a heavyweight question with multiple parts to the answer best provided by specialists on each area, hence the need for collaboration within the industry.
Intercede believes a starting point has to be knowing who, or what, is connecting really is that which they claim to be. This is ideally achieved by means of a tamper-resistant digital identity that can be electronically verified online.
TRP: Do you think consumers and companies alike are aware of the security threats represented by the IoT? Whose job is it to educate consumers/companies about the IoT in general? Government, individual organisations, or is it the individual's own responsibility?
AS: It is difficult to look at a news site without seeing yet another story of a major organisation being hacked or passwords being leaked, and I believe that the public is beginning to understand that passwords alone are no longer enough.
The consumer mind-set has not yet moved on to understand the security threat implicit in multiple connected devices, and the concern is that waiting until the problem occurs is too late. The industry needs to work together to ensure security is designed in from the start, not provided as an afterthought.
Education has to be a joint effort from industry, governments and academic bodies, as consumers generally want convenience first and security is much further down the list, so it is our job to help.
TRP: What is the best way to secure yourself or your company against security threats in the IoT?
AS: Don't bury your head in the sand and think it won't happen to you. Weaknesses in security systems will be exploited. Look at what and who will be connecting to what and determine a security strategy based around risk.
The level of security employed has to be appropriate to the risk, but starting with the basics of who and what are connecting is a good place to begin.
TRP: Which types and sizes of organisations are best suited to MyID?
AS: MyID is an extremely scalable product, from small to medium organisations with 500+ users all the way up to major government projects with millions of users.
TRP: Who is in charge of the MyID implementation? The device manufacturer, the individual or the company?
AS: MyID can be installed on-premise for those organisations wishing to take care of managing identities in-house, and it is also provided as a managed service by a number of Intercede partners for those wishing to adopt an IaaS (Identity as a Service) model.
TRP: Where do you see MyID in terms of the wider vision for the IoT moving forward?
AS: MyID is all about creating trusted identities for people and devices. Today these tend to be for employees and machines managed by large organisations, tomorrow it will be devices capable of interacting in a secure manner – be it a health band, a car or a fridge.
from TechRadar