11 April 2017 | Richard Newell
A 2015 McKinsey report on the impact IoT will have on the world economy by 2025 highlighted industries where connected devices would add value. But a potential impact of $3.9 trillion to $11.1 trillion a year in 2025 masks risks that must be addressed.
At the 2016 Structure Security conference in San Francisco, Intel Security’s Scott Montgomery described an “enormous tug-of-war between convenience and privacy” in IoT, with device manufacturers clearly not doing enough to pull on the privacy end of the rope.
AT&T, IBM, Nokia, Palo Alto Networks, Symantec and Trustonic are forming an IoT Cybersecurity Alliance to raise awareness of ways to secure the IoT ecosystem.
And standards may be coming. In January the Online Trust Alliance (OTA) released an update to its IoT Trust Framework, which includes 37 principles in four key categories: security; user access & credentials; privacy, disclosures & transparency; and notifications & related best practices. OTA sees this framework as the base for IoT certification programmes.
IoT security is still immature, but there are best practices that can be applied today to help protect systems.
1. Device authentication: Both the device software and hardware should be authenticated when accessing a network.
2. App access controls: Restrict which apps can access a device, and monitor the data transmitted, using standard mechanisms such as firewalls.
3. Life cycle management: Devices should ship with current software and be able to receive safe, timely updates.
4. User access controls and credentials: Apply access controls and password policies to limit user access.
5. Data: Data in transit and in storage must be encrypted using up-to-date security and cryptography protocols.
Richard Newell is CIO at IWMS provider Service Works Group.