Carl Leonard, Principal Security Analyst at Forcepoint, talks about the Internet of Things and its implementation in the workplace.
Tell us about yourself and your company Forcepoint...
Forcepoint is transforming cybersecurity by focusing on what matters most: understanding people’s intent as they interact with critical data and intellectual property wherever it resides. The company’s uncompromising systems enable companies to empower employees with unobstructed access to confidential data while protecting intellectual property and simplifying compliance. Forcepoint protects the human point for thousands of enterprise and government customers in more than 150 countries.”
In my role of Principal Security Analyst my objectives are to influence research activity within the global Security Labs team to ensure that we publicise the depth of knowledge at our disposal.
I am a contributor/author to annual Threat Reports, Predictions reports, Industry Drill-Down reports and blogs. I am a podcaster and conference speaker having presented at RSA USA, InfoSecurity Europe, eCrime and others. I regularly advise business leaders on how to solve the challenges of current and future threat landscapes.
The report also said that one of the main factors stopping people implementing IoT were security concerns - have you seen evidence of that? And, if so, how can it be combatted?
One of the key barriers to success with the Internet of Things will continue to be security. The race to get products into the market to gain an edge over competitors has seen a proliferation of wireless devices that connect effectively, but are otherwise cheap, small and expendable as they feed data into our digital ecosystem. Ensuring these devices are genuinely secure from cyber threats and vulnerabilities has been an afterthought at best, with many developers dismissing these precautions almost entirely. If the implementation of the IoT is to be a fully functional success, this issue has to be avoided. This can be done in three ways:
• Bring transparency to the standards and protocols that govern how a new technology works so the developers who depend on them can understand where risks reside
• For businesses including new technologies into their supply chain or operations, vulnerability assessments should be best-practice
• Continued sustainment of the Internet-of-Things requires active maintenance rather than deploying and forgetting about any device
Businesses need to appreciate that the wide scale adoption of IoT devices, coupled with these devices often being both easy to access and unmonitored, has made them an attractive target for cybercriminals wishing to hold them to ransom or obtain a long-term, persistent presence on the network. As the number of IoT devices has grown and interconnections have multiplied, so has IoT malware, which nearly doubled from 2015 to 2016.
Going forward, the biggest emerging concern we’re seeing is ‘the disruption of things’. The internet of connected things offers access both to massive amounts of critical data, and to disruptive possibilities. A clear example is connected refrigerated trucks – malware could be used to interfere with a network of these vehicles to raise temperatures, spoil food and disrupt social infrastructure. The option will also be there to build a larger, more powerful ‘botnet of things’ to extract data or demand ransom from targeted victims.
As it stands, we don’t feel that the IoT industry is actively learning from previous security missteps, such as the one stemming from the discovery that smart meters installed by utility companies in Spain could be hacked to under-report energy use. If not appropriately addressed in the near future, this kind of poor protection against tampering could eventually lead to the systematic shut down of power across a wide area. We will then also see integration of a man-in-the-middle (MiTM) attack into an IoT network. As more connected devices, such as home personal assistants, have financial data associated with them, they become more attractive and lucrative targets for attackers.
How important is the Internet of Things to business in the world today?
IoT opens up a world of possibilities to reduce production costs, increase accuracy of monitoring, bring competitiveness to the innovators, and make our lives easier. It is as important as machine learning, automation and the cloud in that it will revolutionise how we do business and how we conduct our daily lives.
What do you think has been the key to the IoT becoming fairly successful?
The key to IoT’s success is cheap devices, ease of roll out, and large choices in the marketplace as vendors compete to be “first to market”. IoT manufacturers don’t have to be “best in market” as they can quickly establish themselves with a strong foothold in the rush to market. Unfortunately this means that security features are often lacking or poorly thought through. Given the importance of IoT devices in handling huge amounts of data and being essential to safe function in industrial settings and in a consumer environment, it is critical to embed security into the devices, their transmission of data, and access to the devices. Unfortunately this is not always top of the list in the purchaser’s buying criteria.