IoT Security Threats: Know and Prepare for Thy Enemy

The Internet of Things (IoT) is widely regarded as the third and most significant wave of the Internet. It  promises some amazing advancements in literally every industry, from healthcare to energy, to smart cities and smart homes, that will impact us all in ways we have yet to imagine.

As I’ve discussed before, however, IoT also presents new challenges to cybersecurity and privacy. It isn’t a question of if there will be negative IoT impacts, but when, how severe and how pervasive will those negative impacts be.

Untitled

It’s in that regard then that I share this article by Network World’s Colin Neagle.

5 IoT security preps

In his post earlier this week entitled, “5 ways to prepare for Internet of Things security threats,” Neagle recommends the following to prepare for the inevitable IoT cybersecurity challenges before us:

  • Don’t underestimate the security impact of the Internet of Things
  • IT and operations need to communicate when buying, deploying smart devices
  • Keep track of software updates for smart devices
  • Educate end users on the risks
  • Educate IT on the nuances of the IoT

All are helpful, but perhaps none more than the first. Understanding and comprehending what an organization is up against – and what is at risk – is the cornerstone to safely leveraging and operating in the IoT marketplace.

To be honest, it reminds me of something I learned in grade school: students don’t plan to fail, they fail to plan. It will be the same with enterprise and IoT. Successful organizations will not only have the vision to leverage IoT solutions and drive profitability for themselves and their clients, but those organizations will also recognize IoT threats coming around the bend and will prepare ardently and diligently for them, in response.

The Real Power of IoT is in the (Big) Data

It’s often said by folks who know about the Internet of Things (IoT) that within the next 5 years or so, 50 billion devices (give or take) will be connected to one another through the Internet. Generally speaking many believe that these devices will open up a world of innovation and creativity driving new solutions in smart cities, energy production, manufacturing, transportation and healthcare, to name a few industry sectors.

Screen Shot 2014-11-25 at 5.05.18 PM

 Infographic developed by Intel. See http://tinyurl.com/pzec2la

What is sometimes left out of the conversation, however, is the potentially more life-altering impact that the data created by all these devices will have on everyday life. Enter “Big Data,”  the enormous amount of information that will be generated by those billions of connected devices in our cars, our homes, our factories and our cities.

This nexus was recently made crystal clear in Howard Baldwin’s  Forbes article that discussed Big Data analytics and the value of the same in the IoT:

“…[O]nce the Internet of Things gets rolling, stand back. We’re going to have data spewing at us from all directions – from appliances, from machinery, from train tracks, from shipping containers, from power stations…” 

Forbes IoT and Big DataCiting Drew Robb in his Enterprise Apps Today article, How IoT Will Change Big Data Analytics, Baldwin said that, by way of example, “Duke Energy’s Emerging Technology office is thinking about how to take advantage of communication from buildings, vehicles, people, power plants, and smart meters.”

According to Baldwin, “As one of Robb’s sources noted, “Every enterprise needs to factor in how the Internet of Things is going to affect them and their business, and must respond by establishing the right infrastructure to support this level of Big Data and analytics. If they don’t, they will fall behind.””

There will undoubtedly be thousands of companies who figure out how to add connectivity to their devices. The real prizes, however, will go to those who understand how to successfully harness and analyze the big data created by those devices, making possible previously unimagined ways of doing things and living our lives. Now  is the time to begin that journey.

 

Financial Firms Spending $2 Billion More on Cybersecurity

We can now add U.S. banks, insurers, money managers and other financial companies to the growing list of organizations spending more to protect and guard against the growing problem of cybersecurity. As reported by the Wall Street Journal this week, “Financial-services companies plan to bolster their cybersecurity budgets by about $2 billion over the next two years, according to accounting and consulting firm PricewaterhouseCoopers.”

“While Internet breaches have hit everyone from big-box retailers to the U.S. Postal Service, banks and investment firms are in the spotlight because they have been attacked frequently and handle reams of sensitive client data, including millions of checking and savings accounts. Banks’ response has been to spend more. Citigroup Inc. ’s annual cybersecurity budget has risen in recent years to more than $300 million, people familiar with the bank said.” (Emphasis added).

WSJ Firms bolster Cybersecurity budgets

“Overall, the number of financial firms reporting losses of more than $10 million from cybersecurity incidents increased more than 140% from a year ago, according to the PwC report. Financial-services companies accounted for 34% of all breaches in 2013, almost three times the percentage of the public sector, which garnered the next highest reading, according to the Verizon 2014 Data Breach Investigation report.” (Emphasis added).

Considering the risks involved and the highly sensitive and private nature of the information handled, stored and processed by these firms, this is definitely welcome news. It is also, however, a sign of things to come and an unwelcome indicator of the current threat level that companies in all industries face. Cyberthreats are real, they are increasing, and they can be devastating to consumers and the companies who serve them. Organizations across the spectrum would be well served to conduct their own risk analysis and dedicate whatever resources are needed to address these threats and ensure to the best extent possible the privacy and security of the information they are entrusted with.

WSJ cyber spike graph

 

Are 3rd Party Vendors Our Biggest Cybersecurity Risk?

It’s happened again…

Following reports that the Target security breach was carried out by way of a breach at a third party (HVAC) supplier, now comes news that the Home Depot breach – that compromised more than 56 million consumer credit and debit cards – was accomplished by criminals using a third-party vendor’s user name and password to enter the perimeter of the Company’s network. This marks the second such vendor-accessed high-profile high-volume cybersecurity breach in the last twelve months, with a resulting unlawful disclosure of a combined two hundred million customers’ personal and confidential information.

Screen Shot 2014-11-12 at 10.46.43 AM

In both cases, compromised or stolen data from the vendor was used to penetrate the outward facing retailer’s cybersecurity defenses – once in, criminals were able to hack,  navigate, expose and capture personal information.

“The attacker is just going after access vectors that for whatever reason remain weak,” said TK Keanini, CTO at Lancope, in an email. “[ ]  Supply chain is ripe and attractive because 1) it often has more access than it really should to the firm; and 2) the firm grinds down these suppliers’ margins so low that suppliers then cut costs by cutting security spending: It is going to get a lot worse before it gets better.”

Unfortunately, these breaches are certainly not the last we’ll see that are vendor-originated. They do, however, fully illustrate the need for organizations to carefully and thoroughly vet their suppliers, including and perhaps especially those who provide products and services seemingly unrelated to technology or networking. Procurement, legal and IT should all be part of the vendor selection and on-boarding process to help best protect the organization, its assets, its reputation and its customers.

IoT Standards Movement Continues to Grow

The proliferation of standards for the Internet of Things (IoT) continued its growth today when the AllSeen Alliance, a “nonprofit open source consortium dedicated to driving the widespread adoption of products, systems and services that support the Internet of Everything,” announced that its group had expanded with the addition of nine (9) new companies and one new sponsored member.

dog hunter (IoT WiFi modules, control and sensor management solutions), FengLian (commercial WiFi and intelligent home product and support provider), ForgeRock(R)(identity relationship management solutions ), INSTEON (networking technology for the connected home), MobilityLab (next-generation enterprise mobility solution MobileSputnik), NETGEAR (global networking company), Organic Response (sensor-based lighting control system), Quanta Computer (Fortune Global 500 Company, the largest manufacturer of notebook computers) and VeriSign, Inc. (global leader in domain names and Internet security) have joined the initiative according to the press release. New sponsored member Korea Electronics Technology Institute also joined the group. The Alliance now totals 80 companies and 12 sponsored members.

“AllSeen Alliance members are collaborating to advance the seamless connection of a range of objects and devices in homes, cars and businesses by building out an open source software framework, called AllJoyn(TM). Through code that is available today and continuously updated through contributions by members and the open source community, AllJoyn acts as a common language for devices to interact regardless of brand and other infrastructure considerations.”

Screen Shot 2014-11-05 at 9.30.26 AM

 

Standards-making bodies such as AllSeen have been growing rapidly over the past few years, as the quest for common languages, rules, requirements and protocols tries to keep up with the advancements in technologies now driving IoT.  Other groups including but not limited to the Industrial Internet Consortium, the Open Internet Consortium, JCA-IoT, IoT GSI, GSC MSTF, Thread, and the International Organization for Standards are all attempting to develop commonalities to support and drive the interoperability of the estimated 50 billion devices that will make up the Internet of Things in our homes, cars and workplaces by 2020.

Company Culture and Cybersecurity are Critically Intertwined

How serious is your organization about securing and keeping private the consumer and other data you access, handle, store or otherwise process? Put another way, does your company culture emphasis and value the allocation of precious resources to fight cybersecurity threats?

These are particularly important and timely questions to ask, especially in light of recent well publicized data breaches affecting millions of Americans. According to a recent New York Times article, one of those breaches involving Home Depot was due at least in part to years of neglect and a lack of attention to vulnerabilities and warnings by former members of the company’s cybersecurity team. This alleged culture that stressed “selling hammers” over securing data left the company open to attack from malware that it says “had not been seen before and would have been difficult to detect.”

Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”

Screen Shot 2014-10-29 at 12.48.32 PM

Additional investigation (and litigation) will likely tell more about whether and to what extent company culture played an integral part in the data breach that ultimately compromised 56 million of Home Depot’s customers’ credit cards. In the meantime, however, all organizations – for-profit and non-profit – should be taking a long hard look at how they value cybersecurity. Is company culture deeply intertwined with a dedication to keeping data safe, or is the privacy and security of information ‘something for IT to worry about?’

Federal Regulation Coming Soon to the Internet of Things

It was really only a matter of time…to the extent that the Internet of Things (#IoT) isn’t already regulated by existing state and federal rules, the United States Senate now appears to be taking at least preliminary steps towards legislation that would specifically apply to IoT. According to an article published in The Hill today, “A bipartisan group of lawmakers on the Senate Commerce Committee wants Chairman Jay Rockefeller (D-W.Va.) to hold a hearing on the millions of new connected refrigerators, cars and other devices.”

“‘The so-called “Internet of Things” is “sparking a number of important policy questions” about security and privacy, Sens. Deb Fischer (R-Neb.), Cory Booker (D-N.J.), Kelly Ayotte (R-N.H.) and Brian Schatz (D-Hawaii) wrote to Rockefeller and ranking member John Thune (R-S.D.) on Monday. Congress should engage on the issue cautiously and constructively, in a bipartisan fashion, and we appreciate your leadership in examining this topic,” they wrote.'”

This is an important but not unexpected development, especially given the rash of recent highly publicized data breaches. It’s also not truly the first foray of the federal government into IoT, as the Federal Trade Commission (FTC) in November of last year held a public workshop on IoT privacy and security implications.

Read The Hill’s full article here, and stay tuned for more federal action on IoT to come.

Screen Shot 2014-10-21 at 12.58.20 PM

“Now is the right time for the Senate Commerce Committee to hold a hearing…”

Startups are Leading the Way in IoT…Is That a Good Thing?

According to the world’s leading information technology research and advisory firm Gartner, Inc., in just two short years 50 percent of Internet of Things (IoT) solutions offered to enterprise and the consuming public will originate in startups that are less than three years old. This means that “makers” (folks like inventors, tinkerers and entrepreneurs) as well as “startups” (fledgling businesses that are often technology-focused and have the potential for high growth) will be driving and shaping the IoT landscape in the coming years, not the large-scale dominant players we tend to think about (Cisco, GE, Google) with emerging market trends.

“Conventional wisdom is that the growth of the Internet of Things is driven by large enterprises. As is always the case, there is an element of truth in conventional wisdom and major consumer goods companies, utilities, manufacturers and other large enterprises are, indeed, developing IoT product offerings,” said Pete Basiliere, research vice president at Gartner. “However Gartner’s Maverick research finds that it is the makers and the startups who are the ones shaping the IoT. Individuals and small companies that span the globe are developing IoT solutions to real-world, often niche problems. They are taking advantage of low-cost electronics, traditional manufacturing and 3D printing tools, and open- and closed-source hardware and software to create IoT devices that improve processes and lives.”

It’s exciting to think about the innovation and creativity happening in these small companies and the IoT solutions they will generate in medicine, smart city management, manufacturing and other fields. However, since many small and emerging companies often lack the critical resources to fully secure their services or products, and since 8 of out 10 entrepreneurs who start businesses fail within the first 18 months (Forbes, Sept. 2013, from Bloomberg), it is somewhat concerning, as well. For IoT to ultimately be the success so many want it to be, and for IoT solutions to positively impact people’s lives, trust in providers will be key. If IoT providers don’t stay around for long and/or they don’t protect consumers and keep their private data secure, confidence in IoT will erode before the many exciting innovations even have a chance to come to market, fulfilling the promise of the technology.

Screen Shot 2014-10-14 at 1.02.56 PM

 

http://www.gartner.com/newsroom/id/2869521

The Internet of Everything (IoE) is Changing Education…For the Better?

“Educators need to embrace [the] ‘connected student…’ They need to leverage mobile phones to collect data to interpret students’ behaviors and habits, create personalized teaching plans and remove the need for examinations, replacing them with ongoing assessments…”

This is the vision of an Internet of Everything (IoE)-transformed education system, as set out in this interesting piece on ZDNet by Cisco’s Contributing Blogger on IoE (see below screen shot and link to full post).

You might or might not agree with this fascinating and provocative take on IoE and what education can or perhaps should be, but technology is clearly changing our traditional approach to educating our children. The idea here is that the Internet of Everything (IoE) – a future where every device is connected and can talk to other devices, enabling instant access to information and data and reliable unified communications – will evolve how we educate students towards an immersive, collaborative, interactive, real-time, hands-on type of learning designed to better connect the act and process of education to students’ application of knowledge in jobs and in life.

“Thanks to technology, education is evolving from a linear knowledge-transfer model, to a more collaborative, engaging process. Rather than a bottlenecked route for information to come from set textbooks, students are able to use the internet to discover their own sources of information to add to the overall learning process.

The push towards connected learning is designed to prepare children for their professional lives, which will demand an ever-increasing familiarity with, and proficiency in technology.”

This transformation is happening today in Australia, South Korea, the UK and in places closer to home like Cleveland, Ohio. So buckle up and get ready for more IoE driven change – the Internet of Everything is happening now in a community near you.

Screen Shot 2014-10-07 at 5.05.16 PM

http://www.zdnet.com/lessons-in-the-internet-of-everything-7000034293/

Thread Protocol Aims to Address Interoperability Challenges of IoT

Key players in Internet of Things promote Thread protocol at Google campus

One of the main challenges confronting a future of a seamless, secure IoT is the likelihood that not every device will be able to talk to every other device. Think of this as VHS versus Beta – if your Nest thermostat won’t ‘talk’ to your Ford F-150, then your truck can’t tell your house that you’re almost home so the temp can be lowered! I know, that would be a disaster, right?

Ok, maybe not. But what if the medical device implanted in your mom’s abdomen that gives her life saving medicine doesn’t ‘talk’ to her cell phone or her doctor’s servers? Now that is a problem.

To ensure that devices will talk to one another and be interoperable, there are a number of movements occurring to standardize platforms or languages, if you will. One of these is Thread, the aim of which is to allow up to 250 devices to communicate and operate with one another, bringing Thread-enabled devices into one harmonious IoT environment.

Check out the attached article for more information, and stay tuned for more developments re: Thread and other movements to help enable IoT communication regardless of make or model.

Screen Shot 2014-10-01 at 1.29.34 PM

John Ansbach on IoT, Cybersecurity & the Technology Trends of Tomorrow