Like all hardware, applications and services in the communications and IT world, the Internet of things (IoT) must be secure. Think about all those billions of devices connected in 10 years. Now think about all the rich, personal data collected on those devices, flying over networks, stored on virtualized servers, and accessed by various end-users of the data. We need to consider the security implications of IoT devices and the systems surrounding them. I postulate that the risks are greatest where sensor data are combined with customer information and stored in large volumes on enterprise servers (see Figure 1).
Suffice it to say there are security risks all along the IoT value chain from the device-side to the back-end applications and then to the presentment of the data to end-users. And it’s important for security experts to have involvement in the careful IoT planning, deployment and operational processes (if you are interested in learning more about how to implement security aspects for different IoT projects, please read the expert’s post in this blog).
But I believe the real risks exist where large volumes of data – sensor data coupled with personal information or asset information – are aggregated and analyzed on cloud-based or on-premises servers. These collection and storage points are treasure troves for would-be hackers. That being said, those implementing IoT projects for enterprises can readily conduct security audits and attempt to mitigate these security risks – the same types of security risks that exist in almost all IT and application deployments.
While there are security risks associated with the OS and applications on the IoT devices and on the end-user side, those risks generally involve a single device or end-user profile. The risks to the individual device or individual are generally more limited in these cases, as any data compromised would likely be limited in size and scope.
There are also security risks associated with core networks – carrier networks – and ancillary OSS/BSS systems associated with the provisioning and management of IoT and M2M solutions. No doubt there are security risks associated with the transfer of data along these networks and network elements; however, carriers in general build extremely high levels of security into their networks and ancillary systems. Even in cases where the ancillary systems are hosted off-premises by a third-party service provider, there are high levels of carrier-grade security built into the architectures.
Also interesting to consider are the security requirements for various IoT applications and different requirements by geography. For example, the security requirements for connected car data might be quite different than security requirements for public safety or government sector solutions. In addition, security requirements dictated by regulatory and legal codes in various geographies could differ significantly. These differing requirements certainly add complexities to multi-national IoT implementations.
Share your thoughts about IoT security. Where do you believe the greatest risks exist? What do you think are appropriate steps for enterprises to take in mitigating those risks?
Thanks and stay tuned for next month’s posting of my series here on Bosch’s IoT blog.