Tim McElwee is a leading cyber security expert and CEO at ZitoVault whose mission is “Safeguarding the Internet of Things.”

In our conversation with Tim we got great information about securing the Internet of Things, where the threats are coming from, how you can protect yourself in your home with your own consumer IoT products, and how enterprises should be thinking about security.

ZitoVault Banner

Help us understand the importance of security. What is the objective of someone attacking an IoT system?

Cyber attackers are typically after information and disruption. Information on corporate data, intellectual property, financial information, personal information, and now it is getting to the point where the question you want to ask is, “What do attackers wish to do with this information?”

There are many classic possibilities ranging from data theft, to financial gains, to disruption. With the Internet of Things connecting a projected 50 billion devices by 2020 according to Cisco, cyber attacks now open up new and dangerous possibilities of causing physical harm on a wide scale.

As we grow with technology, and if you look at who are initiating cyber attacks, the majority are for criminal or terrorist activities.

We see a lot of publications about how communities are threatened by terrorists and other bad characters who are stealing things like credit card numbers or hacking into security systems.

However, it is much broader than that. At the national level, terrorists are looking to disrupt critical infrastructure. A recent power outage in the Ukraine was linked to cyber attackers compromising an industrial control system. At an enterprise level, attackers are after competitive information and intellectual property. At a personal level, they are looking for private information that can be used against us or sold back to us.

For example, you log into your home security system to enable or disable your alarm. But if I compromise your home router, I can monitor your home network and potentially control devices connected to it, including your home security system.

Broadly speaking, a hacker can piece together information about your IoT devices in your smart home, and gain knowledge about your habits and your behavior. In an industrial enterprise scenario hackers can gather insider information about your manufacturing usage and capacity. Both cases can be exploited detrimentally to a person or an enterprise.

On a personal level, someone targeting a high-net-worth individual can gather public information available online and combine it with private information from IoT devices, and carry out an identity theft attack.

So in general, having security is not just to protect the provider of the information like when transacting a payment. It is also about moving it back to protecting businesses and people, from information loss, personal attacks, or physical attacks.

Security is becoming a major part of the entire IoT ecosystem as the proliferation of technology makes our daily life activities more convenient. We no longer open our garage door from the button that the vendor gives you, or even the one that’s integrated to your car. We now open the garage door, control lights, enable our alarm system from our phone.

This is great, but as we do more and more things through IoT, users, device makers, and service providers have to be more prudent when it comes to security.

IoT Security

By getting inside of a smart home, hackers can gain access to the data and devices inside that home. The same goes for a business, a hospital, or government entity.

What do you see as the top security issues for the Internet of Things?

A recent study by HP showed that 70% of the best selling IoT consumer products lacked adequate security measures. That becomes a real problem when an IoT device enters somebody’s home or office network, and is not secure.

The other thing is security patches and updates. When was the last time you did a software update on your iPhone? Last month maybe? Apple along with Microsoft, probably are the best in the industry at keeping phones and consumer devices current to prevent security attacks and fix bugs.

The problem is, can you remember the last time you updated the software on your home WiFi router?

The problem is, can you remember the last time you updated the software on your home WiFi router? When you have devices that are central to security, like routers, and you do not have a scheduled security patch pushed out on a regular basis, they become the weak link in your defense.

Additionally, many IoT devices are not inherently secure because IoT device makers are under time and cost pressure to rush to market, with security as an afterthought. So the threat is substantially increased

If you can breach an IoT device, you can use that as a pivot point to get into higher value devices with more sensitive information. The problem is just as real for your home as it is for an enterprise, a power grid, a water supply, or a nuclear facility.

To give you an example of the scope of the problem. One of the biggest challenges that even large enterprises face, is they do a vulnerability scan, they know what the vulnerability is, but 80% of the time companies do not take the necessary corrective action to solve the problem.

Another example in the infrastructure space such as a power grid, or wind or solar field, is that these systems use legacy devices. Those devices have a long life span of over 10 years, many of them send data unencrypted in the clear, and lack the ability to perform over-the-air software upgrades, to address security vulnerabilities.

When should security be addressed during the product development cycle?

In general, thinking of security and privacy early in the process is better than trying to figure out how to add security later down the road. Depending on what the product is delivering, the sensitivity of the information, or the sensitivity of the environment, would naturally raise the importance of security.

That’s not to say that you should necessarily incorporate security at the immediate commencement of a project, but you should have the plan to be able to adopt security.

Today, you may not need it, but as the company grows, and your technology and devices evolve, you might say “This is a really sensitive environment.”

Our adage is that it is always better to have security and not need it, than to need security and not have it. So you’ll want to have the security system baked into the project.

To give you an example. We have a Texas Instruments environmental temperature gauge. It’s for our office, and we want to know when the temperature goes up and down. Does that really need to have security? Well, does it connect to the network? Does it connect to the internal systems here? If it does, then you might want to enforce a security policy.

If you put that same temperature reader inside a nuclear power plant, you’d want to have a stronger security policy. You want to have secure tunnels, you want to have encryption, you want to build a monitoring solution, you want to verify the device has the same profile on day one as the present day.

Think about security as a fabric that you have in place so that when you need it, you activate certain security capabilities for your environment. If you start with a platform, and a fabric, you can have the fundamental security components built in and based on that add additional functionality.

Do you have a framework or checklist that can be used to plan for securing an IoT project?

We do. We’ve authored a blog post with easy tips to help consumers with securing IoT devices in their home. We also have internally developed a set of best practices.

There are a lot of good security resources available on the web. The Cloud Security Alliance gives guidelines for early IoT adopters to consider in enabling security for their devices. The Industrial Internet Consortium has released a reference architecture for you to look at. The FBI has also issued consumer protection and defense recommendations for IoT.

With any IoT project it’s very important to have secure connections. A secure encrypted tunnel from point A to point B, eliminates the ability to breach that connection in the middle.

Detecting an indication of change early, and taking steps to contain it, is a major step in remaining secure.

You also should consider adding security measures to protect the integrity of the software and firmware on your IoT devices, as well as the cloud portal they communicate with.

Taking it a step further, consider partnering with a security technology provider that allows you to monitor in real-time the security postures of your IoT devices, and detect anomalous behavior and security threats very early on.

Detecting an indication of change early, and taking steps to contain it, is a major step in remaining secure. Our goal at ZitoVault is to provide secure tunnels, coupled with advanced monitoring, and the ability to detect attacks, and proactively respond quickly.

And that’s for any IoT device. That could be for a thermostat, alarm system, wearable, or an insulin injection device that’s embedded into your body. Those IoT medical devices play life critical roles, and today they’re unsecured.

Dick Cheney’s pacemaker is a good example where the pacemaker itself, used unencrypted data transfer that was susceptible to a hacker’s overriding its safety operation.

In closing, is there anything else you think is important to the conversation around securing the Internet of Things?

Strong security measures are imperative for the Internet of Things to gain the trust of consumers and businesses, and lead to its wide adoption. Security is going to make or break the Internet of Things.

You have to be aware that while the IoT is delivering a high level of usefulness and making our lives more convenient, it also creates room for a lot of vulnerabilities to our privacy and safety in our personal and business lives.

If you are a business, an enterprise, a consumer, or a small business owner, you need to be aware that there are millions of attacks happening every minute. They are coming from centers around the world, where they have facilities with two or three thousand hackers targeting information.

The threats around our information, are not necessarily for using it today, but for using it for a bigger attack down the road. There is a real awareness that needs to go out about protecting our security and privacy.

The Internet of Things is now an integral part of our healthcare systems and critical infrastructure. . These provide life-sustaining platforms that we take for granted. The smallest hole in that fabric could shut everything down, leading to loss of power, water, and compromising our safety.

If we are going to replace humans in a system, the technology that we deploy needs to be reliable, robust and trusted.

 

The Internet of Things series is brought to you by Treeline Interactive and is authored by Tim Homuth and Joe Austin. Our objective is to provide you with information about the rapidly evolving field of the Internet of Things by bringing you interviews and insight from industry leaders. If you have any questions, insight, or suggestions for articles please email us at IoT@treelineinteractive.com.