Privacy & Data Protection Challenges in the IoT
Privacy and Data Challenges in the IoT
Posted on Wednesday, March 16th, 2016 by

IoT Security Challenges

Connected refrigerators, home alarm systems and automobiles, OH MY!!

From toasters to medical devices, from utility grids to remote controls and from watches to construction equipment, these everyday items that we use to live, work, play and learn are being connected to the World Wide Web (WWW) in an unprecedented phenomenon called the Internet of Things (IoT).

 

Why is this a phenomenon you say?

These things, and millions more like them, are part of our society, culture, and way of life and are woven into our everyday routine. We don’t think about the majority of them beyond the tasks for which we use them. Traffic lights, gas and electric meters and vending machines are on our mind when we need them and far from our mind when we don’t.

They are pretty much autonomous systems and rarely does one thing have anything to do with another thing… until now.

 

3 IoT Scenarios to Consider

 

  • What if your city manager wanted to optimize the flow of traffic across the city during both rush hours and certain occasions (parades, special events, construction, etc.)? All they have to do is put cameras near x% of the traffic lights to monitor the frequency and quantity of cars and trucks passing by that location. That data is fed back to a central data center to adjust the times and timing of the red, yellow and green lights across the city.
  • What if your car’s manufacturer wants to monitor the health of your car’s engine and provide you emergency road service should you have a mechanical malfunction? All they have to do is connect all the engine component sensors to a transmitter in your car. This transmitter will feed data to a central data center to monitor the performance of the engine components and notify you when your car needs service or (when necessary) send a tow truck to assist you when your car is disabled.
  • What if your home alarm monitoring company wants to enable you to see and know what’s going on back home via your smartphone when you are away? All they have to do is connect cameras and/or microphones in your home to their network to transmit this data (either live or via delay) to you wherever you are in the world via your laptop or handheld device.

 

None of these three scenarios would exist without a connection to the WWW. And what’s consistent across all three scenarios is the transmission, storage, and visibility of your data. While not ubiquitous, all three scenarios are currently operational across this country today. What we should be concerned about is NOT the fact that there are little to no security measures in place to protect your data within and across these three (and many more) companies, but that average consumers never requested protection of their data from their vendor(s)/supplier(s) to begin with.

 

5 IoT Security Concerns

 

  1. Private Data Availability

Are we concerned that three different companies (and many more) have access to our private data 24/7 and we don’t know how they are using it?

  2. Data Distribution

Are we concerned how they share this information with their partners as (sometimes) delineated in their EULA (End User License Agreement)?

  3. Location Tracking

Are we concerned that three different companies know where we are (or where we are not) at all times from the data that we allow them to collect about us?

  4. Source of Security Breach

Since all three companies’ content converges on our smartphone, can we obtain accurate attribution if (when) a breach does occur?

  5. Malicious Individuals

Are we concerned about bad actors who infiltrate one (or more) of these companies and track our movement and habits, all without our knowledge, until it’s too late?

 

This is not FUD, nor is it the cyber scare tactic du jour. This is current industry news because there is precedent for all 5 security concerns. And the real question is not ‘how real the threat is or is not’; the real question is: are there demonstrable and tangible steps being taken to protect your data as the IoT industry begins to grow and scale? The answer to this question will tell you how at risk your data is across the current (and future) vendors of IoT devices.

If you ponder the level of effort and investment that IT software and hardware vendors have made in protecting their products (and their associated success therewith), you get a sense of the challenge ahead for automobile makers, parking meter manufacturers, medical device makers and hundreds of other manufacturers. As non-trivial as these tasks truly are, it’s how compelled the companies are to make this investment in protecting their IoT-enabled devices that will make the difference.

 

Questions and Tasks to Ask IoT Vendors & Manufacturers

  • So how will cybersecurity protection look across IoT devices as this industry grows and matures?
  • What level of protection can IoT device manufacturers assure you and me about their product(s)?
  • How can you and I validate the level of protection that we receive from these companies as they collect, transmit and store our data…24 hours a day, 7 days a week?

These are non-trivial questions that are rarely being asked of IoT vendors, let alone verifiably answered.

Cybersecurity protection has always been an afterthought in the IT industry. From the dawn of personal computers in the early 1980s to the cyber nakedness of laptops, smartphones and tablets today, it has always involved a third-party add-on, and this has developed into an industry where a handful of cybersecurity products are protecting 100s or 1,000s of devices against hundreds of thousands to millions of threats from around the world… 24 hours a day, 7 days a week.

And now we want to impute this responsibility to industries (old and new alike) to protect our data and expect them to perform as well as the IT industry that has been in the ‘data protection business’ for over three decades… this is a very large ask, yet the risk of doing nothing is even larger.

According to Cisco Systems, approximately 25 billion devices were connected to the internet in 2015 and over 50 billion devices will be connected to the internet by 2020. 100% growth of such a large number to begin with, in 5 short years, is nothing short of a phenomenon.

It is a non-trivial task to ask manufacturers outside the IT industry to harden their products from threats they’ve never encountered. It’s a non-trivial task to expect multiple vendors/suppliers to validate the security posture of our data within and between their networks, as they transmit, store and render it 24/7. It’s a non-trivial task to know if/when our data has been compromised within one or more of these IoT networks, how much of our data has been compromised and to know when the threat has been eradicated across the IoT vendor networks.

 

If you want to know how cybersecurity protection will look when IoT is running at full speed, take a look at how effective we are at data protection now while it’s just beginning to walk.

About author:
Llewellyn Derry is a Principal – Cyber Security Consultant at Hitachi Systems Security in Dallas, TX. Llewellyn has over 20 years of experience in the Cyber Security and Global Networking industry with Raytheon, NEC, Cisco Systems and AT&T. He holds the CISSP, CISM and C|EH certifications and is a member of the FBI’s Infragard Program and the US Secret Service’s Electronic Crimes Task Force. Llewellyn is also an Adjunct Professor teaching Cyber Security in the Masters Program at the University of Dallas, one of the few Universities in the country certified by DHS and the NSA.
