Security and Privacy

The Internet of Things is creating completely new requirements in the area of cyber security, both in the IT and OT sectors. In order to identify as many vulnerabilities as possible, it is necessary to examine not only individual application areas and devices, but the entire IoT ecosystem. This includes internally used devices and applications (including operating systems, communication paths, connected devices) on the one hand, and all external devices on the other. It is not always easy to gain an overview of this, but it is the only way to generate protection as comprehensively as possible. Modern security technologies must be able to protect against hacker attacks, manipulation, espionage and impersonation.

What makes implementing IoT security so difficult is that the networked “things” often use simple processors and operating systems that are not (yet) capable of implementing the security solutions, some of which are highly sophisticated.

Distinction between private and industrial applications

A fundamental distinction can be made between private and industrial applications for the Internet of Things. In the private sphere, it is mainly everyday objects that are networked for more convenient and intelligent use. For example, intelligent building automation systems can be installed, or devices can be deployed that notify the user via the Internet when certain events occur.

In the industrial sector, the main focus is on connecting machines and systems in such a way that entire industrial processes can be automated. Production processes thus become more efficient and less expensive. The Internet of Things is a core component of so-called Industry 4.0. With the IoT and Industry 4.0, the self-organization of industrial processes becomes possible through direct communication between machines, plants, goods and people. It is no longer just individual production steps that can be automated; entire value chains can be made much more efficient.

Rising security concerns

In light of recent cyber security cases, the importance of IoT device security is increasing. The growing market for IoT gadgets has become a challenge for businesses. The dangers can be illustrated by the example of one company: networked devices are used in conference rooms and executive suites, and even in a low-cost building security camera system. According to Craig Young, a cybersecurity researcher at Tripwire, a major cause of the problem is that firmware is not regularly updated.

Against this background, researchers at the University of Michigan were recently able to hack into the Samsung SmartThings platform and control an entire home automation system. Companies are informed of the security threat, yet they often install new devices and ignore or postpone patching them.

How to secure IoT devices

Larger IoT companies, like Belkin, seem to be taking up the cause and responding to firmware issues, or at least acknowledging the growing problem. The best way to ensure data protection and combat botnets is to have devices authenticate against other systems, configured with secure, unique (one-of-a-kind) IDs and passwords rather than shared defaults. In some cases, it may also be possible to use encryption keys to protect device identities. IoT devices with this capability include closed-circuit TV (CCTV) cameras and DVR devices. Other methods include the use of SSL certificates. Researching appropriate products and implementing these capabilities is a good starting point for improved IoT security.

Due to the increasing number of IoT devices, attackers can now generate massive DDoS attacks against businesses and organizations. A proper risk assessment together with an active risk response plan can help combat DDoS traffic before it reaches the organization. In addition, IoT devices can use hardware-based trust anchors. These anchor a trusted boot process, which verifies each stage before it runs, so that devices operate in a known, secured state and keep their content private.
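As an added illustration (not from the original article), the following Python sketch models the trusted boot process described above: an immutable hardware anchor pins the hash of the first boot stage, each stage pins the hash of the next, and any stage that fails verification halts the boot so the device never runs in an unknown state. The stage payloads and the 32-byte header layout are constructed sample data, not a real firmware format.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 digest size; each stage header holds the next stage's hash


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_stage(payload: bytes, next_hash: bytes) -> bytes:
    """Constructed image layout: 32-byte hash of the next stage || payload."""
    return next_hash + payload


def build_chain(payloads):
    """Build the stages from last to first so each one pins its successor.

    Returns (stages, anchor_hash). In a real device the anchor hash (or a
    public key used to sign it) is burned into OTP fuses or boot ROM, which is
    what makes it a hardware trust anchor: it cannot be rewritten by software.
    """
    stages = []
    next_hash = b"\x00" * HASH_LEN  # the final stage has no successor
    for payload in reversed(payloads):
        image = build_stage(payload, next_hash)
        stages.insert(0, image)
        next_hash = sha256(image)
    return stages, next_hash


def verify_boot(stages, anchor_hash):
    """Simulate the boot ROM walking the chain of trust.

    Stage 0 is checked against the immutable anchor; every later stage is
    checked against the hash pinned in the header of the already-verified
    stage before it. Returns (True, None) on success, or (False, i) where i
    is the first stage that failed and the boot would halt.
    """
    expected = anchor_hash
    for i, image in enumerate(stages):
        # constant-time compare: the digest itself is not secret, but this is
        # the habit to keep for any verification step on a device
        if not hmac.compare_digest(sha256(image), expected):
            return False, i
        expected = image[:HASH_LEN]
    return True, None


if __name__ == "__main__":
    stages, anchor = build_chain([b"bootloader-v1", b"kernel-v1", b"app-v1"])
    print("clean boot:", verify_boot(stages, anchor))
    stages[2] = stages[2][:HASH_LEN] + b"app-v1-modified"  # tamper with the app
    print("tampered app stage:", verify_boot(stages, anchor))
```

Note that an attacker who rebuilds the whole chain around a modified bootloader still fails at stage 0, because the anchor hash is fixed in hardware rather than stored alongside the images.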

While IoT devices offer great benefits, it is critical to stay educated, informed and prepared for the security threats they pose to individuals and organizations.

IoT and data protection – these special features must be observed

The Internet of Things poses many risks for the protection of personal data, according to many surveys and studies. But why is that actually the case? What makes data protection in IoT solutions particularly difficult? User companies should know this in order to be able to prepare a data protection impact assessment (DPIA) in accordance with the General Data Protection Regulation (GDPR).

Lack of data protection and privacy

Only three in five (59 percent) companies say they encrypt all data collected through IoT and used for analytics – despite existing IoT security budgets. Consumers are not impressed with the IoT industry’s efforts, as 62 percent of respondents believe security needs to be improved. In terms of the biggest areas of concern, 54 percent fear a lack of privacy from connected devices, followed closely by unauthorized access, such as hackers controlling devices (51 percent), and a lack of control over personal data (50 percent).

IoT data protection requires special measures

Data protection plays a major role in IoT. For example, data protection certificates would increase trust in smart home products.

The General Data Protection Regulation (GDPR) ensures uniform data protection requirements, but this does not mean that the same data protection measures are required in all areas. With regard to the security of processing (Article 32 GDPR), the measures are to be selected “taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.”

What to pay particular attention to in IoT data protection

In particular, the following data protection measures should be taken in IoT, in addition to IoT security solutions:

  • Information and consent: Processing of personal data in IoT is only permissible if it is based on the informed consent of users or a legal obligation. This requires in particular that manufacturers provide comprehensible information about functions and data flows. With many IoT solutions, however, it is not even technically possible to request or grant consent, and functions and data flows are not transparent to the user. This must change.
  • Data control: Users have sovereignty over the data that is collected or stored; they must be able to identify individual data processing functions and also switch them off. In many IoT solutions, such options are neither provided for nor technically feasible for the user. This must not remain the case either.
  • Protection against profiling: In many cases, users can be identified directly or indirectly, for example through device identifiers and user registration for a specific device. IoT data can thus lead to user profiles and tracking, and location data of devices and their users is often collected, stored and analyzed without the consent and knowledge of the data subjects.
  • Protection of sensitive data: The data that IoT solutions process is often classified as special categories of personal data, yet it is not encrypted. Examples of such data include, in particular, health data, which is evaluated not only by classic fitness trackers but also by all IoT devices with corresponding apps. Even more widespread is the processing of location data, which allows conclusions to be drawn about individuals and their behavior.

If these risks are not averted, high risks to the data subjects must be expected; without countermeasures, a data protection breach then exists. So there is still a lot to be done in IoT data protection.