Internet of things (IoT) - challenges of new reality
The concept of IoT is based on the ubiquitous spread of the Internet, mobile technologies and social media, while the idea itself is supported by our desire to make the world easier, simpler, more productive and safer in the broadest sense.
Manufacturers of consumer devices and industrial equipment, automakers and service companies, software and network equipment developers — all of them are working to create a huge IoT ecosystem that presents many smart, network-connected devices. Manufacturers from a wide variety of industries are attracted by the potential of IoT and the ability to meet the needs of consumers.
For example, General Electric uses the Internet of Things for preventive maintenance of jet engines and to predict potential malfunctions before they even show their full potential. In addition, monitored flight data minimizes fuel costs and increases efficiency.
')
ThyssenKrupp Elevator serves over 1.2 million elevators worldwide.
The possibility of preventive, proactive maintenance, realized through the introduction of IoT technologies from Microsoft, guarantees a high time between failures, and the company has already noted a decrease in the number of calls to the technical support service.
The ability to create additional sources of income through the sale of value-added services (VAS) and the use of innovative business models, such as (Product-as-a-Service, PaaS). The rolls-hour contracts (Power-by-the-Hour), practiced by Rolls Royce, allow operators to purchase engines that pay a fixed amount per flight hour, rather than prepay for the entire engine at once.
According to a study conducted by IBM in conjunction with the Ponemon Institute, on average, data leakage costs companies $ 3.79 million. Strengthening security reduces these risks.
The Internet of Things opens up new markets and provides new opportunities for building partnerships. For example, Google is working to create software that will help automakers develop unmanned vehicles.
This is especially important for those manufacturers who do not maintain contact with users after the sale of the device. For example, Intel has added an intelligent system for vending machines, thanks to which manufacturers will be able to sell packaged 2-in-1 applications, offer discounts and implement loyalty programs to increase sales.
Given the number of players involved in the ecosystem (OEMs, service providers, cloud service providers, independent software developers, etc.), it is essential that all elements in the ecosystem are protected in order to eliminate the possibility of failures. Reliable protection provides business with benefits due to the continuity of customer interaction processes.
From tiny sensors to huge machines, the Internet of Things (IoT) and the industrial Internet of Things (M2M - machine-to-machine) are expanding at tremendous speed. So, Intel considered that 10 years ago there were only 2 billion smart objects associated with the wireless world, and IDC estimated the number of connected devices by 2020 already at 200 billion.
Why should consumers and producers be prepared in connection with such a dramatic expansion of the network of connected devices?
Virtually any connected device, starting with a smart TV, fitness tracker or home security system and ending with printers, car systems or light bulbs with network control, sooner or later was hacked. Below we give a few illustrative examples of such hacks:
More than 8,000 people were victims of a hacker attack when hackers from the Anonymous group invaded the infrastructure of the European space agency and kidnapped the names, email addresses and passwords of people who were then published as three data dumps on justpaste.it
Symantec uses specially-tuned Rasberry Pi computers to draw attention to the underlying vulnerabilities in fitness trackers. Security experts have found that some of these devices allow attackers to easily track the location of trackers.
Security experts at Proofpoint found that during the 2014 holiday period, an Internet-connected fridge was used to send more than 75,000 spam messages and phishing emails.
Hacker and cybersecurity expert Chris Roberts from One World Labs in Denver, USA, managed to hack the on-board entertainment system on the plane and, according to an FBI order from April 2015, intercept control of the aircraft.
An advanced railway signaling system designed to control the movement of all trains in the UK can also be hacked, which could potentially lead to serious consequences - Professor David Stupples told the BBC about this. Network Rail, which is testing a European rail transport management system, has confirmed that there is a potential threat.
Stuxnet is the first computer worm that is capable of intercepting and modifying data flow between programmable logic controllers of the SIMATIC S7 brand and the workstations of the Siemens SIMATIC WinCC SCADA systems. In June 2010, the Stuxnet virus managed to infiltrate the computers of the Iranian nuclear power plant in Bushehr, Iran, with the result that the total number of computers infected by the worm was 60% of all infected systems in the country. Later it became known that the virus was developed jointly by the intelligence services of the United States and Israel. They successfully infected the computer system of Iran’s nuclear program (confirmed by Hillary Clinton).
More and more cars are gaining access to the network today, but what if the car becomes the target of a hacker attack? Wired journalist Andy Greenberg figured it out on his own experience when driving his car, Jeep Cherokee, was intercepted at 110 km / h on the highway in saint louis.
The same security researchers claim that today, about 471,000 cars can be hacked from virtually anywhere in the world - for this the attacker only needs to know the IP address of the attacked car.
In the case of the Internet of Things, the thing or object itself becomes one of the main elements that need to be given maximum attention. Whether it's a car, a smart meter or a health tracker, they all suddenly become involved in networking, and some of the IoT devices can serve critical infrastructure — water mains, power grids, health care systems, or transportation — making them a potential target for industrial espionage, DoS -attack (Denial of service - denial of service) and other hacker attacks. To prevent damage, security mechanisms must be provided at the design stage so that the transmitted information can be controlled in motion and control exactly who gets access to it.
As an example, the case of hacking radio nanny Foscam, information about which was published in 2015. The object of the hacker attack was the family who used the wireless IP video nanny Foscam, while the hacker gained control of the camera and watched the movements in the room in which it was installed. An even greater danger could be that intruders gain access to industrial and corporate systems, as has already been demonstrated in some cases.
Given the huge amounts of information generated by the connected devices, priorities should shift towards protecting the data that is really important. The first step in creating a security infrastructure is to research the types of threats encountered. In addition to phishing, DoS and DDoS attacks and physical invasion in the era of gadgets, hacking applications are widely used. Today, special automated hacking tools are on the market, many of which are distributed free of charge. The fact is that, unlike centralized web environments, mobile applications exist within a non-regulated ecosystem of a mobile device. The unprotected mobile application code (the one that you download when you install the application, for example, from the AppStore or Google Play.) Allows attackers to easily and naturally modify these applications and use them to their advantage.
As a result of such attacks, nine out of ten organizations (90%) experienced negative consequences for their commercial activities, including delays in the development of products or services (31%), a decrease in the productivity of their employees (30%), a decrease in consumer confidence (28%) and a certain pressure (24%). All this points to very significant negative consequences of data leaks, which negatively affect both corporate reputation and the overall performance of companies, as well as the confidence of their customers in the industry.
The first important step in ensuring the security of a device is to ensure that the user really is who he claims to be, and indeed has the right to access this device. The authentication procedure is an important aspect when working with connected devices. For example, when we open our smart car with a mobile phone, we want to be sure that no one but us can do it.
But in fact, cars do not always have good protection, as you might think! Australian security researcher Silvio Cesare (Silvio Cesare) has demonstrated a vulnerability in an electronic car lock device, as a result of which he managed to turn off the alarm and get into the car, leaving no evidence for the police behind him. At the same time to gain access to the car, he used the simplest software-defined radio system (software defined radio) and antenna, with which he could intercept and send wireless signals.
Equipment vendors must also be authorized to access a remote device. The manufacturer of the electric vehicle Tesla notifies drivers of the availability of a firmware update and when this update will be downloaded. Thus, the driver understands that the update was received directly from Tesla, and that this is not an attacker's attempt to enter the system. For more reliable authentication, biometric data is increasingly being used, such as fingerprints or retinal scans, which make it possible to reliably confirm that we are exactly who we claim to be.
An analysis of the situation shows the need for an integrated and scientifically based approach to ensuring the security of the Internet of Things:
Risk assessment - it’s important for a developer to understand all potential vulnerabilities. The assessment methodology should cover privacy, security, fraud prevention, cyber attacks and theft of intellectual property. Risk assessment is by no means a simple task, as cybercriminals are in constant search and gradually master all new and new types of threats. And since there is no universal solution for neutralizing these threats, at this stage it is recommended to invite a security expert for consultation.
Ensuring safety at the design stage - the key point is that the safety of the device must be considered at the design stage. This includes endpoint security and preventive measures, including the creation of tamper-proof hardware and software.
Ensuring data security - strong authentication, encryption, and secure encryption key management should be used to protect information stored on the device and at the time of its transfer.
Life cycle management - ensuring security should not be viewed as a separate process that is sufficient to perform once and forget about it. It is imperative that devices used in the Ecosystem of the Internet of Things be protected throughout their life cycle, no matter if it is a standalone product, or some system, for example, integrated into a car.
Over time, consumers will take the convenience of the Internet of Things for granted and will be fully confident in its safety. In addition, other benefits of the Internet of Things will be realized: an increase in efficiency in various industries, a reduction in costs for the healthcare industry, the introduction of energy-saving technologies in cities. However, the issue of security remains key. His decision is in the hands of professionals.
Already developing for IoT and want to dive deeper into the topic, or are you just starting your acquaintance? Join our closest webinars on:
Manufacturers of consumer devices and industrial equipment, automakers and service companies, software and network equipment developers — all of them are working to create a huge IoT ecosystem that presents many smart, network-connected devices. Manufacturers from a wide variety of industries are attracted by the potential of IoT and the ability to meet the needs of consumers.
Cost reduction
For example, General Electric uses the Internet of Things for preventive maintenance of jet engines and to predict potential malfunctions before they even show their full potential. In addition, monitored flight data minimizes fuel costs and increases efficiency.
')
ThyssenKrupp Elevator serves over 1.2 million elevators worldwide.
The possibility of preventive, proactive maintenance, realized through the introduction of IoT technologies from Microsoft, guarantees a high time between failures, and the company has already noted a decrease in the number of calls to the technical support service.
New sources of income
The ability to create additional sources of income through the sale of value-added services (VAS) and the use of innovative business models, such as (Product-as-a-Service, PaaS). The rolls-hour contracts (Power-by-the-Hour), practiced by Rolls Royce, allow operators to purchase engines that pay a fixed amount per flight hour, rather than prepay for the entire engine at once.
Reduced litigation and reduced data leakage costs
According to a study conducted by IBM in conjunction with the Ponemon Institute, on average, data leakage costs companies $ 3.79 million. Strengthening security reduces these risks.
New opportunities for creating partnerships
The Internet of Things opens up new markets and provides new opportunities for building partnerships. For example, Google is working to create software that will help automakers develop unmanned vehicles.
Improving customer relationships
This is especially important for those manufacturers who do not maintain contact with users after the sale of the device. For example, Intel has added an intelligent system for vending machines, thanks to which manufacturers will be able to sell packaged 2-in-1 applications, offer discounts and implement loyalty programs to increase sales.
Business Continuity
Given the number of players involved in the ecosystem (OEMs, service providers, cloud service providers, independent software developers, etc.), it is essential that all elements in the ecosystem are protected in order to eliminate the possibility of failures. Reliable protection provides business with benefits due to the continuity of customer interaction processes.
Surrounded by clever things
From tiny sensors to huge machines, the Internet of Things (IoT) and the industrial Internet of Things (M2M - machine-to-machine) are expanding at tremendous speed. So, Intel considered that 10 years ago there were only 2 billion smart objects associated with the wireless world, and IDC estimated the number of connected devices by 2020 already at 200 billion.
Why should consumers and producers be prepared in connection with such a dramatic expansion of the network of connected devices?
Virtually any connected device, starting with a smart TV, fitness tracker or home security system and ending with printers, car systems or light bulbs with network control, sooner or later was hacked. Below we give a few illustrative examples of such hacks:
More than 8,000 people were victims of a hacker attack when hackers from the Anonymous group invaded the infrastructure of the European space agency and kidnapped the names, email addresses and passwords of people who were then published as three data dumps on justpaste.it
Symantec uses specially-tuned Rasberry Pi computers to draw attention to the underlying vulnerabilities in fitness trackers. Security experts have found that some of these devices allow attackers to easily track the location of trackers.
Security experts at Proofpoint found that during the 2014 holiday period, an Internet-connected fridge was used to send more than 75,000 spam messages and phishing emails.
Hacker and cybersecurity expert Chris Roberts from One World Labs in Denver, USA, managed to hack the on-board entertainment system on the plane and, according to an FBI order from April 2015, intercept control of the aircraft.
An advanced railway signaling system designed to control the movement of all trains in the UK can also be hacked, which could potentially lead to serious consequences - Professor David Stupples told the BBC about this. Network Rail, which is testing a European rail transport management system, has confirmed that there is a potential threat.
Stuxnet is the first computer worm that is capable of intercepting and modifying data flow between programmable logic controllers of the SIMATIC S7 brand and the workstations of the Siemens SIMATIC WinCC SCADA systems. In June 2010, the Stuxnet virus managed to infiltrate the computers of the Iranian nuclear power plant in Bushehr, Iran, with the result that the total number of computers infected by the worm was 60% of all infected systems in the country. Later it became known that the virus was developed jointly by the intelligence services of the United States and Israel. They successfully infected the computer system of Iran’s nuclear program (confirmed by Hillary Clinton).
More and more cars are gaining access to the network today, but what if the car becomes the target of a hacker attack? Wired journalist Andy Greenberg figured it out on his own experience when driving his car, Jeep Cherokee, was intercepted at 110 km / h on the highway in saint louis.
The same security researchers claim that today, about 471,000 cars can be hacked from virtually anywhere in the world - for this the attacker only needs to know the IP address of the attacked car.
Secure interfaces
In the case of the Internet of Things, the thing or object itself becomes one of the main elements that need to be given maximum attention. Whether it's a car, a smart meter or a health tracker, they all suddenly become involved in networking, and some of the IoT devices can serve critical infrastructure — water mains, power grids, health care systems, or transportation — making them a potential target for industrial espionage, DoS -attack (Denial of service - denial of service) and other hacker attacks. To prevent damage, security mechanisms must be provided at the design stage so that the transmitted information can be controlled in motion and control exactly who gets access to it.
As an example, the case of hacking radio nanny Foscam, information about which was published in 2015. The object of the hacker attack was the family who used the wireless IP video nanny Foscam, while the hacker gained control of the camera and watched the movements in the room in which it was installed. An even greater danger could be that intruders gain access to industrial and corporate systems, as has already been demonstrated in some cases.
- Variety of types of connections. There are a lot of ways to connect, the most common of which today are mobile cellular networks, Bluetooth and WiFi, but relatively new network technologies such as LoRa, UNB, PLC, BTLe short-range, Weightless, LTE-M and ZigBee. Each new network technology, along with opportunities brings with it new threats.
- The variety of industries. Taking into account the ubiquitous spread of the Internet of Things - from large-scale industrial systems, such as wind parks, to wearable devices - there is its own ecosystem everywhere. Security models may differ, but they have at least one common feature: in all these cases we are talking about collecting huge amounts of data. And the more complex this information is, the more sensitive it is to hacking.
Mobile threat
Given the huge amounts of information generated by the connected devices, priorities should shift towards protecting the data that is really important. The first step in creating a security infrastructure is to research the types of threats encountered. In addition to phishing, DoS and DDoS attacks and physical invasion in the era of gadgets, hacking applications are widely used. Today, special automated hacking tools are on the market, many of which are distributed free of charge. The fact is that, unlike centralized web environments, mobile applications exist within a non-regulated ecosystem of a mobile device. The unprotected mobile application code (the one that you download when you install the application, for example, from the AppStore or Google Play.) Allows attackers to easily and naturally modify these applications and use them to their advantage.
As a result of such attacks, nine out of ten organizations (90%) experienced negative consequences for their commercial activities, including delays in the development of products or services (31%), a decrease in the productivity of their employees (30%), a decrease in consumer confidence (28%) and a certain pressure (24%). All this points to very significant negative consequences of data leaks, which negatively affect both corporate reputation and the overall performance of companies, as well as the confidence of their customers in the industry.
The need for double action: confidentiality vs authentication
The first important step in ensuring the security of a device is to ensure that the user really is who he claims to be, and indeed has the right to access this device. The authentication procedure is an important aspect when working with connected devices. For example, when we open our smart car with a mobile phone, we want to be sure that no one but us can do it.
But in fact, cars do not always have good protection, as you might think! Australian security researcher Silvio Cesare (Silvio Cesare) has demonstrated a vulnerability in an electronic car lock device, as a result of which he managed to turn off the alarm and get into the car, leaving no evidence for the police behind him. At the same time to gain access to the car, he used the simplest software-defined radio system (software defined radio) and antenna, with which he could intercept and send wireless signals.
Equipment vendors must also be authorized to access a remote device. The manufacturer of the electric vehicle Tesla notifies drivers of the availability of a firmware update and when this update will be downloaded. Thus, the driver understands that the update was received directly from Tesla, and that this is not an attacker's attempt to enter the system. For more reliable authentication, biometric data is increasingly being used, such as fingerprints or retinal scans, which make it possible to reliably confirm that we are exactly who we claim to be.
Principles for Protecting the Internet of Things
An analysis of the situation shows the need for an integrated and scientifically based approach to ensuring the security of the Internet of Things:
Risk assessment - it’s important for a developer to understand all potential vulnerabilities. The assessment methodology should cover privacy, security, fraud prevention, cyber attacks and theft of intellectual property. Risk assessment is by no means a simple task, as cybercriminals are in constant search and gradually master all new and new types of threats. And since there is no universal solution for neutralizing these threats, at this stage it is recommended to invite a security expert for consultation.
Ensuring safety at the design stage - the key point is that the safety of the device must be considered at the design stage. This includes endpoint security and preventive measures, including the creation of tamper-proof hardware and software.
Ensuring data security - strong authentication, encryption, and secure encryption key management should be used to protect information stored on the device and at the time of its transfer.
Life cycle management - ensuring security should not be viewed as a separate process that is sufficient to perform once and forget about it. It is imperative that devices used in the Ecosystem of the Internet of Things be protected throughout their life cycle, no matter if it is a standalone product, or some system, for example, integrated into a car.
The benefits of a fully connected world
Over time, consumers will take the convenience of the Internet of Things for granted and will be fully confident in its safety. In addition, other benefits of the Internet of Things will be realized: an increase in efficiency in various industries, a reduction in costs for the healthcare industry, the introduction of energy-saving technologies in cities. However, the issue of security remains key. His decision is in the hands of professionals.
Already developing for IoT and want to dive deeper into the topic, or are you just starting your acquaintance? Join our closest webinars on:
- Can This Code Be Trusted? ("Can you trust this program?")
Time: April 20 (Wednesday), 04:00 pm CET
Host: Stephen Helm, Sr. Product Marketing Manager, Crypto Management - Gemalto
Reference for participation: www6.gemalto.com/e/51442/webcast-6319-201859/63n6k9/294289732 - The Hybrid-Cloud Cocktail - What is the Right Mix For You? ("Hybrid cloud - how best to mix?")
Time: April 21 (Thursday), 05:00 pm CET
Host: Falco Christow, Product Manager, Crypto Management - Gemalto
Reference for participation: www6.gemalto.com/e/51442/webcast-6319-201861/63n6kc/294289732
Source: https://habr.com/ru/post/281619/
All Articles