Cyber security in the IoT smart home and city
Cyber security in an Internet of Things (IoT) requires an underlying smart network. The proliferation of smart devices and their interconnectedness means we need to take a multi-faceted approach to protect our homes, businesses, and communities from increasingly sophisticated hacks and thefts.
CONNECTED HOME, CONNECTED CITY
Think about how many connected devices are in your home.
- Smartphone (or 2 or 3)
- Personal desktop or laptop computer
- Kindle or e-reader
- Smart watch or fitness device
But that’s just the beginning. It’s increasingly common for TVs to be connected to the Internet as well as the set top box. And what about a smart electricity meter? And the smart fridge with Internet connection?
Now you can buy devices to automate many of the functions in your house and control them from your tablet from almost anywhere. Going to be home unexpectedly early? Trigger the heating to come on a bit sooner and be guaranteed a warm welcome. Or if you’re going to be late, maybe you need to program the set top box to record the game you were hoping to watch.
And yet when anyone talks about cyber security, pretty much all conversation gravitates to the PC and the protection of personal and financial details. We download anti-virus software on our PCs, our banks ask us to safeguard our browsing with their own overlay protection, and we remain vigilant to the threat of the cyber fraudsters.
But what about all those other devices?
When was the last time anyone downloaded anti-virus software for their fridge or their television? Keeping the software on all of your devices up to date is a layer of protection that is too often ignored.
And your own smart home doesn’t stand in isolation. The home next door is probably just as smart as yours. And what are all the companies and local authorities in your community getting up to as IoT pace picks up? Before you know it, all the smart homes and devices together create smart cities.
Smart homes and smart cities are no longer the future, they’re a reality. According to ABI Research, somewhere in the region of 400 million smart home devices have been shipped already -- and that’s a lot of devices to keep protected. The research group Business Intelligence says the annual rate of growth is currently around 67% and that we will reach some 1.8 billion devices by 2019. Smart energy devices will lead the way but home security systems will not be not far behind.
THE INTERNET OF THINGS
The Internet of Things will be by far the largest device market in the world. Business Intelligence forecasts almost 25 billion devices installed by 2019. In fact BI says shipments in that year alone will be close to 7 billion with business and government leading the way.
But from a security point of view, this burgeoning market has a major problem. The IoT lacks a common set of standards and technologies – and commonality is usually central to the approach of security systems.
Indeed, a quick look at the data underlying the numbers tells us that cyber security on the IoT is what the Hollywood studios and Chiefs of Staff would refer to as a “clear and present danger”.
The U.S. government has clearly indicated that it’s aware of the risks, with departments including the Federal Trade Commission holding workshops to discuss consumer privacy and security issues created by IoT. A stated priority reported in Information Week in October 2014 is to bring “enforcement cases against deceptive business practices in the Internet of Things”.
Today, according to HP
- 90% of devices collect at least 1 piece of personal information either via the device, the cloud, or its mobile application
- 80% of devices (or their cloud or mobile app element), fail to require complex passwords
- 70% connect using unencrypted network services
Former computer hacker Kevin Poulsen – who has since worked as a consultant to the U.S. Government – once announced his own law of computer security. His view was that “information is secure when it costs more to get it than it is worth.” His law can be interpreted to mean that actually nothing is safe. It will be compromised, and it’s only a matter of time and money.
Governments and national security chiefs are well aware of this situation and realize that smart cities, with a host of interconnected devices, many of them with little security, collectively represent something of very great value.
The smart city is an obvious target for malicious hacking. For instance, turning all the traffic lights in London red would cause unimaginable chaos. Attacks on smart cities can also be motivated by:
- Monetary gain
- Making a political statement (known as hacktivism)
- One State’s aim to disarm another
But anti-virus style protection is not the answer anyway. The vast majority of “successful” virus attacks are what are known as “Zero-Day” exploits.
Anti-virus software works by recognizing the signatures of a known virus in all its variants. But when a new virus is developed and “released” it is not recognized, and on “zero-day” machines are at their most vulnerable. The A-V companies do their best to catch up, release their updates to combat the new threat and so the protection spreads – at least until the next zero-day attack.
SECURITY REQUIRES A MULTIFACETED APPROACH
Symantec’s Brian Dye told the Wall Street Journal that anti-virus software is ineffective because it only catches 45% of attacks, but this quote was simplified. The point is more complex. Attacks and attackers have become more sophisticated, and we live in a cyber security arms-race where attacks are averted only to be replaced by something else.
The route to true cyber security is through a multi-faceted approach, where firewalls block, but where intelligent network-based appliances also comb and monitor the network for unusual behavior from within.
The majority of attacks on businesses happen because employees do something, often but not always, unintentionally. It can be as simple as an infected USB key being inadvertently inserted into a company LAN. The same thing can happen in the smart home, too, so both companies and individuals need to protect themselves from this kind of attack.
In the battle against malicious software, discovery is often more important than prevention, and once discovered, isolation and remediation become critical. Network-based systems that monitor for the command and control protocols of rogue software can achieve this -- whether at a micro level in a home network or within the enclosed network of a smart city.
We need to ensure that people or organisations with malicious intent are unable to disable our homes or cities through cyber attack. And this is a case where 1 size most definitely does not fit all. The use of multiple systems, both to protect the network and endpoints through prevention and detection is critical to our personal and social protection.
The smart home, the smart business, and the smart city will all require a smart network. Devices may have different operating systems and different degrees of security. But what they will have in common is that they’ll connect to an IP network.
Whether that initial connection is via Bluetooth, Wi-Fi®, unlicensed spectrum, 4G, 5G, or even a cable, is almost irrelevant. The data transmitted from these devices will end up on an IP network communicating to and from cloud servers.
The smart city will fail without a smart network, and a smart network has to be the central point of our cyber security defences. Yes, work needs to be done to improve the security of the individual devices. But applying security at the network level plays a fundamental part in protecting the safety of our data, our homes, and our cities.
- Identifying unusual patterns of traffic
- Encrypting data in transit and at rest
- Monitoring data sources
At Alcatel-Lucent we like to say the network is the future. Actually, make that the secure smart network.
Smart city web page
Internet of Things web page
Our authors look forward to your questions and comments.