As a follow up post to my "The Internet of Things outlook for 2014: Everything connected and communicating", this post covers the security concerns that you and others have concerning machine to machine communications between "things". Security is a valid concern for these devices, for communications between the devices, and for the communications from the devices to the servers they report to. It's easy to conjure security questions and to hold manufacturer's and developer's accountable for security but it's less easy to offer answers and suggestions to help solve those security issues. In this post, I aim to answer those questions.
In the Internet of Things, there are devices setup to monitor, measure, and control. The devices themselves are vulnerable to theft and physical compromise. The primary solution to physical security is very basic: physical security. Yes, I know how that reads but it's also true. The device itself must be secured with locks, locking cases, secure placement, and tamper alerts.
If someone compromises a physical device, then its contents, software, and settings are also compromised. Before you purchase an IoT solution or devices, you have to ask the question, "What information is available to a tech savvy thief?" Hopefully the answer is "none" but don't expect that to be the answer you get. Expect that any of your devices can be compromised and any data on them can be accessed. Be sure that your device vendor is aware of physical security and that you've covered the bases with him or her.
There are two locations where data can be compromised: on the device and in transit. Data on a device, also known as data at rest, is especially vulnerable because a data thief has plenty of time to analyze whatever he or she finds. The solution is to encrypt data at the source, i.e., on the device. Some encryptions can be broken, so you have to ensure that your vendor uses a very strong, non-compromised encryption method for all data stored on the device.
All data means not only data collected but also data that has to do with configuration, network settings, target systems, VPN configuration, and ownership information.
Data in transit, either over a wired network or a wireless network, is vulnerable to attack, hijack, and theft. Once a data thief puts himself or herself between your device and its home network, your data is at risk. Data communications must be encrypted. Encrypting data on the device will slow or deter a thief but couple that encryption with encrypted communications and you have a formidable level of protection.
Check with your vendor and your IT staff to verify that your machine to machine communications are encrypted. A secure channel such as a VPN is a requirement for protecting data along the way from its origin to its destination.
This post outlines what I call end-to-end security for devices involved in machine to machine communications. If there's any failure of security anywhere along this pathway from the device (thing) through its communication channels to the target system, then the entire process fails. Vendors must focus on security as well as functionality.
Encryption of all static data must be ensured. Communications must be encrypted. And the devices must be physically secured.
For the Internet of Things to work and for the data collected to be valid, security of the things and the data must be perfected.
My best advice for exploring IoT is to select your device vendors based on security, data quality, and special features—in that order. However, if you're locked into a vendor already, you should contact a company that specializes in IoT security to assist you in updating, upgrading, and securing those devices.
Can you think of any security issues that I didn't cover in this post for IoT? Talk back and let me know. What types of security measures do you employ?