IoT is creating many exciting opportunities for organizations, while at the same time introducing new risks and liabilities – particularly concerning network and security management. Because IoT applications interact with the physical world, a security breach can result in injury or property damage in addition to data loss/theft. These risks are particularly high when an IoT application is used to monitor critical infrastructure.
In the next part of our ongoing IoT Insights series, I share some key insights I’ve learned from my time in IoT and as Senior Vice President of Information Technology and Security here at KORE. A crucial step in successfully launching and sustaining your IoT solution is to understand best practices of IoT network and security management. Let’s take a high-level look at four of the critical questions we answer in the full insight report:
Businesses encounter the most challenges when managing and securing IoT devices located outside their four walls. These unprotected devices in the field can become vulnerable because they can be physically accessed by hackers. Some examples include premise security systems, such as security cameras, and devices that monitor critical infrastructure, such as bridge sensors. If these devices are compromised in any way, they may transmit inaccurate readings and require maintenance trips and truck rolls to repair or replace the devices.
In some cases, your physical device is not at risk – but your data is – because the network connection is not secured properly. Many IoT solutions, such as Personal Emergency Response Systems (PERS) devices and ATMs, transmit sensitive information. When segments of the network are not under direct control of the organization that deployed the IoT device, those unprotected segments may be open to hackers, putting end users’ data at risk.
Additional vulnerabilities can exist when security patches are not up-to-date. Security patches are small but critical software updates that can fix known security issues in a device’s software. Device manufacturers release these patches frequently, and IT and business users are often remiss in applying the latest patches promptly. Many organizations also face new challenges keeping up with patches due to the scale of IoT systems. Applying security patches to thousands of IoT endpoints can be a daunting undertaking, leaving devices unprotected and vulnerable to attack.
The best way to reduce the number of security vulnerabilities in your solution and ensure robust IoT security is to perform threat modeling during the design stage. Threat modeling begins with an architectural diagram of the solution that clearly depicts how data flows throughout the solution’s different elements. This allows you to clearly identify the most likely liabilities, document them, score them, and then determine the necessary steps to mitigate them. It is much easier to deliver a secure IoT solution by designing the solution with security in mind at the start rather than attempting to add security to a solution after it goes to production.
Once threat modeling is complete, you need to assess whether your solution requires data encryption. Encryption is essential if your IoT solution collects and processes sensitive information such as Personally Identifiable Information (PII). If it does, this data should be encrypted at rest and in transit.
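The sketch below is an added example, not taken from the KORE report: it records a data-flow diagram as elements and flows, flags field devices, PII left unencrypted at rest, and unencrypted flows, then ranks the findings. The element names, the sample architecture, and the likelihood × impact weights are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    owned: bool                      # under the deploying organization's direct control
    field_device: bool = False       # deployed outside the four walls
    stores_pii: bool = False
    encrypted_at_rest: bool = False

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    carries_pii: bool
    encrypted: bool

def find_threats(elements, flows):
    """Return (score, location, finding) tuples, highest score first.
    Score = likelihood (1-3) x impact (1-3); the weights are assumptions."""
    by_name = {e.name: e for e in elements}
    found = []
    for e in elements:
        if e.field_device:
            found.append((2 * 2, e.name, "device can be physically accessed"))
        if e.stores_pii and not e.encrypted_at_rest:
            likelihood = 3 if e.field_device else 2
            found.append((likelihood * 3, e.name, "PII not encrypted at rest"))
    for f in flows:
        if f.encrypted:
            continue
        # A flow touching a segment the organization does not control is likelier to be tapped.
        controlled = by_name[f.src].owned and by_name[f.dst].owned
        likelihood = 1 if controlled else 3
        impact = 3 if f.carries_pii else 2
        found.append((likelihood * impact, f"{f.src} -> {f.dst}",
                      "unencrypted data in transit"))
    return sorted(found, key=lambda t: -t[0])

# Constructed sample architecture (not from the article).
ELEMENTS = [
    Element("pers-device", owned=True, field_device=True, stores_pii=True),
    Element("carrier-network", owned=False),
    Element("app-server", owned=True, stores_pii=True, encrypted_at_rest=True),
    Element("ops-dashboard", owned=True),
]
FLOWS = [
    Flow("pers-device", "carrier-network", carries_pii=True, encrypted=False),
    Flow("carrier-network", "app-server", carries_pii=True, encrypted=True),
    Flow("app-server", "ops-dashboard", carries_pii=False, encrypted=False),
]

if __name__ == "__main__":
    for score, where, finding in find_threats(ELEMENTS, FLOWS):
        print(f"{score:>2}  {where:<32} {finding}")
```

Re-running the function after each design change shows which findings the mitigation actually closes and which remain to be addressed.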
While data encryption has been used by enterprise and government IT organizations for many years, data encryption for IoT solutions lags behind. In fact, a large number of IoT devices are still transmitting unencrypted data. One reason is that many IoT devices have limited memory and processing power, so solution providers forgo encryption in order to save valuable device resources.
To overcome the challenges of underpowered devices incapable of device-level encryption, offload your encryption functions to the network or cloud provider. For example, data transmitted on the KORE network is protected by a virtual private network (VPN), where we encrypt the traffic between the KORE network and the customer application servers, even if the customer servers are in AWS or Microsoft Azure.
An organization’s Chief Information Security Officer (CISO) or equivalent member of the security team is typically responsible for the security of an IoT solution. If your organization does not have a CISO, consider partnering with an experienced IoT provider to lead the process and help ensure that the appropriate security measures are included in your solution.
When seeking a partner to help safeguard your devices, network, and data, it is important to work with IoT partners that have deep IoT expertise. A good device partner should have the ability to remotely enhance device security capabilities after the solution has been deployed by delivering firmware upgrades and patches Over-The-Air (OTA). An ideal IoT network services provider should have a secure global network, purpose-built for IoT, and comprehensive VPN solutions. A data services or application development partner should show evidence that a secure software deployment lifecycle (Secure SDLC) is in place and that static and dynamic code analysis tools are used.
IoT security and data privacy are crucial to ensure the long-term success of your IoT solution. To learn more about ensuring security at every stage of your IoT solution, download the full Insight Report: Network and Security Management.
Chris has an extensive background in technical leadership and project management in the wireless communications industry. With over 20 years of Information Technology industry experience, Chris has overseen dozens of large-scale wireless and mobile technology projects. Prior to leading the network and security groups at KORE, Chris served as VP of Technology for RacoWireless, where he directed the build-out of the company’s next-generation M2M network and device management portal. Chris oversees a talented staff of system, security and network engineers and manages the day-to-day operations of KORE’s world-class datacenters. He possesses experience in the areas of network security, disaster recovery/business continuity, location-based services, enterprise systems, and massively-scalable application architecture. Chris received his bachelor's in computer science from The Ohio State University.