The Internet of Things (IoT) paints a picture of a future Internet in which users, computer systems, and everyday objects (fitted with sensing and actuation capabilities) talk to each other, resulting in unprecedented convenience and economic benefits.

The IoT has enormous potential and can be found in many everyday activities. It makes cities smarter, industries way more efficient, transport safer, and can even improve life in general. Remote and smart monitoring of homes, cars, shops, and factories can greatly improve efficiency and convenience. However, it is not without risk. These tools can be hijacked to disrupt critical infrastructure, resulting in dangerous and costly outcomes, or, on a personal level, potentially expose our homes and private information to criminals. Hence, IoT has always needed to be secure in order to prevent malicious use.

In the rest of this article, we will explain in detail the IoT’s security challenges and how Randstad Digital's Innovation Center is pooling its expertise to offer solutions for each case studied. 

 

everyone is talking about the IoT, but what does it really mean?

The IoT refers to a network of physical objects that can access the internet. The term ‘IoT’ is widely used, and its meaning is a little vague, mainly due to the very large number of concepts it encompasses. Therefore, there are several different definitions. At the Randstad Digital Innovation Center, we use the International Telecommunication Union’s definition, which describes the IoT as a "global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies." These things can be small and portable, like smart wristbands (e.g., Fitbits), connected watches, and smartphones, or larger, like appliances (smart refrigerators) or futuristic means of transport (driverless cars, etc.). These objects need to be able to connect to a network (WiFi, 2G/3G/4G/LTE, etc.) and must have sensors to collect raw data from their environment. This data is then stored on an online server before being processed and distributed in the form of information, which can then be used by the end user. For example, ski resorts can predict potential avalanches by collecting feedback from a network of connected sensors spread across snow-capped mountain peaks.

 

why should we be interested in the IoT?

When information and communication technologies make it easy to connect a multitude of small devices to the Internet, countless applications and opportunities emerge. The IoT announces the emergence of smarter cities, more efficient industries, and a better quality of life by becoming part of our homes and means of transport. 

Let’s focus on three main areas of application, i.e., homes, cities, and smart industries.

Smart home objects now account for about 25% of all IoT devices. According to forecasters, sales of these objects reached 490 billion dollars in 2019, with home and security applications taking the lion’s share. The impact is difficult to measure at this early stage, although a recent report pointed out their particular usefulness for the elderly and people with disabilities.

Increasingly, cities are using connected objects and information technologies to improve the quality of urban services, reduce costs, and improve security.

For example, China has recently deployed a facial recognition system to combat terrorism. Obviously, a properly defined legal framework is necessary in this case.

The IoT can also help cities better manage their energy consumption. The city of Los Angeles replaced its public lighting with LED street lamps, thus reducing its energy consumption by a whopping 60%. The wireless connection of this new system to a network control center should provide additional maintenance savings while creating a dynamic system that improves security.

 

In the era of Industry 4.0, factories are using connected machines to personalize consumer products without having to massively modify their production chains. Intel has put in place a pilot system to analyze information from machines, sensors, and plant workers to help the company improve real-time checks on manufacturing processes. It estimates that it has made an annual saving of 30 million USD on the production of its computer chips. Similar IoT and Big Data analysis systems can be implemented in a wide range of complex manufacturing processes.

Thanks to this wide range of applications (and their future uses), the burgeoning IoT market is expected to triple in size by 2020 compared to 2014 and will dominate almost all embedded systems by 2020. Consequently, it seems like it would be a good idea to invest in the IoT.

But its use is not without risk.

 

… what could be a bad scenario?

Although there are many advantages to the IoT, security is a major challenge.

Let’s take a look at a day in Nathalie’s life that goes horribly wrong:

This morning, Nathalie was late for an appointment as she couldn’t find a parking space anywhere. All the car parking signs in the neighborhood were saying there were no available spots. So, she ended up parking further away than planned, but as she was walking to her appointment, she noticed lots of free parking spaces. After the meeting, she wanted to do some shopping. Having forgotten her shopping list, she tried to connect to her smart fridge, but in vain. So she went to work. Nathalie runs a small factory packaging fresh fruit juice, which is made and packed on-site. The automated and connected production line began to behave bizarrely in the early afternoon: bottles were either overflowing or only half full. Large quantities of fruit juice were being wasted, and a large number of bottles could not be sold. Nathalie decided to shut down the production line until the problem was resolved. Her IT expert discovered that malware had entered the system, allowing an intruder to change the control commands on the production line. Driving home, she heard a report on the radio about a cyber attack on parking information signs in her town. Once home, she understood why she couldn’t communicate with her smart fridge. A backdoor in her smart home system, which had never been disclosed, had been exploited, and the attacker had turned off the fridge.

This scenario is based on the three main areas of IoT mentioned above. Is it realistic?

Dystopian scenarios are partly realistic for two main reasons:

  • connected objects are like small computers. They can be attacked via a Trojan, virus, spyware, or malware.
  • they are connected to the Internet 24/7.

Several security incidents have occurred in the past.

In November 2013, Symantec confirmed the discovery of the first IoT worm, called Linux.Darlloz. The worm targeted computers using the Intel x86 architecture. It also targeted devices using the ARM, MIPS, and PowerPC architectures typically found in routers and set-top boxes.

In 2014, a group of students from the University of Michigan, acting as "white hats", took control of real road traffic lights in order to identify vulnerabilities. They were able to change the status of the lights (red, amber, and green) remotely. They also observed that the factory default settings had not been changed and that the network commands were not encrypted.

In December 2014, the German Federal Office for Information Security reported a cyber attack on a steel mill. Beginning with the office computer network, unidentified attackers were able to cause tremendous damage by compromising the industrial control network and preventing the shutdown of a blast furnace. Although many details of this ‘successful’ attack remain unknown, it is likely that companies with similar automation systems will have scrutinized their safety guidelines and practices.

 

what sort of security threats exist?

To better identify and understand the risks, let’s start by looking at and classifying the origins and objectives of attacks on IoT systems.

We classify security threats in terms of their main causes and objectives. This leads to better strategies for setting up more effective countermeasures against all types of attacks.

Threats can be:

  • natural in origin (severe weather events), i.e., not caused by people. The probability of their occurrence largely depends on the geographical location of the system and the climate. Natural causes can be predicted, and their countermeasures usually have nothing to do with IT. Consequently, we will not discuss them in this article.
  • human in origin with no intention to harm, occurring due to a lack of knowledge about systems and procedures. In this case, awareness campaigns and training will significantly reduce the risk of errors and the exposure of connected objects to intrusion risks.
  • human in origin and deliberate, i.e., with malicious intent, directed either at a specific server (directed attack) or at no specific one (random attack).

 

what are the characteristics of an effective security solution?

An effective security solution comprises a range of measures implemented throughout a system’s life cycle. It encompasses a broad set of process management strategies, tools, and policies to prevent, detect, and respond to threats to IT assets.

It relies on six pillars:

  • Confidentiality: only authorized users have access to saved information or information being relayed in a system.
  • Integrity: during data transmissions, no intruder is able to modify the original content of the data. This is a key point, especially in the case of critical data such as electronic funds transfers, air traffic control, etc.
  • Availability: users can access the data they are entitled to see without unexplained constraints. This is the most important attribute for service-oriented companies that rely on information (e.g., airline schedules and online inventory systems).
  • Authentication: a secured system must confirm the identity of the sender/user before any access or data processing can take place.
  • Non-repudiation: non-repudiation of origin proves that the sender is the source of the sent data/information. Non-repudiation of receipt confirms that the user did receive the message.
  • Auditability: a secured system can track all the activities carried out by its authorized users thanks to a transaction log.
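
To make three of these pillars concrete (integrity, authentication, and auditability), here is an added example, not code from Randstad Digital, applied to the production-line commands from Nathalie's scenario. The names `sign_command`, `Controller`, and `fill_ml` and the demo key are assumptions made for illustration; the shared-key HMAC used here provides neither confidentiality nor non-repudiation, which would require encryption and digital signatures respectively.

```python
import hashlib
import hmac
import json

# Added illustration: all names below are hypothetical, not a vendor API.
# Constructed demo key; a real device would keep a per-device key in secure storage.
DEVICE_KEY = b"constructed-demo-key-not-for-production"

def sign_command(key, counter, command):
    """Sender side: serialize the command with a counter and attach an HMAC tag."""
    body = json.dumps({"ctr": counter, "cmd": command}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag

class Controller:
    """Receiver side: verifies each command and keeps a hash-chained audit log."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.audit_log = []      # entries are (record, chain_hash) pairs
        self._chain = "0" * 64

    def _audit(self, record):
        # Each hash covers the previous one, so editing an entry breaks the chain.
        self._chain = hashlib.sha256((self._chain + record).encode()).hexdigest()
        self.audit_log.append((record, self._chain))

    def receive(self, body, tag):
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # integrity + authentication
            self._audit("REJECT bad-tag")
            return False
        msg = json.loads(body)
        if msg["ctr"] <= self.last_counter:          # old command sent again
            self._audit(f"REJECT replay ctr={msg['ctr']}")
            return False
        self.last_counter = msg["ctr"]
        self._audit(f"ACCEPT ctr={msg['ctr']} cmd={msg['cmd']}")
        return True

def verify_audit_log(entries):
    """Recompute the chain; False if a record was altered or cut from the middle."""
    chain = "0" * 64
    for record, stored in entries:
        chain = hashlib.sha256((chain + record).encode()).hexdigest()
        if chain != stored:
            return False
    return True
```

Truncating the log at its end is not detected by the chain alone; the latest chain hash would have to be stored somewhere the attacker cannot reach.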

 

the benefits of the Randstad Digital Innovation Center for IoT security

The Randstad Digital Innovation Center researches and develops ideas so that a new product or service can be commercialized.

With regard to cyber-security, we conduct extensive research, reviewing academic and industrial studies on the vulnerabilities of data communication in the IoT. Each study is carried out for a specific technology in order to design appropriate mitigation measures. Moreover, Randstad Digital has set up a test bench to simulate cyberattacks against each newly designed security solution. One of the Innovation Center’s current projects is to design a security solution for Bluetooth Low Energy (BLE), one of the most used technologies in the IoT. The aim of this project is to design a security add-on. This add-on needs to be portable enough to adapt to different operating systems, depending on the device being used, without adding too much performance overhead.