Getting a Handle on IoT Cybersecurity
The Internet of Things (IoT) is already huge and growing quickly. As everything becomes “smart”—smart cities, smart health care, smart agriculture, smart energy, smart infrastructure, smart vehicles, smart buildings—both the temptation and the opportunities for criminals to disrupt this technology increase. The IoT is not a centrally-managed, homogenous system with carefully crafted security; its hardware and software include security schemes that range from very sophisticated to nonexistent.
One step to solving the IoT cybersecurity challenge is to understand the nature of the challenge in a structured way and to make sure that everybody uses the same vocabulary to discuss things. Researchers at the University of Louisiana at Lafayette have taken on this challenge, and they have summarized their research in a paper titled Security Taxonomy in IoT – A Survey, by Phillip Williams, Pablo Rojas, and Magdy Bayoumi, Ph.D.
The paper describes several incidents that give the reader a clear sense of the urgency of the challenge. For example, a botnet targeting IoT devices disrupted several well-known video streaming, social media, and payment sites. Hackers have been able to remotely change dosages on pumps delivering critical medicines to patients. Hackers have also broken into thermostats of buildings; imagine the problems that could be caused by pumping excessive heat into cold rooms or by turning down furnaces in winter and causing pipes to freeze and burst.
Baby monitor cameras have been hacked, and industrial blast furnaces used in steel production have been severely damaged. In other instances, passwords have been changed, locking even system administrators out of IoT devices. Perhaps worst of all, the article mentions 19 successful attacks on the system responsible for managing and securing America’s stockpile of nuclear weapons.
Beyond reporting on issues, the paper provides a useful chart that illustrates exactly how common IoT devices lack security in authentication, authorization and integrity, access control, availability, encryption and confidentiality, secure communication, and non-repudiation. It also lists the security threats to which common IoT devices may be vulnerable, including tracking, cloning, man-in-the-middle attacks, eavesdropping, spoofing, denial of service, and much more.
The three authors of the paper have performed a valuable service in writing this paper, and IoT engineers and administrators would do well to consider its findings.