IoT – omnipresent and ambivalent Smart World – What Do We Do for Security?
IT facilitates many things – in industrial production and infrastructure operation, but also at home, in the streets and at the gym. This creates new targets. How do we deal with that?
IT has fundamentally changed the industry over the last 20 years. Factories have been retrofitted, logistics networks built up and overlapping value chains established. The production takes place globally and locally (glocal production), augmented reality shows the way to the spare part in the high-rack warehouse and cyber-physical systems interact with and monitor the production processes by means of sensors and actuators. However, smart factories also offer more targets for attacks: from the theft of physical and intangible assets like data and processes to factory espionage and actual sabotage.
In operation engineering also, there is less work carried out on site. Remote access, however, involves risks, e.g., for critical infrastructures, such as power plants or waterworks. The life cycles of the technologies used are several times longer than in IT. The central administration must therefore be able to deal with a wide range of components from the last millennium – and with its security standards which are not based on today's threats. In addition, critical infrastructures require a variety of sensors to ensure operation, and these are not risk-free. Newer sensors have significantly more functions and many have a radio or network connection as well as enough CPU and memory reserves to be able to provide their service in 10 years' time. When safety is neglected, such devices quickly mutate into small, powerful soldiers in an army of bots.
Smart homes, wearables and vehicles
Sensors also surround us in our private lives, either in our own four walls or on our bodies: small digital helpers measure all sorts of things and facilitate everyday life by gathering data. Intelligent vehicles do the same. Their assistance systems often synchronize their data directly with the manufacturer. As a user, we do not know whether our user data has been sufficiently anonymized. In most cases it is also unclear to whom the data belong, which jurisdiction they are subject to, who can evaluate them, and who is liable for them when they are stolen. The direct dangers are not to be underestimated either. For example, there are already ways to crack intelligent locking systems to open vehicles.
Organized crime plays an increasingly important role in attacks on the private sphere and on companies. It also relies more and more on the division of labor, on automation and modularization. Cybercriminals use standardized services such as platforms and botnets, frameworks for Trojan horses or money mules for money laundering. Nowadays, there are complete packages on offer, for example for ransomware – cybercrime as a service – so to speak. With this professionalization certain task areas become more replaceable and the fight more difficult. In addition, automation allows widespread attacks, which means that a very low success rate brings enough profit.
What to do?
The challenges to security are complex and need to be addressed in a variety of ways. Technical adjustments to the end user's infrastructure are required, as well as measures taken by manufacturers of software and hardware, and regulatory measures.
There is little you can do as an individual, ponder the advantages and disadvantages when you purchase a product, for example. The support offered is essential. Will the manufacturer still supply security updates in two years' time? Are the patches installed automatically or do you have to do this yourself? Furthermore, you can segment your private infrastructure, for example by isolating the smart house, the car or the backup system in their own network, analogous to the perimeters in companies. Combined with a better authentication protection, for example by means of a second factor, this increases the barriers against an attack or at least allows an adequate recovery in the event of damage.
Companies have more options, but protection is also more difficult. Who may do what in Industry 4.0, when and where? How are interfaces protected, who regulates permissions, who bears responsibility and who is liable? Also in operation technology, it is important to clarify how to deal with the growing targets and how the mass of devices can be sensibly managed and maintained. The protection has to be in depth and to be modularized in the same way as the internal and external services used. It is necessary to implement a combination of individual and networked protection mechanisms in each of the modules. On the one hand, the classic perimeter protection is to be ensured with tools such as virus scanners or firewalls. On the other hand, early detection must be extended. In order to recognize modern attacks such as advanced persistent threats (APT), a holistic monitoring of the systems is required. A risk score can be generated by continuously reviewing network transitions for patterns and anomalies. Only through the correlation of such data can a timely response and a full depth defense across all security shells and modules be achieved.
At the same time, the monitoring raises questions about data protection: What is allowed, what not? Who decides whether security or privacy is more important? Some decisions must also be found politically and implemented, for example, with regulations.
Together we are strong
It is important to pay attention to security as an individual. For an effective defense against attacks, however, we need the exchange of experiences and cooperation models. Similar to the increased division of labor and structuring of attacks on the part of organized crime, a professionalization of the defense must be introduced. In addition to the classic training of end users, this means organized collaboration in combating cyber threats through so-called threat intelligence. By means of a coordinated exchange of information between stakeholders, early warning systems can be adapted and fine-tuned in a timely manner. Only in this way can smaller companies have a chance to defend themselves against new attacks and to ensure survival in the eternal cat-and-mouse game.
This article was published in a slightly adapted version titled "Crime as a Service" in Computerworld in May 2017.