The Internet of Things (IoT) lets all kinds of objects and networks talk to each other, opening up incredible new opportunities. But in parallel, serious security challenges arise. No matter how strongly you have secured your organisation, a single sensor can jeopardise your meticulous measures. So, is IoT doomed? Or can we embrace the technology in a responsible manner?
In this session, we were guided through both pitfalls and best practices, as our experts shared insights on how to achieve a proper level of security with IoT. We topped the afternoon off with a real-life case from Renson.
IoT security applied in a real use case
First up, Kwinten Volckaert, Applications Manager with Nextel, shared the story of Volys - a chicken and turkey food products company. To meet their growth ambitions, the company had to tackle some specific and varied concerns, such as:
To handle these challenges, Volys embraced an all-round solution (see slides 10-11). The new flow supports much higher efficiency: in the supply chain, loading bays, even the parking lot and reception areas.
Next, Bart Van den Branden, Business Development Manager at Telenet, explained how to improve the visitor experience by making it digital. Think about attending a meeting at another company: you need to identify yourself at the parking gate, check in at the reception desk, etc.
When developing any solution in IoT, there are a few potentially weak links:
Make sure to have a certified device, Bart emphasised - do your homework before purchasing any device that ‘does the work for you’. You could even ask an ethical hacker to test the device.
Next, check how the device communicates with your network. Does it use your company's existing Wi-Fi, or do you need to create a separate network (or even smaller segments) per application? Or maybe you can use a secure VPN/APN tunnel from your mobile network towards your data centre… (slides 29-24)
When we look at the application side, typically devices and sensors come with a built-in application (that works in 90% of cases). But you don’t know where the information is stored, who has access, etc. These devices fail on most GDPR-related issues.
When building your own custom application, such issues can be avoided. And often, specialised suppliers have template-based applications – custom-made, but using standard components. This speeds up development, while standardising and securing the solution.
IoT in a VUCA environment
"The world is changing", Patrick Muylaert, Manager Key Accounts at Securitas, began. Today's paradigm shift brings us into a Digitised Hybrid Citizen Network. Understanding people and the customer experience remain key, as does safety: whether in businesses, healthcare, mobility, demographic and climate change, etc.
However, as a company, you need to be aware of regulations and certifications. Even when you're willing to innovate and disrupt, the rules and law have to work with you.
When asking yourself if IoT is secure, Patrick insists you can only answer the question through data. In itself, with the internet accessible by everyone and ‘everything’, IoT is not secure. But it comes down to what you do with the data:
Move your focus, he explained, from the 'war on talent' to the 'war on data'.
Security is a relative concept, as nothing is without danger under all circumstances. So search for a good balance with:
Each industry needs to prioritise these elements for themselves. But when on a project, work with people and with their knowledge, and be transparent about what you have in mind.
IoT: are we doomed?
"Are we doomed?" Eward Driehuis, Chief Research Officer at SecureLink, threw this question right into the group. He sees many concerns regarding IoT - tons of devices, produced in China, where nobody is concerned about how we will use them or how secure we are (see slide 2). Devices are cheap, firmware rarely updated, and nothing is supported.
Eward gave us an overview of cybercrime, then zoomed in on the impact of IoT crimes on our business. Cryptojacking, for instance, has been on the rise, seemingly overtaking ransomware - yet reality shows that ransomware is still the ‘easy money’ for cybercriminals.
IoT does not feature much in this area, primarily because IoT devices gather data, but don’t hold it. Social engineering is far more interesting, and by far the preferred method of cybercriminals. In 2018, we saw three types of risks, none of which included IoT (as cybercriminals focussed on lower-hanging fruit).
In summary, Eward quoted Gartner: IoT security as such doesn't exist ("Security and risk management leaders stop expecting large defined IoT markets to evolve. Specific niche technologies are needed, but to prepare for life after IoT, develop the right skills and a consistent approach to delivering IoT-infused technology programs").
Focus on the basics, he recommended:
Protection only gets you so far: detection and response can be much more valuable and actually keep you safe.
Case: Mapping IoT security to business models
Our final speaker was Brecht Neyrinck, Team lead IoT at Renson (a company creating healthy and comfortable indoor environments for living and working). OpenMotics is a subsidiary of Renson.
Brecht presented Renson's high-end ventilation system, ‘Healthbox’. With IoT, Renson can connect to and influence indoor air conditions. The platform for the Healthbox is closed, Brecht emphasised:
The idea here is that while a user might compromise his own system, such an incident goes no further, and compromises no other systems. Furthermore, the device software is well secured (see slide 9).
Renson takes security one step further with a certificate (embedded in a QR code) guaranteeing that the person logging in to Healthbox is a Renson user, who is using a Renson device to access a Renson app.
Moving to the OpenMotics story, Brecht pointed out that this platform is more about an open-source IoT approach (see slides 13-17).
Wrapping up, he concluded: the closed source business model tries to guarantee a safe environment for your personal data, while the open source business model strives to empower you to be in control of your own data.