Tue, Jun 27

The Need for IoT Security

Utilities, and other energy organizations, are moving into the IoT ecosystem in a big way. There are a lot of advantages to getting data in real time at a granular level. Better business decisions and lower costs are now possible. The imperative to lower emissions to meet government targets will also be assisted by IoT devices.

However, many people have become concerned about the downsides of connecting every appliance and system together: cyber attacks and privacy issues. On one level, a smart city's cyber infrastructure is an ideal target for both terrorists and “ordinary, decent criminals”, because the rewards can be very high and the risks small. If you are a bad actor operating your attack from an internet cafe half a world away from the victim, the chances of getting arrested are minimal.

The challenge of IoT security is multi-layered and cross-domain, and involves not just technologies but also local authorities, regulators, governments, policies and laws.

This vulnerability is increased by the use of wireless connections rather than wired ones, which are less easy to get access to. New wireless technologies including LTE, Bluetooth Low Energy (LE) and LoRaWAN have to be secured, and the workforce is very fond of using their own devices rather than company-issued hardware, which again complicates security.

Automation tools which probe for weaknesses are more readily available to malicious actors, and social engineering, where employees are duped into giving access, can be effectively deployed against organizations.

In 2021 Orange, the European telecommunications giant, launched an initiative called "IoT SAFE" in collaboration with Thales, an important manufacturer of electronic devices. Best practice involves collaboration between a network provider and an IoT device manufacturer: this significantly improves the security of IoT devices. IoT SAFE holds all the cryptographic keys securely on the device's SIM card (or eSIM).

Some companies are looking at Security-As-A-Service: where a third party with expertise in this area ensures a company's systems are as defended as they can be, and also performs “White Hat” hacking tests to see if there are vulnerabilities. By having a specialist service like this, companies can avail themselves of the best expertise, without having to train their own staff in what is not a core activity for many utilities.

The risks in IoT are evolving rapidly as the technology advances. This shifting threat landscape means enterprises need to find trusted partners to mitigate risks across the endpoint, network, transport, cloud/data and application layers.

  • Secure end-to-end. The IoT comprises a lot of different areas, any of which could be the weak point.

  • Secure by design. End-to-end security should be inbuilt from the beginning, not overlaid at the end.

  • Establish policy and processes. This might include things like network separation, strong passwords, use of public key infrastructure, and certificate management. It might also include compliance with standards, and obtaining ransomware insurance.

  • Compliance. Establish a mechanism for ensuring that the organization is compliant with the ever-changing regulations relating to IoT and particularly security.

  • Train your people and partners. The biggest security risk is generally the failure to follow established practices, which can be mitigated by training, including business certification such as ISO and Cyber Essentials.

  • Manage your partners. Organizations will almost invariably rely on third parties for the provision of parts of any IoT project. Everyone must be confident that they are complying with best practice for security. Do your due diligence on them and their security practices.

 

This is an evolving area of technology, and no doubt new threats will emerge as more areas and devices are connected together. But the benefits look to outweigh the risks.