Cyber security is undoubtedly a word we will hear more often in 2021. With the increasingly widespread use of smart devices connected to the internet, cyber security becomes a key consideration when thinking about adopting IoT technologies.
As they can interact with and control our environments – just think about automated access control of a building or facial recognition technology – they need to be protected from cyber-attacks.
‘Internet of Things’ (IoT) devices – also known as smart devices – are being added to our homes and workplaces on an increasingly regular basis, enabling spaces to become more intelligent and interactive. Whilst there are many benefits to introducing IoT devices in our daily lives, we also need to consider how we best manage privacy and data security.
What are IoT devices, and how do they work, exactly?
Source: Juniper Research
IoT refers to the network of interconnected devices that can interact within an enclosed environment (e.g. home, office, store) or outdoors (e.g. auto mowers, smart sprinklers, and more). Smart devices can be connected to each other and the internet in a network (cloud) which can be private, public or a hybrid mix of the two. However, most of the data is transmitted through the Internet, which is public.
IoT devices add varying levels of interactivity to the spaces in which they are used, bringing a multitude of benefits to the end-user. These range from the convenience of automating processes and remotely controlling various appliances or systems in the home or the office, to energy optimisation capabilities and new functionalities for an enhanced home and office experience.
Smart devices in our homes and places of work
Statista estimates that UK household penetration of smart devices in 2021 will be 37.4% and is expected to hit 63.0% by 2025. In 2018, a YouGov survey revealed that 66.44 million people (23% of the population) already owned a smart device.
Of all users, the age groups with the highest adoption are, unsurprisingly, 25-34 year old Millennials (28.8%) and 35-44 year old Gen Xers (23.1%), those we expect would be more open to digital transformation.
The rise in the use of smart technology in everyday personal lives – smartphones, smartwatches, voice-activated devices, smart light bulbs, to name a few – and the increasingly affordable price of tech mean that adoption in other areas of our lives is reaching a peak stage, too.
In the past few years, discussion of smart cities’ development and, therefore, of intelligent buildings has abounded. With 5G technology now a reality, smart tech can reach new heights and speed up the development and adoption process over the next few years. The volume of activity we’re seeing here at Smart Spaces is a clear example of just how much smart technologies are taking real estate and workplaces by storm.
What is cyber security, and why is it important?
According to the National Cyber Security Centre, cyber security can be defined as the manner in which individuals and organisations deal with the risk of cyber-attacks.
Cyber security’s primary function is to ensure that devices, and the services people access, are protected from being breached by unauthorised parties who could steal and misuse, or even damage, the device and/or the personal data stored on it.
With the advent of data privacy regulations such as GDPR, the focus on data privacy has grown tenfold in previous years. Looking ahead, we expect an even greater emphasis on this and, in particular, how cloud-connected devices are secured.
What are the risks incurred by IoT devices?
IoT ecosystems can be quite intricate, interconnecting devices of different complexities and capabilities developed by various vendors with diverging protocols.
It is important to distinguish between the types of risk that can be incurred: cybersecurity risk and privacy risk. Although related, these risks have distinct requirements that need to be taken into account when deciding how best to approach risk management initiatives.
In a NIST research paper looking into ‘Considerations for Managing Internet of Things Cybersecurity and Privacy Risks’, the authors define cybersecurity risk as malicious actions executed by a third party, aimed at taking advantage of vulnerabilities in systems and devices. These activities are directed at damaging the device itself and/or compromising the data stored in it.
A privacy risk concerns the issues that can arise from the authorised processing of personally identifiable information (PII) that an organisation carries out to meet its mission or business needs.
Depending on an IoT device’s capabilities, cybersecurity and privacy can both be affected, so it’s essential to have a clear view of each device’s functionalities.
As smart devices can interact directly with the real world through sensors or actuators – such as opening locks or controlling the HVAC units in a building – as well as provide personnel, processes and other devices with access, management and monitoring capabilities, the damage that can be incurred to the device and data can be severe.
Interface capabilities, such as those provided by APIs (application programming interfaces) or those found in smartphones and Wi-Fi, give smart devices the ability to communicate with other devices.
NIST argues that these different capabilities mean IoT devices are open to various risks and have to be protected on three separate but interconnected levels to provide risk mitigation:
- device security to ensure it doesn’t get compromised and used to conduct attacks
- data security to ensure the data collected, stored, processed or transmitted by the device keeps its confidentiality, integrity, and availability; this includes PII data
- individuals’ privacy to ensure it is not affected by the device and data security processing
Solutions to protect your smart devices from cyber security attacks
An efficient cybersecurity strategy aims to protect all connected devices and networks and the data they collect, store or transmit. To ensure this, a thorough risk assessment to understand specific vulnerabilities must be carried out throughout the IoT ecosystem’s lifecycle, as the ecosystem is bound to change and expand over time.
But how is it possible to increase the security of smart devices and their data?
Authentication & Authorisation
Through authentication and authorisation, access to smart technology is restricted to personnel who have been identified and authorised. On the Smart Spaces platform, permission is provided on a role-based access control (RBAC) model and geofence-based access control (GBAC) to protect onsite access.
Therefore, authenticated users of an IoT ecosystem (devices and networks) are granted access to only those features and controls that their position in the building and workplace hierarchy permits.
An example of permissions by role could be:
- a visitor being given only temporary access to the building, parking space and specific workspace via a QR code or visitor
- front of house staff could be granted only those functionalities needed to manage reception, including the ability to create visitor passes for visitors who have not pre-booked
- a Facility Manager could be able to control the complete environment or only their designated floor(s), including access to a digital twin dashboard for predictive maintenance and actioning
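The role and geofence checks described above can be combined into a single deny-by-default decision. The sketch below is an added example, not Smart Spaces code: the role names, action names, `Grant` fields, coordinates and the 150 m radius are all assumptions chosen to mirror the visitor, front of house and Facility Manager cases.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Hypothetical role -> action map; role and action names are assumptions.
ROLE_ACTIONS = {
    "visitor": {"door.open", "parking.enter"},
    "front_of_house": {"door.open", "visitor_pass.create"},
    "facility_manager": {"door.open", "hvac.set", "dashboard.view"},
}
ONSITE_ACTIONS = {"door.open", "parking.enter"}  # only valid inside the geofence

@dataclass(frozen=True)
class Grant:
    role: str
    floors: frozenset            # floors this grant covers
    expires: Optional[datetime]  # None means no expiry (staff); set for visitors

def distance_m(a, b):
    """Haversine distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))

def authorise(grant, action, floor, position, now, site, radius_m=150):
    """Deny by default: every check must pass. Returns (allowed, reason)."""
    if action not in ROLE_ACTIONS.get(grant.role, set()):
        return False, "role lacks permission"
    if grant.expires is not None and now >= grant.expires:
        return False, "grant expired"
    if floor not in grant.floors:
        return False, "floor out of scope"
    if action in ONSITE_ACTIONS:
        if position is None or distance_m(position, site) > radius_m:
            return False, "outside geofence"
    return True, "ok"

# Constructed sample data (coordinates and times are illustrative).
SITE = (51.5074, -0.1278)
NOW = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
VISITOR = Grant("visitor", frozenset({3}), NOW + timedelta(hours=8))
MANAGER = Grant("facility_manager", frozenset({2, 3}), None)

if __name__ == "__main__":
    print(authorise(VISITOR, "door.open", 3, (51.5080, -0.1278), NOW, SITE))
    print(authorise(VISITOR, "hvac.set", 3, (51.5080, -0.1278), NOW, SITE))
    print(authorise(MANAGER, "hvac.set", 5, None, NOW, SITE))
```

A position reported by the user's own phone can be falsified, so the geofence check is only as strong as the source of `position`; the decision should be made server-side and each denial reason logged.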
Securing Smart Enabled Buildings
Because of the complexity, heterogeneity and the large number of interconnected resources, authentication and authorisation become essential tools to keep control of and properly secure the IoT devices and networks.
However, practical strategies to secure the ecosystem don’t stop at one solution.
An automated detection and response (ADR) solution could be the most effective strategy to secure all aspects of an IoT infrastructure. An ADR combines several types of security measure, including security information and event management, intrusion prevention and detection, endpoint detection and response and more, for a broader defence against threats.
Blockchain, machine learning and artificial intelligence are the latest technologies and tactics to be brought to the field of cyber security to help hinder threats to these ecosystems. They are still in their early stages, though, which makes practical application challenging.