As both business and consumers show a rapidly growing interest in the Internet of Things (IoT), the lax security standards in some of these devices is coming under renewed focus.
Security vendor, Symantec, said in its recent annual security threat report: “Targeted attack groups increasingly focus on IoT as a soft entry point." It previously reported that, in 2018, attacks towards IoT had increased by 600 per cent year-on-year.
Given that $US745 billion will be spent on IoT in 2019, according to research by market intelligence company, IDC research, and by 2022, it will surpass $US1 trillion, the security risks behind IoT are widespread, and potentially catastrophic. We’ve already seen horror stories of everything from hackers getting access to people’s baby monitoring cameras, through to the ability to take remote control of an electronic car on a busy highway.
Azure Sphere as the IoT security solution
According to Microsoft, the problem the IT industry faces in addressing security problems inherent with IoT is that IoT requires a fundamentally different approach to security that that taken with more traditional IT.
“It’s an entirely new challenge. If you think of traditional IT and mobility management scenarios where there’s well defined approaches to data protection and access management, coming to IoT, where those methods don’t apply, it is an entirely new world.” Danielle Damasius, Principle PM, Azure Sphere, Microsoft, said. “With IoT you’re looking at devices that are always on, unmanaged from a traditional sense and unattended in a lot of cases, so often there aren’t many indicators that a device has been compromised – there aren’t the traditional watchdogs in place.”
End-users only have so much they can do to protect their environment of IoT-enabled devices. The hardware manufacturers also need to be proactive when developing solutions around IoT security. With so many devices in production, and no unified platform for IoT security to operate on, manufacturers have previously been left to their own security practices.
By the time the end-user has a few IoT devices in their environment, security has become a patchwork of differing standards provided by a wide range of different vendors that have vastly different levels of resourcing available to provide security. Hackers only need to find one vulnerability to gain access to the organisation’s network – and such an environment is ripe for finding weaknesses. It is why IoT is seen as a “soft target”.
As a result, Microsoft has developed Azure Sphere to create a highly secured IoT devices. A Linux-based embedded OS and cloud service for microcontrollers, Azure Sphere addresses the most critical challenges facing IoT by presenting a uniform platform for security that all device manufacturers can access.
Manufacturers implement the Azure Sphere platform onto their devices, and can then rely on the built-in security provided by Microsoft’s security practice. Connected to the cloud, Microsoft brings its considerable weight in security to failure reporting to identify threats and automatic updates to address vulnerabilities as they are revealed.
IoT security best practices
In looking to address the threats, Microsoft developed a design philosophy in approaching IoT security, called the “seven properties of highly secure devices”. These properties are a blend of hardware, OS, and cloud-based security properties, creating an end-to-end security solution, and highlighting the need for IoT security to be approached as a whole-of-industry challenge.
“Foundationally, we believe that when you start building devices you should immediately have security in mind,” Damasius said. “Azure Sphere is designed to make it easy and affordable for manufactures to build renewable security into their devices from the outset.”
Microsoft also has a network of hardware and design partners that it works with to help other partner manufacturers build security into their devices.
“Some manufacturers in IoT still think they can solve for security later,” Damasius said. “No manufacturer sets out to make insecure devices, of course. Nobody wants to be the one with the botnet refrigerator. But if they’re not being proactive about security from the outset, then they’re unintentionally being insecure and putting their brands and customers at risk.”
IoT offers some great opportunities around technology and innovation, and it won’t be long before connectivity is standard practice for just about everything. However, the IT industry does need to come together to deal with the security challenges of IoT; the risk of data compromise is simply too significant to ignore at a time where data sensitivity is top of mind among consumers and regulators. Establishing a standard platform that can be natively implemented into IoT chips is a key first step in creating a better security practice across the industry.
For more information on IoT and security, don’t miss Danielle Damasius’ presentation at the IoT in Action event in Sydney on March 19. Register to attend here.