Safeguarding the Internet of Things Being secure, vigilant, and resilient in the connected age
With 20 billion Internet of Things (IoT) devices in the world, do companies have a strategy for how to use—and protect—the data collected? Irfan Saif and Sean Peasley of Deloitte & Touche LLP spoke to Tanya Ott about how companies can mitigate the various risks across the IoT value loop.
Tanya Ott: This is the Press Room, Deloitte University Press’s podcast on the issues and ideas that matter to your business today. I’m Tanya Ott and today we’re talking about the Internet of Things.
Tanya Ott: Every time you jump into your car you’re getting into a big hulking steel box filled with the Internet of Things. These days the average car has about 200 sensors. GPS, backup assistance, windshield wipers—they can all be equipped with the IoT.
Sean Peasley: In the connected vehicle, for example, it will maybe help to monitor safe driving, give alerts to the driver, and let them know about things that are occurring around them.
Sean Peasley: Hi, this is Sean Peasley, principal within our Cyber Risk Services practice, responsible for our consumer and industrial products group.
Irfan Saif: Irfan Saif. I lead our Technology, Media and Telecom practice.
Sean and Irfan are both with Deloitte LLP and they spend a lot of time thinking about the IoT. And not just in cars. There are 20 billion Internet of Things devices in the world—everything from fitness trackers to smart thermostats to industrial applications.
Irfan Saif: Internet of Things, to me, is really about a device that has a couple of specific characteristics. One is it has some kind of onboard compute or processing power so that it can perform analysis. The second is that it has to have network connectivity and capability and the ability to communication bi-directionally. And the third is it has to have some form of sensors—sensors that can detect some form of ambient attributes in the environment around it and use that information, along with the information from the network, in order to make decisions, take automated actions, or share that information with other sensors.
Sean Peasley: Maybe safety-related, maybe diagnostic-related.
Irfan Saif: [There is also a] Connected irrigation system where you have a sensor that can detect humidity in the soil. It can look online to see if it’s rained in the area. It can look to see what other sensors in the neighborhood are detecting. And it can take action such as turning on the sprinklers for the water system or delaying watering … things like that. That’s an example of the IoT.
Tanya Ott: Basically, one of the key things is that it creates this really powerful feedback or information loop. Can I use the terms information loop and value loop interchangeably or are those two different things?
Irfan Saif: I suppose you could. To me it’s really about the flow of information from the creation of that information, the sharing of that information, and the augmentation of that information. So, in other words, taking other sensory information in order to sort of enhance the value of the insights provided by that information; and then use it to drive decision making. And that’s really where the value is within an IoT ecosystem.
Tanya Ott: Sean, could you take a specific product and then explain how the value loop or the information loop works with that product?
Sean Peasley: Yeah. For example, you might take some sort of connected appliance that’s connected to a consumer’s home. That appliance, maybe say it’s a refrigerator, could be analyzing data about preferences of the consumer and whether or not they are low on certain products—you know, let’s say milk for example. If they see that the milk in the refrigerator needs to be ordered they might be able to communicate with an application that would help the consumer to add that to their grocery list for the week. [It would] eventually also be able to automatically order based on certain preferences that the consumer has and really help make certain decisions based on the criteria that the consumer would give, to say “Here’s how that connected device is going to be able to interact in making things much more efficient for the end user.”
Tanya Ott: These IoT devices are used in lots of different industries. It’s not just thermostats and fitness trackers and things like that. We’re talking the health care industry. We’re talking traffic routing. We’re talking industrial systems that might control very sensitive manufacturing processes.
Sean Peasley: Exactly.
Irfan Saif: Yep.
Tanya Ott: How significant is that risk of data breach with IoT items?
Sean Peasley: The risk is definitely real and it’s significant in terms of what various adversaries have done in the last several years in terms of the ways that they’ve penetrated into various different systems. With having many more devices, you have mobile applications, you’ve got infrastructure components, organization networks, and even a consumer’s home network. All of these may be potential methods for adversaries to be able to penetrate into an environment to gather data, to find information, behavioral information, and other protected personally identifiable information. So this whole environment is much more vast than the typical enterprise has been for many companies.
Irfan Saif: Industrial control systems have actually been compromised in a production environment. In that case it was physical damage sustained. There was no loss of data.
Sean Peasley: There was an incident several years ago where there was physical damage to various different control units for a given nation state.
Tanya Ott: I’m sorry, can I stop you for a second? Because you guys are obviously really familiar with this case and I’m not—and I know you probably can’t go into details talking about companies of whatever—give me a clearer idea of what you’re talking.
SeanPeasley: So the first is a country’s industrial control system, a penetration of their environment. And malware infected their environment and it infected the industrial control systems related to their nuclear enrichment program.
Irfan Saif: Yeah, and the second one was a manufacturing facility in Germany where there was a failure with one of the IoT devices, part of the control system framework. And when that device failed it did not fail in a safe manner. So effectively what happened was it failed in a way that caused a furnace to stay open, which caused part of the plant to overheat. That caused a fire and it caused significant physical damage—so, another different kind of example, but an example of where, you know, not always data loss being the concern. There could be actual physical damage, loss of life—those kinds of things that could be the negative ramifications of cyber breaches with these kinds of technologies.
Tanya Ott: Was that just an example of an IoT device failing that caused a cascading effect on other devices or was that something that someone had maliciously gone in and tampered with?
Irfan Saif: You know, it’s unknown. However, the point being that a lot of times when devices are attacked the intent of the attacker is to cause the device to fail. And sometimes that failure allows for opportunities for them to extricate data. It allows them open access to the device. And so one of the design principles of such technologies, particularly technologies like IoT where there’s a heavy automation component to it, is that if they do fail the desire is that they’re designed and built to fail in a safe way. And that did not happen here.
Tanya Ott: I do want to get to how companies can manage the risk of this in just a minute. First of all, I think it’s important to say that, as you know, IoT is really hot. Companies are rushing to put sensors in all kinds of objects right now. And I know from talking to others in the field that some companies are deploying IoT perhaps without any real strategic plan for how they’re going to use all the data they’re collecting. I’m wondering—what about the security? How comprehensively have most companies thought through the data security issues related to the IoT?
Irfan Saif: Well, I would say in some cases they’ve been relatively well thought through. But there are a number of cases where these are sort of pet projects or their pilot projects and, you know, in many cases they don’t necessarily have the broad range of capabilities and thinking at the table to think through these issues. For instance, [issues like] not only what can you do with the data that’s collected, but also what kind of platform is going to collect the data? How do you govern all of that? How do you—now that you have these IoT technologies, sensors, and all of this processing power, and the ability to act in an automated way—implement system-level controls for what kind of data can be shared? How long can it be retained? And also, as it relates to the security of the devices themselves, how are they secured and how are they built? For example, I’m familiar with a consumer products company and they have a business unit, a division, that’s creating an online IoT-centric product for the first time. None of their legacy products have had any electronics in them. They’ve never connected back “home,” if you will. They’ve never sent any kind of information back, so they have no platform. They have no experience governing and managing this kind of information or these sorts of technologies. And they don’t have necessarily IT or other relevant groups even involved in the design of the platform. They’re just kind of “doing it.” So when you start to think about the scale of the kind of data and the breadth of the challenge, that’s when it’s going to become very, very important to think about these devices and think about the solution development in a very holistic manner. And that’s not happening necessarily consistently today.
Sean Peasley: And we found that’s fairly common, right? That organizations are trying to react to various different market opportunities and they’re trying to be agile and create a kind of a version 1.0 of a product. And that will likely have a lifespan and that’s not necessarily going to be a 10- or 20-year whole lifespan for a product. They’re trying to make sure that it rapidly evolves. Hence, security is probably not the first thing that they thought of. They thought of functionality first; they need to think of the more holistic approach where you look at your research and development and you start to think about ways to build security into the design of the product itself or the overall IoT device and environment, and then build that securely. Also think of not just some of the security mechanisms and controls that we’ve dealt with in the past, but think of even physical security controls. What are the things that are tamper resistant, right? If somebody does open a device and tries to reverse engineer that, it will have an effect and hopefully reduce or mitigate the risk of somebody being able to tamper with that device.
Tanya Ott: Rather than having to go back after the fact and retrofit something that’s already been developed with security measures.
Sean Peasley: Exactly.
Irfan Saif: Exactly.
Sean Peasley: Unfortunately, if you look at the wireless networks as one component to communicate with, you know, we’re dealing with legacy technology having to integrate with those, [which] doesn’t make it as easy because the ecosystem that these IoT devices are using are some of the same kinds of networks that we’re utilizing today in terms of cell networks and other types of wireless networks. So you’re dealing with a lot of different capabilities or lack of security capabilities that those offer, [and] you’ve got to try to do things to take advantage of the different security controls that are available. If there’s deficiencies there then you’ve got to try to think through what can help mitigate the various different risks.
Tanya Ott: So, not just the device itself, its sensors, and other devices it interacts with, but how it gets that data from one to another, whatever sort of transmission that is.
You guys write about Heartbleed and OpenSSL vulnerability. Can you first back up and explain what OpenSSL is for folks who maybe aren’t as versed in it as you are.
Irfan Saif: OpenSSL is simply an implementation of SSL, which is the secure socket layer. The simplest way to explain it is if you’re using a web browser and you see the little lock that indicates you’re on a secure connection, the protocol that it’s using is called SLL. So OpenSSL is simply an open source implementation of the SSL protocol.
Tanya Ott: I have a social media network that will remain unnamed up on my laptop right now and I see a little lock next to the URL. So that’s what you’re talking about. It means it’s secure. Or relatively secure. But we have the Heartbleed issue, which is what?
Sean Peasley: It was an implementation for SLL that has a security flaw that had to get remediated because of that security flaw within Heartbleed itself and the implementation. So organizations that had implemented Heartbleed had to go through and retrofit to add a patch and/or correct that flaw.
Tanya Ott: When you’re talking about IoT devices, they could be vulnerable? They could have that bug in them already and it hasn’t been fixed?
Sean Peasley: Correct. If it had the Heartbleed embedded in it and there’s not a way to update that firmware for the device, then it could be vulnerable.
Tanya Ott: How common do you think this is? How likely is that?
Sean Peasley: I’d say there are many devices that are still out there in the wild that do have Heartbleed on them, so it may take time to completely resolve that issue.
Irfan Saif: I would agree with that, but a lot of those devices aren’t just limited to IoT. There’s lots of web servers. There’s lots of devices that use OpenSSL that are vulnerable—not just IoT devices that might have OpenSSL in them.
Tanya Ott: So it seems like the takeaway from this is largely this is not a set-it-and-forget-it type of situation. You don’t develop an IoT device and develop the security parameters that go with that and then say “oh look, we’re done!” and move onto the next thing. It requires a level of vigilance.
Irfan Saif: That’s exactly right. It requires a full life cycle, if you will, to maintain the platform, manage and maintain the data, keep the components of the device up to date, make sure that the environment that the device sits within is also kept up to date and managed and monitored and all of the sort of good hygiene that you would expect from a robust security program.
Sean Peasley: How do you monitor, you know, if adversaries are trying to do anything that does not seem authorized or doesn’t seem to appropriate? Are you monitoring that proactively and what they might be trying to do and understanding their techniques and their motivations? And [are you] really making sure that you’re able to respond if something negative happens or if an adversary is able to infiltrate the environment or be able to breach data or be able to infect with malware? How does the organization recover from that—from a business standpoint and not just a technical standpoint?
Tanya Ott: So, what can a company do to recover from an attack or just an accident with an Internet of Things device? Sean Peasley and Irfan Saif have plenty of ideas … and you’ll find them in their article Safeguarding the Internet of Things: Being secure, vigilant and resilient in the connected age. You can find it at dupress.com.
I’m Tanya Ott for the PressRoom, a production of Deloitte University Press. We post new podcasts every other Monday. Be sure you subscribe so you don’t miss a single one. We’re covering some really interesting issues—including 3D printing … It’s more than just personal bobble heads and toys.
[callback to previous episode]
Kelly Marchese: We’re seeing the most interested industries are those that require highly customized parts. So you think about the health care industry—hearing aids or braces or even hip joints. It can open up all kinds of doors to new businesses.
You’ll find that interview in our archive at dupress.com. Tell your friends about us and tell us what you think. You can leave a comment on the podcast page. You can email us at firstname.lastname@example.org. And if you’re on Twitter you can tweet us @du_press. Thanks for listening and catch you next time.
This podcast is provided by Deloitte LLP and its subsidiaries and is intended to provide general information only. This podcast is not intended to constitute advice or services of any kind. For additional information about Deloitte LLP and its subsidiaries, go to Deloitte.com/about.