SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Expert opinion: How secure is the ‘I’ in ‘IoT’?
Wed, 22nd Nov 2017

There's a lot of talk these days about the Internet of things (IoT). But what's often overlooked is that the IoT is also an Internet of shared services and shared data. And this simple fact is quickly becoming one of the biggest hurdles for companies looking to integrate their businesses with the IoT.

Specifically, the public nature of the Internet is causing business and government leaders alike to confront a profound challenge. The global ransomware attacks this year that have crippled infrastructure and businesses across Europe have highlighted the systemic vulnerability of the public Internet. And as both the number of connected devices and data traffic volumes continue to grow, so too does the level of damage and disruption that a cyberattack can inflict upon this open network.

Clearly, today's IoT-oriented businesses must begin to develop a full-scale strategy for moving their vital business operations to a global, private, isolated network. Let's take a closer look at the reasons why.

The IoT's Looming Challenge

Cisco's Visual Networking Index (VNI) forecast predicts that global IP traffic will increase three-fold, reaching an annual run rate of 3.3 zettabytes by 2021. In fact, for the first time in the 12 years of the VNI forecast, M2M connections that support IoT applications are predicted to make up more than half of the world's total 27.1 billion devices and connections. Together, they'll account for five percent of all global IP traffic by 2021.

But while the number of connections continues to multiply exponentially and involve more and more partners, businesses remain vulnerable at the weakest link in the system – their connectivity.

The genius of the public Internet is that despite how we use it today, it was never designed to be a secure or trusted environment. It was conceived as a network for academics and researchers to exchange data, and it works as more of a best-endeavours network than a best-of-breed one.

For this reason, companies that want to conduct business, transfer data, monitor equipment and control operations globally – with certainty, security and privacy – should not be relying on public Internet connectivity. The sheer number of access points and endpoints creates an attack surface that is simply too wide to protect, and it calls into serious question whether the public Internet is up to the challenge of supporting the IoT. Instead, it's time to take a step back and look for something different.

A New Network Model

One of the most effective solutions to the public Internet's openness lies in the integration of global, private, isolated networks. These networks ensure complete separation from the public Internet, total control over who accesses the network and how, and maximum flexibility to build and optimise partnership connections. And, tellingly, these networks have been able to continue to operate throughout the high-profile cyberattacks that have made the headlines over the past year.

Networks, by design, rely on two-way communications. Given the sensitivity and importance of the data involved, companies need these networks to be always available, always bandwidth-capable, and always secure.

At the same time, business-critical networks need to be connected using communication links that strictly control the identity and rights of the people, applications, and devices accessing them. And while they need to be private for security reasons, in many cases they also need to be open and transparent for regulatory reasons.

Consequently, the private-network model has emerged as one of the most viable for the emerging IoT world.

PSD2 and More

A critical example of the need for this model is the new Second Payment Services Directive (PSD2) regulations coming into effect in Europe.

PSD2 will require a new level of collaboration and security between banks and their financial services partners. And, for the first time, it will allow bank customers to utilise third-party providers to manage their finances and help them with services like making payments and arranging money transfers.

Banks will be required to open access to customer data to a host of third-party companies, and at the same time ensure the security and privacy of customers' information. Again, this control cannot be guaranteed if those connections are coming over the public Internet, with its vulnerability to attack over such a wide surface.

So, with new regulations like PSD2 propelling the beginning of a new IoT era, businesses must begin to develop a full-scale strategy for securing their business operations on a private, isolated network.