One of Britain’s big utilities firms have begun a venture into the Internet of Things (IoT). But how do devices powered by IoT benefit businesses, and how risky are they to their security?
‘To address IoT security, we need to take a bigger picture view – we can’t only be looking at vulnerabilities, but we also have to catch the threats when they do get in. Artificial intelligence is being used now to find IoT hacks and respond to them before they cause damage’
Energy consultancy company Utilitywise, in collaboration with Vodafone and Dell, are set to launch a platform that will allow businesses to monitor energy usage within various areas from one single hub.
What has been described by Utilitywise managing director Brin Sheridan as “a ground-breaking technology”, it will display any lighting, heating and other types of energy wastage, which could lower the using business’s carbon footprint as well as the amount of money they spend on energy bills.
“By giving business owners and building managers unprecedented insight into how their businesses are using energy, they can make truly-informed decisions about how to reduce their utility bills,” Sheridan added.
“Utilitywise’s intelligent building controls solution has the potential to produce huge savings for customers, freeing up cash to be invested elsewhere.”
The Tyneside-based energy consultancy firm, formed in 2006, will take charge of the analytics department of the platform, while partners Vodafone will implement the software’s connectivity and Dell’s operation technology will be in place.
“With this unique combination we have the ability to reduce energy consumption bills for thousands of UK businesses,” said Dell’s EMC OEM solutions vice president Dermot O’Connell.
Vodafone and Utilitywise’s marketing teams will join forces to reveal the platform to the public.
This development marks one of numerous waves being made in the IoT market by businesses as the phenomenon starts to go beyond home and personal use.
But while going down the IoT route may be environmentally and economically efficient, there is always a risk that automated technologies could come under cyber attacks, according to Principal Business Resilience Consultant at Sungard Availability Services, Tom Holloway.
“Increasing automation, data-rich production cycles and complex global supply chains make the manufacturing industry particularly vulnerable to disruption, specifically from cyber threats,” Holloway said.
“The BBC put the cost of the NotPetya ransomware attack to businesses at $1.2BN, not an improbable figure when you consider that a stoppage in a complex car manufacturing plant can cost £10,000s per minute.”
The Sungard consultant went on to refer to WLAN-reliant radio data terminals, RFID tags and sensor-embedded automation controls as areas of systems as the most vulnerable to ransomware, malware and theft.
IoT devices being added to company networks has been proven to potentially expose company software to attacks. According to a study by Infoblox, 35% of participating companies based in the US, UK and Germany declared that over 5000 devices were connected to their network per day.
These devices, shown to be commonly made up of fitness trackers (49%), digital assistants such as Alexa and Google Home (47%) and Smart TVs (46%) among others, have been found to be easily detected by search engines such as Shodan.
Furthermore, 5,966 detectable cameras were found to be implemented within business headquarters throughout the UK, while 2,346 detectable Smart TVs in Germany and 1,571 devices in the US with Google Home installed were discovered in March 2018 alone.
Preparation, Proritisation and Protection
For Sungard Principal Business Resilience Consultant Tom Holloway, preparation is key to trying to preserve as much company data as possible if the network gets attacked.
“Preparation will help leadership teams manage a crisis when it happens. It’s not just your systems and data that you need to consider protecting, but also those of your suppliers, who in turn may be reliant on your data, and as you can’t protect everything, you must be ready to recover your data and systems whenever necessary.”
“Whilst you are considering the implications of all this, don’t lose sight of the impact of a data breach and the consequent damage of losing a client’s personal information – GDPR is barely 3 months from being in place and losing sensitive data could have serious repercussions on your business.”
In addition to what businesses must do to protect their IoT devices, EMEA director of cyber security firm Neustar Anthony Chadd said that prioritisation is paramount.
“In order to avoid becoming a target, business must be proactive in their approach and make it a priority to safeguard all IoT based systems,” Chadd stated. “To achieve this requires a clear understanding of what data needs safeguarding, and the levels of security that need to be put in place.”
“In order to achieve this, businesses must build out an organised and cohesive security strategy. This way they can successfully focus in on their more vulnerable data, processes and models – protecting valuable information from any and all IoT attacks moving forward.”
“On a more granular level, businesses must ensure the appropriate controls are in place for threat vulnerability and patch management while also ensuring that important data is identified and encrypted.”
>See also: 5 steps to better vulnerability management
Furthermore, Matthew Dunkley, representative for software licensing and security company Flexera recommends implementing a long-term plan complete with various security mechanisms early on to tackle insecurities.
“Devices are deployed in diverse environments and can be in use for many years,” explained Dunkley.
“In the manufacturing industry for example, devices are often being used for more than 20 years or even longer.”
“IoT device manufacturers will have to have a long-term strategy in place to protect and update these devices for a lifecycle duration that so far has been unknown to the regular IT/Internet security.”
In terms of what various mechanisms need to be put in place, Dunkley mentioned four methods:
“In the development phase, scanning and tracking for OSS and third-party applications need to be implemented to manage related software vulnerabilities. Application code should also be protected against binary tampering.”
“Secure and mature licensing technologies should be applied to ensure only eligible users can access the applications and compliance can be controlled.”
“Hacking is always a threat and possibility. IoT producers need to make sure they are notified immediately if a hack happens, and they should be able to react quickly and effectively.”
“The roll-out of patches and updates to the field needs to be automated and required detailed knowledge on what devices are using which software in which version to be effective.”
While companies try their hardest to eradicate vulnerabilities within IoT software, compromises to IoT security are part and parcel of the implementation, according to Andrew Tsonchev, Director of Technology at Darktrace Industrial.
“There’s only so much users can do to mitigate IoT vulnerabilities, and while manufacturers can make improvements, users should assume that their IoT devices are vulnerable to attack,” Tsonchev stated.
“These security flaws are so common because there is such a rush to get these products to the market as quickly and cheaply as possible.”
“To address IoT security, we need to take a bigger picture view – we can’t only be looking at vulnerabilities, but we also have to catch the threats when they do get in. Artificial intelligence is being used now to find IoT hacks and respond to them before they cause damage.”
“At Darktrace we find IoT compromises on a regular basis, from infected video conferencing devices in law firm board rooms, to fish tanks that have been hacked and are being used to exfiltrate data. This is because our technology analyzes all devices on a network, whether they are traditional laptops and data servers, industrial machinery, or IoT devices.”
With cyber attacks displaying a capability to go beyond phones, computers and other traditionally electronic devices within businesses, this may give Utilitywise’s plan to implement energy meters with built-in IoT plenty of food for thought when it comes to its protection from cyber attacks.