We are used to devices communicating with each other. Digital devices and assistants turn on the radio on command, we turn on our lights with our smartphone, and the printer orders new toner on its own. All this makes security solutions for data traffic in IoT all the more important.
With digital assistance systems such as Siri, Alexa and Google Home, networking penetrates deeply into the private sphere of users. IoT also involves risks for companies that can ultimately be much more serious than in the private sector. Sensitive data must be shared with service providers - so how do you keep control? Operational processes must not be interrupted, or it will not only cost a lot of money, but trust as well. In some extreme cases, the existence of the company is at stake. Above all, this applies to industry and IIoT.
A sophisticated sense of security is still the big exception with IoT components. This problem is not specific to IoT in the course of technological development. The life-saving, omnipresent airbag was only developed when the car had reached a certain degree of maturity and you could rely on the car to drive at all. Nevertheless, mistakes have fatal consequences even and especially at this stage of maturity. The early history of technology is full of catastrophes. But we were in an analog world then. An IT disaster can be far more serious in these networked times.
In the case of the Internet of Things, there is a very fundamental problem: IoT unites two previously separate spheres: fast-moving IT on the one hand and classic devices and industry with "things" in the broadest sense. Over the last decades, fundamentally different processes have taken place in both spheres. A six-year-old laptop or a four-year-old iPhone are regarded in IT as old models that need to be replaced as quickly as possible. Industrial components, on the other hand, sometimes last twenty or even twenty-five years. For example, the communication system installed in an IoT-controlled turbine is outdated long before the IT system itself needs to be replaced, and it is questionable whether patches are released during the entirety of its operational lifespan. And no one can guarantee that the encryption algorithm that is implemented in an IoT-controlled machine today will still be secure in 10 or 20 years' time. Rather, it can be assumed that the basic principles of IoT security will have changed by then.
So how to deal with this paradoxical situation? Are modularly expandable devices that connect the world of IT with the classical industry perhaps the most attractive solution?
But the problems do not stop there; they also include human dynamics: The employees involved in the installation, maintenance and control of IoT systems in industrial and commercial environments are generally not IT experts. In the event of malfunctions, it is only natural for them to take care of their particular technology: If an industrial plant fails, the technician searches for a defect based on his training and experience and does not suspect a web attack on the plant. When the power fails in a large company, no building manager thinks of a potential attack by hackers. So where to begin? How can the relevant employees be comprehensively trained? Do you take classic industrial training courses and add IT content to them? Or do you take IT experts and sysadmins and train them beforehand according to the requirements of the industry?
It is not difficult to imagine such damage or horror scenarios, especially since IoT is also establishing itself in critical infrastructures, for example in the health sector or in electricity and water supply. Almost a third of all machines in the industry are now "smart", and it can be assumed that "smart" also includes the ability to communicate. But this must not stop at the machinery. Human awareness must remain on a par with the capabilities of machines in order to properly assess safety risks.
IoT connects technical (production) systems - sometimes also work pieces or even raw materials - to the web via standardized communication interfaces; this opens up the possibility of monitoring and control; not only for authorized users, but basically also for others. These can either collect information about the respective systems, or they can take over the control of the systems concerned and, for example, trigger malfunctions. The whole thing can be thought out further in threat scenarios such as a war of industries, where hackers are becoming a successful instrument against unwanted competitors.
Many questions, but few answers, because it is difficult to move in this very hypothetical field and to convince with practicable proposals. This is because there is often no empirical test area yet.
Do you have experience with IoT, IoT security, or IoT in the context of industry (IIoT). Then we would be pleased to read your comments and ideas.