Digitization means that increasing numbers of once standalone objects and devices are now interconnected.
We talk to Ferri Abolhassan, Director of T-Systems and Head of the IT Division and Telekom Security, about how to protect the Internet of Things (IoT) against cyber attacks.
There's a lot of talk about Industry 4.0 and the Internet of Things, or IoT for short. In a nutshell, it's about connecting up production and control components in industry to the Net. What challenges does the Internet of Things pose to security?
Ferri Abolhassan: I believe there are two major challenges. The first stems from the sheer volume of things that are connected with one another. Experts currently estimate that some 6.4 billion things are connected to the Internet worldwide. By 2020, this figure is expected to rise to 25 billion. Less conservative estimates even put it at around 50 billion. So it's clear from this figure alone that the Internet of Things is theoretically opening up the network to attacks by cyber criminals on a huge scale.
The second challenge has to do with the connected things themselves. A lot of what is or will be linked up to the Net was never conceived for this purpose. Take production machines, for example. They often run on completely outdated systems and are riddled with vulnerabilities. But even new connectable technologies have no inbuilt security. How would you go about protecting your smart refrigerator?
What would even happen if my refrigerator is hacked? I don't care who knows what's in there!
Ferri Abolhassan: That is a very narrow perception of the dangers. As soon as a fridge has an IP address and is online, it risks being hacked by criminals and used remotely as a bot, for example. So the fridge might be manipulated into helping send infected spam e-mails or extorting money from businesses using what are known as denial-of-service attacks. These threaten to shut down a company's website by overloading it with traffic if they fail to pay up. And your fridge plays along.
So don't operators protect the networked infrastructures or individual devices?
Ferri Abolhassan: The point is that most people don't even realize anything needs protecting. The first step is to develop an awareness of the challenges involved. A lot of companies have as yet failed to read the signs of the times and are simply not ready for the connected world. And, in most cases, consumers are no different. However, setting up a basic level of protection is not rocket science.
How can connected devices be protected – old and new?
Ferri Abolhassan: With new devices, due attention must be given to security right from the start, so they need to be developed with security in mind. At Deutsche Telekom, we use a privacy and security assessment process that incorporates data privacy and data security considerations into the product development phase from the word go.
Once a system is up and running, there are various aspects to consider:
- Be aware of what is connected: Knowing exactly which devices are connected and how is essential to keeping them better protected and monitored.
- Don't think every last thing has to be connected: Be economical: Not everything that can be connected must be connected. Only link up what is useful.
- Keep data communication down to the essentials: So devices on the network will only communicate under specific, predefined circumstances. For example, a device with no e-mail function must not necessarily support this service, which can be provided directly in a kind of firewall in the unit itself.
- Separate critical systems from non-critical systems: For example, don't connect industrial plant controllers to office communication networks. This rules out the possibility of an access gateway being opened.
- Create logical areas: Set up logical sub-divisions within the overall system to keep damage down to a minimum in the event of a successful attack.
- Use penetration tests: Check vulnerability beforehand to help prevent attacks before they happen.
- Keep software up to date: If all systems were updated on time worldwide, 95 percent of attacks could be prevented. So it is absolutely essential that updates are carried out without delay to avoid being an open target for attackers.
- Encrypt connections between things: Encrypt communication to stop information from being intercepted en route.
- Use certificates to verify the identity of all things: This ensures that only authorized individuals can access exactly the devices that need accessing, and that all communication partners are really who they say they are.
- Use strong partners: Seek expert assistance in case of uncertainty and have an end-to-end protection concept drawn up by a company such as Deutsche Telekom.