In an increasingly interconnected digital world, the Internet of Things (IoT) continues growing exponentially: a recent estimate suggests that 127 devices are added to the internet every second. We’re seeing huge improvements in efficiencies and convenience through things like networked ticketing systems for public transport improving commute times, smart bins that notify when they need to be collected, and CCTV camera solutions to help minimise crime.
This increased convenience and connectivity has made it easier to collect data on movements, habits, and patterns on a scale not seen before, triggering one of the biggest concerns cited in the reluctance to adopt IoT; privacy.
The Difference Between Security and Privacy
Erroneously often used interchangeably, ‘data privacy’ and ‘security’ are different things. Certainly they overlap, and many of the uses, threats, and protections instituted to protect one often safeguard the other too.
Data generated by IoT (like OT) falls into two categories; ‘at rest’ or ‘in transit’. These classifications are fairly straightforward; if it’s being stored it’s ‘at rest’ and if currently being used, ‘in transit’. So sitting on a drive versus being transmitted across a network – including the internet – as a coarse description. While a gross simplification, organisations will typically be involved with the ‘at rest’ elements of data as it’s stored in their cloud instances or own servers. The user data is ‘in transit’ while being generated, or being shuffled across the corporate network in the case of big data, and at rest when being stored on a platter in a data centre.
The nuanced difference between ‘privacy’ and ‘security’ comes down to what data is being protected, how it is being protected, who is responsible for that protection, and who is not responsible for it. Ultimately, ‘security’ is about stopping data being accessed by threat actors, and privacy about ensuring that data is (judiciously) only accessible when required and importantly, inaccessible without justification. For example, it’s of little use to break through network security measures to exfiltrate data that is properly encrypted. That is, in this instance, security was compromised, privacy was not.
Regulations for Data Privacy
There’s immense anxiety about data security and hackers gaining access to a company’s systems, but less frequently is there outcry with regard to data privacy unless a direct cause and effect is demonstrated and/or viscerally sensitive information is involved, like medical or financial data. This is often due to the conflation mentioned between the two terms, ‘privacy’ and ‘security’ previously mentioned. This has, however, been changing over the past few years with the introduction of new (or heavily amended) regulations drawing attention, and hence improving fidelity, as industries are compelled to understand. Most notably of these is the ‘GDPR’, or General Data Protection Regulation for the European Union – an acronym that strikes dread into many in the fields responsible for managing data – created to enhance protections for Personally Identifiable Information (PII). This regulation became active in May 2018, and isn’t isolated; other regulations around the globe like the California Consumer Privacy Act (CCPA) or the digitally-driven amendments to the analogue-era of Australia’s ‘Privacy Act’ and ‘Japan’s Act on the Protection of Personal Information’ came into effect shortly afterwards, demonstrating a trend towards the protection of private data in an ubiquitously digital world.
While all these regulations are primarily aimed at addressing data privacy through the lens of the individual, the overwhelming volume of data held by businesses collectively is that of Personally Identifiable Information – that of their customers. While IoT being used by a business may introduce a vector for attacks, the IoT-generated data (it being depersonalised) isn’t in and of itself, a risk to the business in the context of falling afoul of these regulations. The data captured from IoT devices used by consumers, however, is a very different matter.
In terms of the degree of consequence, theft of company intellectual property – its ‘personal’ data – may be a primary concern for businesses, the data being generated by its IoT devices is of little consequence. Things like the RPM of a robotic arm gyro isn’t something you’d necessarily want to release to hackers, but the geolocation habits of a person based on the sensors in their smartwatch has more obvious, and statistically more likely nefarious, implications. That’s why industrial espionage has been covered by the legal system for eons, but the irresponsible storage or use of PII is a relatively new phenomenon, largely because of the meteoric rise in volume and inescapable universality of user data capture by organisations.
We’ve also seen the power of ‘AI’ when combined with user data with public scandals like Cambridge Analytica. Though not related to IoT, the same principles of the importance of privacy apply; where seemingly inconsequential data points are wedded together to provide insights whose whole is much greater than the sum of its proverbial parts. Not only was this incident a catalyst for the introduction of regulations, it also forced consumers and businesses alike to look inwards at their own data privacy.
The Risk of IoT Privacy for Businesses
With IoT expanding at a rapid rate (75 billion devices are predicted to be online by 2025), the need to properly secure in-business assets has grown in tandem. For decades now, cybersecurity has been an acknowledged topic by organisations, and as companies prepare for the future, addressing the privacy of data assets must also be a priority, including those generated by IoT.
The rapid proliferation of IoT devices requires large-scale protective measures to identify and avoid hacks, breaches, and similar anomalous behaviours. With cybercrime on the rise, even the most security aware have proven vulnerable, and businesses that cannot effectively address IoT privacy are in danger of failing to meet privacy regulations, but also fall short of the emerging expectations from their customers.
The Secondary Order in IoT Privacy
The vast majority of data in the world today, roughly 90%, was created in the last 5 years, and a significant, and growing share of this, generated by IoT. When dealing with so much data, so many interoperable devices, and their uses and functions so innumerable, there’s little chance of understanding the total array of implications. We’re looking at a sea of Second Order Effects, meaning the full connotations of an action – in this instance by a myriad of IoT devices – aren’t easily calculated.
The implications of data leaks, or really any compromise in data privacy, are compounded by the rise of Artificial Intelligence (AI). Technologies that falls under this umbrella like Machine Learning (ML) mean that through amplified means, more can be done with fewer data points. Whilst it make take a human days, weeks, months to do the research and draw some correlation, AI can potentially do it in near real-time. Exacerbating this, AI systems are closely guarded, so the use of PII or the like, is often inexplicable as it’s hidden from observation.
Our solution at CyAmast uses ‘Federated Learning’ which means that data is processed inside your network, and the insights alone are collected, collated, and used to enhance the solution in something akin to an evolution or education as new insights are learnt. With our method, no sensitive information leaves your premises, yet all the benefits are still reaped.
IoT Monitoring, Access, and Management
IoT is a comparatively recent development that can often prove challenging to more traditional IT security mechanisms. The fundamental steps that need to be taken to guard privacy in an IoT context are for data to remain encrypted whether in transit or at rest, and the necessary packet inspection of traditional security approaches break that encryption.
Furthermore, differences in specific kinds of IoT devices may require different approaches to access them. Sectors such as healthcare, aeronautics, and civic infrastructure each have their own types of devices, and without transparency, a traditional IT team might not even be able to ascertain whether a black box product has IoT capabilities or not, so can’t readily see if a device is ‘calling home’. That can lead to gaps in monitoring, limits to device functionality, as well as a limited ability to identify and manage any potential problems. Compounding the problem is the rapid advancement of new technology with improved versions of IoT devices replacing older ones that have outlived their functionality. Attaining uniform IoT monitoring over the entire lifecycle of an IoT device is challenging in the extreme, and because they interact with the physical world differently, standing organisations may lack the expertise to properly address complex issues of privacy and security.
These issues can be resolved with a comprehensive foundational approach, designed to not only address the current IoT management and security needs of a given business, but also adapt to the inevitable changes in their industry and working environment in the future. That requires a partner with in-depth knowledge of IoT privacy and security issues who can apply that expertise to specific industries in a way that matches each company’s unique needs.
The introduction of M.U.D. or Manufacturer Usage Description, (along with less well evolved standards) means that the certified/assessed devices must fall inside a specified set of behaviours. While this means that a lot of the mystery, and therefore risk, evaporates from IoT implementations, non-adherent devices, including older ones, don’t comply. This is where CyAmast are able to help. Regardless of whether the MUD Profile is accessible, or whether it even exists, our solution ‘learns’ the behaviours of devices and automatically creates policies based on their expected and allowed patterns of behaviour.
So while IoT privacy may ultimately be a matter of consumer impact, we must acknowledge that the data generated by IoT devices produced, monitored and maintained by manufacturers means they have a unique duty of care – a new paradigm in the ownership of products. In the absence of that duty, CyAmast shoulders that burden, and not only ensures that the corporate network stays more secure, but that IoT won’t be responsible for privacy issues either.