IoT systems affect businesses without user-centric privacy management systems.
User privacy concerns are among the key obstacles to the widespread adoption of connected Internet of Things (IoT) devices. Smart gadgets offer incredible value creation and capture opportunities, but their vulnerabilities might cause catastrophic disruptions, ranging from privacy breaches to breakdowns of public ecosystems. In this article, we assess the risks of IoT adoption and consider privacy management standards, approaches, and paradigms.
THE SCOPE OF IOT SECURITY VULNERABILITIES
According to a report by Deloitte, among the 49 countries that possess a defense budget of over $1bn and keep exposed IoT systems found online, Slovakia, Lithuania, Estonia, Latvia, and Czech Republic are the TOP-5 most-exposed countries based on IoT targets per unit of GDP. Their quick adoption of IoT systems without proper security measures might cause significant economic damage to individual businesses, entire industries, and national economy as a whole. The USA is lower on the list of the most vulnerable states despite the largest number of exposed IoT systems located, as its economy is more diverse and stable in the face of a potential attack.
China, Iran, and Russian Federation are less vulnerable to IoT attacks, possibly because of lower adoption or the ongoing development of statewide cyber-security systems. Japan is one of the most secure economies, despite the widespread adoption of industrial and household automation. This may be the result of the Japanese approach to developing custom software instead of adopting available solutions as well as security-conscious design and implementation of IoT systems.
IOT: TARGETED AND WEAPONIZED
IoT systems can be both a weapon and a target of malicious attacks. Millions of unsecured devices have been infected with Botnet technology and participated in Distributed Denial of Service (DDoS) attacks. Krebs On Security, Dyn and other companies fell victim to attacks that did not require big budgets and sophisticated technology due to IoT devices’ vulnerability.
Targeting IoT systems is another serious security concern. Three major categories of IoT systems with huge potential for economic and public safety repercussions include:
-Industrial infrastructure. Switches, valves, CNC and production environment controls are at risk. Tampering with any of the exposed industrial systems may lead to asset damage, lost production, equipment malfunctions, and accidents.
-Communications infrastructure. VoIP systems and routers are the most vulnerable among communication IoT devices. Physical damage of the networks, large-scale losses of communication and panic among the population are all high-impact risks.
-Building infrastructure. Power, security, elevators, and environmental controls are commonly exposed systems. Their vulnerabilities can cause physical damage to the systems and buildings, denial of service and panic among the tenants.
Other emerging IoT targets include traffic control and autonomous driving systems, as well as critical objects of national infrastructure, like nuclear power plants or major telecommunication switches. Although their security is usually better, they still present alluring targets for cyberterrorists.
IOT IDENTITY MANAGEMENT AND PRIVACY SECURITY STANDARDS
The US and the EU countries focus their security efforts on critical infrastructure and military targets, leaving the protection of privately owned systems to their operators and owners. However, this approach leaves a window of opportunity for malicious cyber attacks as the adoption of IoT systems spreads across public, commercial, and industrial sectors. Foreseeing the economic, financial, and psychological impact of IoT vulnerabilities, the international community has been working on standards for security techniques to protect user identity and privacy.
The breaches in data security cause loss of personally identifiable information that affects organizations and individuals. Identity theft, legal liability, recovery costs, and reputation risks are among the common consequences of security breaches in IoT and other sectors.
ISO/IEC 29100 is designed for organizations that develop, operate or maintain systems handling personally identifiable information. The privacy framework outlined by the standard enables businesses to identify security terminology, define critical roles engaged in personal data processing, describe privacy security considerations and reference common privacy principle used for IT.
According to the ISO/IEC 29100 Privacy Framework, users, subscribers and data owners take on the role of personal information providers, while application owners and operators act as PI receivers. User-centric privacy security framework is established if PI receivers employ privacy safeguarding controls to meet the PI providers’ privacy preferences at all stages of information handling, from collection and storage to usage, transfer, and deleting.
This standard provides guidance for identity information management. While the first part outlines terminology and concepts, the second one defines reference architecture and requirements, and the third part suggests practical implementation of an identity management system. The practices address identity related risk when acquiring, processing, storing, transferring and using personally identifiable information.
According to the ISO/IEC 24760, application owners should manage the risk of identity errors, and ensure the confidentiality, integrity, and availability of identity information they store, process, and communicate. The standard also suggests the use of identifiers. They allow businesses to distinguish entities and facilitate their representation in some situations, e.g. hiding the entity’s identity when providing identity information for use.
PRIVACY BY DESIGN IN IOT
Existing international standards and regulations concerning privacy and protection of personal data leave multiple consumer issues unanswered. While ISO Consumer Policy Committee (COPOLCO) is working on standards for identity management and privacy technologies, researchers and IoT pioneers rely on the principles of Privacy by Design (PbD).
BALANCING PRIVACY RISKS AND BENEFITS
Studies conducted for the World Economic Forum demonstrate that data owners (IoT users) are willing to release personal information to data consumers for sufficient benefits. However, to make a pragmatic decision, users should realize the risks associated with sharing private data. Additionally, users should be able to change their privacy preferences according to context.
Privacy risks awareness implies that:
-Data sensitivity can be direct or indirect. While power consumption is not sensitive on its own, frequent measurements allow data consumers to infer sensitive data, including the use of specific devices, presence or absence, behavior patterns and more.
-Trust in data consumer depends on the data consumer’s reputation and interaction history. State-owned companies might be more trustworthy than private businesses.
-Data leakage reflects the accuracy of the personal data shared and often depends on the sampling frequency. Increased sample frequency boosts the confidence degree of the inferences made by data consumers based on the IoT data.
Data providers can expect physical, financial or psychological benefits of sharing personal information. Common examples of data sharing benefits include reduced rates, lower consumption, feelings of self-satisfaction and confidence.
PRIVACY BY DESIGN DEVELOPMENT PRINCIPLES
Researchers of the Privacy and Big Data Institute, Ryerson University, outlined IoT security concepts based on 7 basic Privacy by Design principles. They are recommended for IoT devices’ designers, developers, testers, and operators.
1. Anticipate and eliminate opportunities for abuse. Only IoT users can approve their personal information gathering, processing, and sharing. In user-centric development cycle privacy abuse potential is accessed and eliminated at every stage.
2. Configure privacy by default. To foster consumer trust and benefit from a public perception gap that favors reliable technologies, businesses design intrinsic privacy before adding information management capabilities.
3. Embed integrity into design. Layering privacy security at all levels of IoT design is becoming an industry standard, making application designers and developers introduce security features from the bottom-up.
4. Fuse optimized experiences to full functionality. Forward-thinking companies do not make customers choose between privacy and full functionality. Instead, they maximize user experience while protecting user interests and rights.
5. Clarify and simplify for protective design. Complexity reduces usability of privacy security measures. To support full lifecycle protection, developers adopt privacy best practices and introduce simple but overlapping security measures.
6. Control monitoring and awareness. Fear, uncertainty, and doubt among users can be overcome by introducing customers to the implemented transparent and protective measures.
7. Include users as stakeholders, not victims. Building trust with consumers starts with treating them as stakeholders, whose primary needs are privacy and safety.
SECURE. VIGILANT. RESILIENT MODEL
Deloitte considers IoT privacy through a Secure. Vigilant. Resilient paradigm. To establish a secure information management system, experts focus on three aspects of privacy security.
1. Software, hardware, and data must be secured at all levels of development and operation, at all stages of the lifecycle. Without proper safety measures, IoT device breaches might transform from a privacy theft to a threat to life.
2. Companies must stay vigilant when dealing with connected devices and collected data, as both software and hardware is prone to aging and deterioration. Moreover, the attack approaches evolve and utilize weaknesses of which IoT developers are not aware.
3. To quickly detect the breach, eliminate the threat, and stop the spread, companies must have security protocols and procedures in place. They help limit the damage done to the systems and the business reputation as well as reestablish normal operations.
Apart from generating value, IoT systems can cause significant losses for businesses that do not establish user-centric privacy management systems. Following international standards and relying on Privacy by Design principles are essential to fostering customer trust and promoting wider adoption of smart connected devices. Disruptive companies ensure privacy considerations lay at the foundation of every piece of IoT software and hardware and maintain the best security practices throughout the system’s lifecycle.