The Internet of Things (IoT) is multiplying the risks of hacking attacks, as every network-connected device is a potential entry point. Peter Siwon, Business Development Manager at MicroConsult, and Michael Schnelle, Consultant at Mixed Mode, describe the biggest risks and explain protection strategies in this interview.
Do you think the danger posed by threats in the IoT is underestimated?
Peter Siwon: Unfortunately, people's subjective perception of risk often differs considerably from an objective assessment. Even with a high objective and statistically verifiable risk, such as in road traffic, we feel safe if we ourselves or our immediate surroundings have not yet been affected. This changes abruptly when we ourselves or people we know are affected (e.g., a traffic accident) or when disasters (e.g., terrorist attacks) attract significant media attention.
From this perspective, it can be assumed that subjective assessments are very often wrong in one direction or another. Therefore, it is important that we evaluate risks objectively using verifiable data, such as the number of intrusion attempts into a computer network per day, the number of potentially threatening emails, or statistical data from reputable sources.
Michael Schnelle: Given the experiences gained in the various projects we have undertaken so far, I must answer this question with a yes.
This is hardly surprising, as IT systems are generally becoming increasingly interconnected and complex. This is particularly pronounced in the IoT sector. The increased complexity makes it ever more difficult to develop secure software. Every system interface is a potential entry point for an attacker. Furthermore, the IoT often uses heterogeneous hardware components with heterogeneous software.
Each component must be considered separately. A small sensor needs to be secured differently than the managing gateway, which is also completely different from a client application.
What do you consider the worst threat?
Peter Siwon: As described above, humans tend to misjudge risks. This is compounded by their inclination towards convenience (not changing passwords, using the same password for multiple accounts, using overly simple passwords) and their aversion to regulations and rules.
Another threat is the blurring of lines between professional and private communication and system usage. For example, smartphones that are also used privately are sometimes used on company networks. Finally, it is simply a matter of ignorance, such as a lack of knowledge about manufacturer default settings that should be changed before a system goes online.
In short: The greatest risk is posed by people themselves. Another risk I see lies in the lack of effective processes and infrastructure that, in an emergency, ensure the functions of failed systems are taken over and the affected systems are quickly reinstalled. The greatest threat, however, is that these individual security vulnerabilities could cripple critical infrastructure such as central servers or other systems for an unacceptable amount of downtime or with an unacceptable frequency of failures.
Michael Schnelle: The question of the worst threat cannot be answered generally, as it depends heavily on the use case and the operating environment of a system. A threat is considered in terms of its exploitability and potential damage. This is also referred to as the potential risk of a threat. Even if exploiting a threat causes comparatively high damage, the risk can still be low if the threat is practically impossible to exploit.
On the other hand, the risk of a threat can also be high if the expected damage is low, but it is very easy to exploit. Threats that are very easy to exploit are usually also easy to protect against. A popular entry point in the IoT – and often underestimated – is the web interface of a gateway. This can usually be secured with minimal configuration and the use of proven, standard software.
How can one successfully defend oneself?
Peter Siwon: The most important thing is education, and not just once, but repeatedly (for the reasons mentioned above). There should be at least one competent person in the company who is able to objectively assess the risk and prepare the necessary and appropriate safety measures in a way that is easy for laypersons to understand and implement.
This person needs sufficient time to continuously engage with the topic, as internet security is an ongoing process. Ultimately, compliance with security measures should be regular and, ideally, automated. If such a person is unavailable, external support is advisable. This isn't new, except that the circle of systems and individuals affected by such threats has expanded exponentially due to the IoT.
Michael Schnelle: Security is a process that should ideally be an integral part of a project from the very beginning. Making a finished product or system secure is extremely difficult. Security aspects should be considered as early as the planning stage. Ideally, the developers also have an understanding of security and know what needs to be considered to develop secure systems. Threat and risk analyses can determine the optimal balance between the required level of security and the associated costs.
A system can rarely be made 100% secure, because as long as it interacts with the outside world, a residual risk remains. The goal is to minimize this risk as much as possible.
The MicroConsult seminars and workshops provide you with the necessary tools to develop and implement efficient solutions for protecting your systems.

