We know about the myriad of possibilities the Internet of Things (IoT) promises enterprises: lower operational expenses, generation of new revenue streams and providing customer experiences. Various analysts and research firms have been predicting the rise in connected device numbers for some time now. In their recent report, IDC predicted that the number of “IoT endpoints” (connected devices such as cars, refrigerators and everything in between) will grow from 10.3 billion in 2014 to more than 29.5 billion in 2020, generating trillions of dollars in new revenue by 2025.
The Need For Security
Anyone in IoT consulting and selling would appreciate that security is one of the initial concerns of customers. However, surprisingly, the IoT ecosystem is still too nascent to address this important aspect at its core. In one of its whitepapers, “Insecurity in the Internet of Things,” Symantec notes that about 19% of all tested mobile apps controlling “Connected Home Devices” do not use SSL. None of the devices provided mutual authentication between client and server, with some devices providing no provision for strong password enforcement. Some cloud interfaces did not support two factor authentication. For systems providing online firmware updates, most of them did not provide updates as signed. This indeed is scary.
One reason why security is still not core to the IoT solutions could be the fact that so far it has been confined to individual pieces. Device manufacturers secure devices, IT systems secure software systems and infrastructures and connectivity providers secure their networks. IoT by its nature, disrupts this model, by connecting all of these systems, platforms, devices, etc.
If IoT security continues on its current path, the consequences are harrowing. One area of concern is the lack of differentiation in the way IT vendors and manufacturers of smart products manage IoT use cases and IT technology assets.
There is a vast difference between devices and sensors meant for IoT use cases (temperature sensors, vehicle on board units, gas valves, and thermostats) and IT technology assets (servers, PCs, tablets, and phones).
IT assets are designed to run in controlled environments, they have more processing capability, and are designed to be managed by people (in some cases partially). However, by nature, IoT assets are built for autonomy, working in uncontrolled, unobserved, and remote environments. In most scenarios, they either control a physical asset or report a fact. Hence we need to realize the important differences in the kinds of interaction these two enable. A security breach in a connected world could inflict physical harm, damage to assets, prolonged or permanent downtime of assets and infrastructure, and privacy and data breaches. A compromised connected pump in a closed pit mine could flood and cause loss of lives. A jeopardized traffic light system could lead to accidents. An insecure remote health monitoring system could lead to wrong diagnosis. The potentials are frightening.
The Future of IoT Security
IoT solution designers need to move out of the current bolt-on security approach towards one that is inclusive, where security is the main driver at time of design and is built into each component forming the IoT value chain. This should cover devices, software running on devices, communication and network, cloud, interfaces, physical security, people, data, and applications.
Optimally, an inclusive security approach should govern the design of IoT solutions:
- Security should be the primary, core principle when designing anything. If there is a possibility that security cannot be implemented and the solution is veering towards a mitigation or shortcut approach, then either re-engineer or do not implement.
- Devices and Assets should be treated like users. Each device should have an associated identity. Authorization and authentication should align with that identity, just as it would for an individual.
- Ideally, devices should have outbound connectivity, which would also cover bi-directional communication. This kind of connectivity would restrict devices from acting as servers.
- Each individual component in IoT systems (hardware and software) should be built to very clearly understand what to trust and what not to trust.
- The system – everything including devices, communication, and software – should be able to identify anomalies (deviations from normal behavior) and alert automatically.
- Architecture should follow a container-based approach, defining what each container has access to and can do.
- Advanced backend analytics should be built to correlate data from all systems and detect stealthier threats.
- The security responsibility should not be left to the default security provided – for example, security available at the link layer. An application layer security mechanism should be employed – encryption, authentication, authorization, etc.
IoT needs security that addresses its unique requirements and concerns. How many of us would want to live with insecure devices in our homes, businesses or cars?
As IoT becomes more and more part of our daily lives, security remains an urgent call.