With new network security breaches announced every week, people now understand many of the risks associated with cybersecurity. Several years ago, Irfan Saif (@irfansaif), a principal with Deloitte & Touche LLP’s Cyber Risk Services practice, wrote, “Internet of Things initiatives demand targeted strategies to combat the influx of new cyber risks that will invariably accompany them.”[1] Saif’s assertion is as true today as it was back in 2015. He continues:
“What makes the Internet of Things (IoT) different from the traditional Internet? People, for starters. The IoT doesn’t rely on human intervention to function. With the IoT, sensors collect, communicate, analyze, and act on information, offering new ways for technology, media, and telecommunications (TMT) businesses to create value — whether that’s creating entirely new businesses and revenue streams or delivering a more efficient experience for consumers. But this also creates new opportunities for all of that information to be compromised. Not only is more data being shared through the IoT, among many more participants, but more sensitive data is being shared. As a result, the risks are exponentially greater.”
As Saif notes, the IoT is an ecosystem of sensors, connectivity, and analytics primarily dealing with machine-to-machine communications; but, those communications can involve data which, if compromised, can have serious consequences.
Why security is a big IoT challenge
Complexity always increases risk and IoT is very complex. Although the name — Internet of Things — conjures up the image of a single network, the IoT is actually a network of networks. Each of those myriad networks involves sensor manufacturers, network providers, and analytics platforms. Every single stakeholder involved in an IoT network must be secure or the entire network can be compromised. Although groups are working on standards for IoT components, today’s bits and pieces aren’t standardized. This is a problem because IoT devices are being rolled out at an ever-increasing pace. Edwin Lopez (@EdwinLopezT37) and Jennifer McKevitt (@mckvt) report a study by Mobile Experts concludes, “High demand could lead Internet of Things makers to triple production by 2022, shipping $70 million worth of devices in the next five years compared to $22 million today.”[2] That’s a lot of non-standardized equipment being woven into the economy’s fabric. Saif explains, “The broad range of connectable home devices — TVs, home thermostats, door locks, home alarms, smart home hubs, garage door openers, to name a few — creates myriad connection points for hackers to gain entry into IoT ecosystems, access customer information, or even penetrate manufacturers’ back-end systems.”
Mordechai Guri, chief science officer at Morphisec, is concerned by “the sheer scale of the attack surface.”[3] He notes, “The current estimate for IoT devices is 6.4 billion, and Gartner predicts they will reach an installed base of 21 billion units by 2020, others predict even higher. These devices are ever-connected and ever-susceptible, even when idle, and cybercriminals are taking full advantage.” He asks, “With a problem of such magnitude, why aren’t we doing a better job of protecting IoT devices?” From his perspective, the answer to that question is: “There are almost no in-device IoT security products. The current diversity of hardware, software and OSes poses a real challenge for developers of security products. IoT is a mixture of systems, composed of various types of CPUs and chipsets from different vendors.”
What can be done?
Addressing the IoT security problem is a huge challenge. Guri explains, “Most IoT devices are riddled with vulnerabilities but were not built with patching and updating in mind. Cameras, routers, printers, sensors — all have internal firmware, which usually works for years without an update. As a result, there are many IoT devices, with different versions of kernels, frameworks, web-servers and applications. And even if manufacturers could develop patches, the logistics of upgrading the software or firmware is extremely challenging. Apart from the difficulty in accessing devices, most do not have the memory and processing power needed to receive and perform the upgrade or patch. The online-update, instant-patch paradigm used in the modern OS is not yet feasible in the IoT world.” It will take decades to switch out this equipment with secure replacements. Nevertheless, we need to start thinking long term.
Saif explains, “Safeguarding the IoT is complicated by the scale and scope of data being generated and collected, not to mention that much of it is actually held or accessed by third parties. As a result, many leaders are implementing an umbrella-level cyber risk paradigm, raising standards for cyber risk at every level of the organization, enterprisewide, from pre-threat to post-event. That means preventing and anticipating IoT-related cyber threats before they take hold, monitoring and neutralizing threats already in play, and restoring normal operations as soon as possible when an organization is struck by a threat.” Peter Cochrane (@PeterCochrane), a consultant and former CTO of BT, insists we need to create an auto-immune system for the IoT. “Cyber security complexity and sophistication surpassed individual human and group capabilities a long time ago,” he writes, “and we have to look to automation and real-time reaction. For the IoT especially we need a system of defense that apes the immune systems found in nature. Although a good deal of research work in this arena is under way, I would suggest that any protection has to be holistic and deep, embracing every chip, card, shelf, rack, room, building, site, campus, network and device with automated attack detection, collaboration, and learning, with rapid global sharing of solutions (antidotes). Such an approach will automatically limit the depth, reach and damage of all forms of attack while realizing far greater levels of security.”[4]
Ofer Amitai (@portnox), Chief Executive Officer at Portnox, believes blockchain technology could help secure IoT ecosystems. He notes, “Due to their weak computing power, it’s challenging to authenticate IoT devices because their ‘bare bones’ architecture makes it difficult to track their activity over time. These vulnerabilities have caused the focus on IoT technology to shift from the benefits for improving efficiency and enriching data, to a deep-seated concern for their potential security risks.”[5] He explains how blockchain technology can help address this challenge:
“As opposed to the centralized, information-based model for managing access, blockchain is based on a distributed ledger of verified transactions that cannot be broken. It is a ‘permissionless’ and public system, but there are also ways to manage the blockchain in a way that is permissioned and private — suitable for IoT and other connected devices. In effect, a ‘permissioned and private’ blockchain could be used to safely on-board IoT and other connected devices, registering them in a private blockchain ledger. New devices attempting to access the network would have to be approved, and found to follow the same security policies to be verified and granted access to the chain — thereby eliminating the possibility for ‘zombie devices’ like the ones that carried out the Dyn DDoS attack. Through this model, IoT devices can communicate with like-IoT devices to determine if the ‘newbie’ is up to par on its security settings, making sure that it only has access to data that authorized IoT devices have permissions for, and that it isn’t siloing data or acting as a ‘thingbot’.”
Summary
Clearly, we have a long way to go to improve IoT security. New technologies, like blockchain can help, but standards are also required. As the number of IoT devices and networks grow, the importance of IoT security will also increase. Every stakeholder must do his or her part if IoT potential is to be realized in the decades ahead.
Footnotes
[1] Irfan Saif, “Cyber Risk in an IoT World,” The Wall Street Journal, 19 November 2015.
[2] Edwin Lopez and Jennifer McKevitt, “Report: IoT tech may triple in use by 2022,” Supply Chain Dive, 9 August 2017.
[3] Mordechai Guri, “Overcoming challenges in securing the Internet of Things,” Information Management, 1 June 2018.
[4] Peter Cochrane, “The IoT needs an immune system to fight off nasty infections,” Computing, 16 August 2016.
[5] Ofer Amitai, “Using blockchain to solve IoT security challenges,” Information Management, 6 February 2018.