IoT needs security by design… not as an afterthought
Syed Hosain is the chief technology officer of Aeris, a technology provider and a cellular network operator that delivers comprehensive IoT and M2M services to leading brands. As IoT matures and scales up, it’s clear that the security issues that afflict the wider internet are also present in IoT but they are also accompanied by numerous device, hardware, software and application weaknesses that are specific to IoT apps and services.
Here, Hosain makes the case for securing IoT offerings at the design stage rather than trying to hold back the tide of attacks by adding security to systems once they’re in deployment.
IoT Now: What is the difference between securing the IoT and traditional internet security?
Syed Hosain: We’re focused on traditional internet security because people don’t think about it, particularly in the context of IoT, until a large-scale media event reports a security breach. Once that happens, there’s a flurry of attention but that quickly subsides until the next breach is reported.
My fear is that one day an IoT security breach event will cause a fatality, such as someone dying from a medical monitoring service failure. If we’re not prepared and able to say we did the best we could, the entire IoT industry will have serious and ongoing security issues to address that will hamper further development.
In IoT, the stakes are higher than in other areas of internet security. For example, a credit card security breach is not the same thing, identity theft is not the same thing. Because, although these cost money and are very inconvenient, nobody dies from them. IoT security breaches have the potential to do much more serious harm than these and a fatality could set back the IoT market in general.
Service providers therefore need to be able to confidently say that they have addressed security issues as best they can, using state of the art practices within a rational context. By a rational context, I mean identifying likely threats versus the damage a breach can cause and deploying security implementations accordingly. If organisations can demonstrate that they have considered the risks to a service and then designed, deployed and maintained security processes effectively, it will be much more straightforward to defend the industry as a whole when something serious happens.
For example, a simple data breach on a noncritical IoT device needs to be taken in context. The organisation needs to evaluate the risk, which in the case of a simple data breach may have little or no security impact, and act accordingly. Of course, if the breach is on a medical device or in the food and water supply industry, the risk is greater and heightened security awareness and secure implementations are required.
Companies therefore should perform an analysis and determine whether to spend one dollar or a million dollars to protect their service and IoT application. It’s vital that they go through the steps to evaluate the threats, the potential for damage and the cost of mitigation. Only then can they state that they have made the best decisions and deployed the best technology to protect their users. It is that knowledge which will protect the IoT market as a whole.
IoTN: Is the IoT security challenge mainly about retrofitting security technology to existing devices to achieve a defensible position?
SH: Absolutely not. Security must not be an afterthought and has to be designed in from the start and treated as an ongoing process. A service can’t necessarily be secure from the start so adding something later doesn’t address some application services’ inherent lack of security. For security in IoT, this is challenging because there are so many vulnerabilities to address over a very wide threat surface. For instance, breaches can occur all the way through the IoT service chain from the source device, such as sensors or gateways, to the transport network, the network infrastructure itself, the data connections, the host servers and finally humans, organisation processes and automation.
This is complex and organisations therefore need to consider all the risk points where security breaches can occur. It’s not as simple as addressing devices at one end and processes at the far end of the IoT chain, because there are many other places where security best practices can be implemented.
Thus, I believe security has to be addressed within the network as well as the end-points. In IoT, we worry about device identity in a different way to a mobile network operator because devices are being utilised in different ways and small flaws can have serious consequences. For instance, if you have a dumb device like a sensor that goes awry and it causes a security breach, you can’t modify it easily as you will have to send someone to fix or replace it. In IoT the sheer scale of the market will preclude this from being financially viable so providers will need the functionality to go back and remotely update devices over the air.
Furthermore, the fact that security is never going to be perfect from device deployment until scheduled retirement means remote updating must be designed in and enabled. If it isn’t, it will be cost prohibitive to operate a service or IoT application because of the cost of making changes.
IoT Now: Is it the sheer scale and diversity of IoT that makes the security challenge so demanding?
SH: Yes, the scale is the tough problem. However, that also presents opportunities to enhance security because one of the things that is coming with scale is that almost all the new devices are IP-connected – via cellular, hybrid or satellite networks. When we get to the projected billions of devices, they will need IPv6 addresses because all of the patchwork of techniques we’ve used to extend IPv4 addressing has come to an end because of the scale of IoT deployments.
This gives us an opportunity on a customer or application basis to isolate and potentially block a range of devices within the network if they are breached. This could be ten thousand devices or ten million devices but we’ll know which they are by their IPv6 range and therefore can block them. For example, with the recent distributed denial of service (DDoS) attack through IoT cameras that used Embedded Linux in three to five million cameras. These had hardwired the passwords for admin accounts. In such a security breach event in the future, we would use the IPv6 addresses of all the cameras and block them.
IoTN: How strong is the need for standardisation or at least some sort of cross-industry framework for IoT security?
SH: This is necessary but efforts are still at an early stage. There is a recognition that security breach concerns are so serious that the situation needs to be addressed with a consensus across the IoT industry. This will need to happen without government involvement because government initiatives, although underway in many markets, will move too slowly to be ready in time for the market’s needs.
Aeris has focused on certain markets and is tackling the challenge in an industry-wide, secure way. Initiatives such as FASTR (Future of Automotive Security Research), an organisation established by Intel, Uber and Aeris, has targeted the automotive market because it’s an area we’re familiar with and we know that security is being taken seriously by everybody in this market. The organisation now has about half a dozen members associated with the automotive industry and is working on what it takes to implement a security architecture that follows the best known technical standards available for the auto market.
IoTN: Do you think the majority of the market is ignoring the risks and hoping for the best or are most IoT companies preparing for the worst?
SH: We see both attitudes. Way too many people have jumped on the IoT bandwagon to create applications without thinking about security. But there are some applications in the IoT market which are worrying about security sufficiently to slow down their rate of deployment to assess the impact of security breaches.
Remember we’re talking about an enormous market with multiple networks and billions of endpoints in time, with revenues somewhere between US$3.9 trillion and US$11.1 trillion per year in 2025, according to projections from McKinsey & Company. However, all that growth potential is at risk because it will only take one well-publicised security breach that causes a fatality to damage the market as a whole quite significantly.
There’s a clear recognition that money will have to be spent to achieve IoT security and an acceptance that doing so is essential. Businesses understand that they have to invest in IoT security because the cost of a security breach could be enormous. In the US, for example, the legal liabilities could be huge. But, if you can demonstrate that you took the best, most effective solution available, with full awareness of the security issues in the market, and still a security event took place, that liability may be reduced.
Further to this, IoT security isn’t just about protecting your business from big security events with far-reaching consequences. There are privacy challenges which are related to security requirements for organisations to consider as well. Companies are overlooking IoT security in this respect. It’s not just an issue of consumers losing their privacy, the potential for actual harm exists in applications such as internet-connected two-way baby monitors that have been breached.
It’s fundamental for the success of IoT applications that consumers are protected. Many adults don’t understand the impact of security breaches and we cannot expect children to be able to deal with it either. Organisations therefore must implement security during the design phase of devices and applications and perform the necessary analysis to develop in-depth understanding of the consequences of breaches. IoT solutions must ensure general public safety along with meeting consumers’ reasonable privacy expectations.
IoTN: What does Aeris see as the key ingredients for achieving end-to-end IoT security?
SH: We see four key areas for achieving IoT security in Aeris systems: traffic segregation, network whitelisting, multi-stage verification and anomaly detection through analytics. We see these four as vital for secure IoT deployments.
Traffic segregation means that any device on the network cannot communicate with any other device, thereby ensuring attacks cannot proliferate across the entire network. This protects against device-to-device and mobile-to-device breaches and we ensure that all public access on our network is blocked as necessary.
With network whitelisting, we define at the network core who can communicate with the device and who the device can communicate with. Anything else is blocked by access controls in the Aeris platform. This provides the control necessary to eliminate unauthorised communications.
The Aeris IoT Platform is also implementing multistage verifications that are fundamental to enabling secure over-the-air (OTA) updates. An on-device installer can securely download the software image from the OTA server; the server then sends a separate out-of-band message to the device with a unique key that is required in order for the update to proceed. This architecture provides an additional level of security in case the OTA server is spoofed and malicious software is downloaded because until the key is received, the device blocks the update.
Finally, we see anomaly detection based on the intelligence gathering capability built into the Aeris system as a key security enabler. Anomaly detection baselines communications to devices to assess normal patterns. We then monitor traffic, set alerts and can identify behaviour changes based on this baseline information and, if we see an anomaly, the Aeris IoT Platform can shut off network access for any device that is behaving outside of its normal range.
IoTN: How do you see IoT security developing over the next two years as the IoT market and ecosystem matures?
SH: The kinds of activity that have taken place so far have mostly focused on credit card security, identity theft and website attacks. These are really standard internet security issues and don’t address the specifics of IoT apps. State actors – governments and military – have tackled potential terrorist problems such as defence, airport security and critical infrastructure such as water systems.
There’s a dichotomy here. Data security problems are being dealt with by governments with cybersecurity departments looking to protect citizens from hacks, while issues regarding financial security and privacy are being handled by enterprises. However, there’s a big difference between both of these and the requirements of securing IoT.
My greatest concern is that a fatality will have occurred as a consequence of an IoT application or device security breach by 2020. So I believe much more attention must be devoted to IoT security in the next few years to create the frameworks to enable a more secure IoT. When we get to the deployed base of 50 billion devices, the need for these to be secure is going to be fundamental for these IoT applications to deliver on their potential.
By 2020 we need to have reached a situation where IoT security is mature enough to support, for example, automotive applications that enable users to control their vehicles but prevent criminals from hacking them. The IoT market is huge and there are enormous opportunities for security breaches as a consequence. We have to think ahead and plan ahead in order to have security by design in IoT.