Securing the Internet of Things
The business opportunities presented by the Internet of Things are generating a lot of excitement in the IT community, and rightly so. Innovative devices and embedded smart capabilities can transform the customer experience, enhance functionality, improve product maintenance, and create new business propositions such as subscription models and new forms of data analytics.
However, the IoT presents important new security challenges. Even with the explosive growth of mobile apps and the cloud, the focus and expertise of corporate IT security has remained largely inside the company firewall. But this new environment of ‘things’ resides almost entirely outside of the corporate network, relying primarily on the external internet and local connectivity technologies such as Bluetooth or mesh networks. The main dimensions of this new security situation are summarized in the figure below.
Figure 1 - The IoT security challenge
Early security experiences
Security researchers and the media have been having a field day identifying IoT security weaknesses – not just in the lab, but in devices that are in widespread use. Recent examples include:
- Cars, light-bulbs, door locks and refrigerators that have been remotely controlled by attackers, or infected by malware so as to become part of a ‘botnet’.
- Studies by both commercial and university research groups that have catalogued numerous IoT software weaknesses, and shown that many phone apps (including some popular medical apps) have been poorly designed and risk exposing sensitive customer data.
Unfortunately, current strategies – even by some security solution vendors – repeat the pitfalls of the past, such as requiring end users to take responsibility for security configuration and patching. The track record of end-user system security management does not inspire confidence, but even if it were better, end users can hardly be expected to support the scale and complexity of IoT system deployment when they may not even be aware that their clever new device is in fact a fully networked computer.
The need for an IoT conceptual model
It is often tempting for an organization to define its IoT security requirements purely by the first application that emerges – be it extending industrial control to the internet or connecting a mobile phone to a new wearable technology. However, the initial set of IoT applications is likely to expand significantly over time.
Similarly, the initial IoT security focus is typically on the ‘micro element’ of the device – outside of the context of the corporate network – even though we know that most devices cannot securely operate without the ‘macro elements’ of applications, data stores and services which bring trust and security to this distributed world of ‘things’. The macro elements must be in place because a device on its own does not know whether it can trust messages from other components or services unless they have been authenticated by an authority that it can recognize. A trusted messaging channel or cloud service that allows one device to accept commands or release data based on the state of another is fundamental to being secure.
While some macro elements can work effectively in closed systems where devices maintain their unique identity and security status through a dedicated management system, they become more powerful when one device is used for more than one purpose, and thus needs a unique identity and a common authenticator that multiple applications can recognize. The conceptual model shown in Figure 2 may be helpful in understanding these broader security challenges.
Formulating an IoT security strategy
IoT security is sufficiently important that the actions and decisions that companies make about it will often shape their reputations and future business opportunities, as further discussed below:
Reputation and stance
IoT has the potential to benefit the supplier, the customer, or both. But we can’t assume that these benefits will be automatically available. Particularly when IoT services are used by specific individuals, explicit permission is generally needed for data collection and use. Even the collection of non-personal data often needs at least tacit agreement from a broader set of stakeholders, possibly including regulators.
Getting these issues wrong can have disastrous implications as customers will reject products or services seen as untrustworthy. Mistakes can even result in regulatory intervention. There are two main scenarios where permissions are important:
- A company collects and uses customer information to help in managing its own business (for example, proactive maintenance, cross-selling or on-selling of data).
- A company collects information to provide additional/improved functionality and services of potential benefit to its customers.
Of course, none of this is new in a world of loyalty cards and web usage tracking, but the pervasiveness, volume of data, and physical proximity of IoT can make the subject very emotive. For example, Ford was widely criticized after an executive publicly stated that it could (in theory) monitor speeding infringements made by its customers. BMW countered that it would maintain customer privacy.
Similarly, at least two TV manufacturers have been taken to task for using cameras and microphones to monitor more than their customers expected. We tend to think that companies have a legal obligation to declare or explicitly ask permission in order to collect and use such data, but, for example, when the information is only used in aggregate, covert data collection can (at least arguably) be outside of current regulation. In such cases, each company must set its own standards and take its own stance.
Figure 2 - IoT conceptual model
This model highlights the following elements and challenges:
- Statement of company values – The stance that the organization wishes to take in terms of privacy, security and the assurance that its standards are being met.
- Independent verification – Independent assurance and/or testing that IoT security has been effectively addressed in the development, deployment and operation of a new system.
- Regulation and compliance – Covering both general regulation such as protection of personal data and specific regulation such as safety or medical systems integrity as required by a particular regulator.
- Authentication and attestation – Security capabilities that can give confidence in the source (identity) of an IoT component and the validity of the messages it is receiving or transmitting.
- Cross-service brokers – Services that provide software logic that makes decisions or triggers actions, such as IoT outputs based on IoT inputs.
- Security maintenance – The processes and technical management actions that allow security weaknesses in software or its configuration to be corrected.
- Embedded systems – IoT technologies that are built into existing systems to enable them to communicate over the internet and provide data or respond to commands.
- Smart devices – Devices capable of data processing and designed from the outset with internet connectivity.
- Hubs – Smart devices such as smart phones that provide an interface between less sophisticated IoT components and services on the internet.
- Mobile apps – Software designed to run on smart mobile devices. Apps are often the human interface used to control IoT systems and applications.
- Wearables – Smart devices that are worn to provide additional sensors or capabilities (for example, glasses as video displays and watches as heart-rate monitors). These may connect directly to the internet or via a smart-phone hub. They will also increasingly connect to each other.
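As an added illustration of the macro elements described earlier and of the ‘Authentication and attestation’ and ‘Cross-service brokers’ elements above, the following Python sketch shows a broker issuing a command for one device based on another device’s reported state, and the receiving device accepting it only when it is addressed to that device, authenticated by the authority it was provisioned to recognize, and not a replay. This is constructed example code, not code from the original paper; the authority key, device names, message fields and the use of an HMAC as the common authenticator are all assumptions.

```python
import hashlib
import hmac
import json
# Constructed demo key; in practice provisioned into the device at enrolment.
AUTHORITY_KEY = b"constructed-demo-key-not-for-production"

def canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_command(key: bytes, device_id: str, action: str, based_on: dict, nonce: int) -> dict:
    # Broker issues a command for one device, citing another device's state.
    body = {"device": device_id, "action": action, "based_on": based_on, "nonce": nonce}
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body

class Device:
    def __init__(self, device_id: str, authority_key: bytes):
        self.id = device_id
        self.key = authority_key
        self.seen_nonces = set()  # replay protection
        self.state = "locked"

    def accept(self, msg: dict) -> bool:
        # Accept only commands addressed to us, MAC'd by the recognised authority, not seen before.
        mac = msg.get("mac")
        if not isinstance(mac, str):
            return False
        body = {k: v for k, v in msg.items() if k != "mac"}
        if body.get("device") != self.id:
            return False
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        if body.get("nonce") in self.seen_nonces:
            return False
        self.seen_nonces.add(body["nonce"])
        self.state = body["action"]
        return True

def demo() -> dict:
    door = Device("door-1", AUTHORITY_KEY)
    cmd = sign_command(AUTHORITY_KEY, "door-1", "unlock", {"phone-7": "nearby"}, nonce=1)
    results = {"valid": door.accept(cmd)}
    results["replay"] = door.accept(cmd)                   # same nonce again
    results["tampered"] = door.accept(dict(cmd, nonce=2))  # body changed, MAC stale
    other = sign_command(AUTHORITY_KEY, "door-2", "unlock", {}, nonce=3)
    results["wrong_target"] = door.accept(other)           # addressed elsewhere
    results["state"] = door.state
    return results
```

Only the first command changes the door’s state; the replayed, altered and mis-addressed ones are all refused before any action is taken.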