IoT Security – Insight on Trends, Challenges and the Road Ahead
The Internet of Things (IoT) industry isn’t part of the “Near Future” – it’s already here and growing rapidly. The Wall Street Journal hails IoT as the next Industrial Revolution and, according to Cisco, there are 4.9 billion connected devices today, with 12 billion expected by 2020. At full maturity, this growth is projected to produce a $6 trillion industry.
AT&T’s Cybersecurity Insights Report surveyed more than 5,000 enterprises around the world and found that 85% of enterprises are in the process of or intend to deploy IoT devices. Yet a mere 10% of those surveyed feel confident that they could secure those devices against cyber attacks.
The big question that emerges as individuals think deeper about the implications of almost every device being connected is: “How do we keep our devices secure?”
To further our discussion on IoT Security from our Insight paper, we talked to Kyrio’s Director of Business Development, Security Services, Ron Ih, to get expert insight into one of the most pressing questions in tech today…
- What is the most important IoT security trend we are seeing this year?
As consumers and businesses adopt more IoT devices and threats continue to multiply, securing those devices easily and at scale has become a daunting task. We are seeing more specialized security tools and processes specifically for IoT devices this year, specifically the use of digital certificates and public key infrastructure (PKI) to enable a more secure onboarding process.
“‘Onboarding’ is the process by which a new device is connected and added to the network and the local IoT ecosystem. Onboarding includes the process for authentication, authorization, and accountability of that new device.” — A Vision for Secure IoT
Digital certificates are issued and signed by a reputable source, often referred to as a Certificate Authority or Root of Trust. Like a digital identity card, devices exchange digital certificates to cryptographically authenticate each other’s identity and origin. In other words, authentication credentials allow you to prove you are what you say you are. As the IoT Security Informed Insight explains, “not only do digital certificates increase security, they enable a better customer experience (e.g. no PIN to enter.)”
The cryptographic signatures within the certificates cannot feasibly be forged or re-created unless you have the proper private key at the source. You can read more about the authentication process, digital certificates and PKI here.
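The certificate-based onboarding described above, worked through as an added example (this is not Kyrio's or the interviewee's code, and it uses only the Go standard library): a manufacturer root CA certifies each device's public key under its serial number at production time, and the onboarding service admits a device only if (1) the presented certificate chains to the trusted root and (2) the device proves it holds the matching private key by signing a fresh nonce. The CA names, the device serial "SN-000123", and the three test cases (genuine device, device certified by an untrusted CA, cloned certificate without its key) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus the private key behind it (root CA or device).
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var nextSerial int64 // demo only; a production CA uses random 64-bit+ serials

// check aborts on a setup failure (key generation or signing cannot realistically fail here).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key pair and certifies it. parent == nil yields a
// self-signed root CA; otherwise a device leaf (CN = serial) for client auth.
func issue(name string, parent *Identity, now time.Time) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(5, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	parentCert, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	} else {
		parentCert, signKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Identity{Cert: cert, Key: key}
}

// Answer is the device side of proof of possession: sign SHA-256(nonce) with its private key.
func (d *Identity) Answer(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.Key, h[:])
}

// Onboard is the network-side check. Gate 1: the certificate must chain to the trusted
// root, be within its validity period and permit client auth. Gate 2: the device must
// sign a fresh nonce under the public key in that certificate (a copied cert alone fails).
func Onboard(root *x509.Certificate, dev *Identity, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := dev.Cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := dev.Answer(nonce)
	if err != nil {
		return err
	}
	h := sha256.Sum256(nonce)
	if pub, ok := dev.Cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("proof of possession failed for %s", dev.Cert.Subject.CommonName)
	}
	return nil
}

// Scenario (constructed data) onboards a genuine device, an imposter certified by an
// untrusted CA under the same serial, and a clone presenting the genuine certificate
// with an attacker's key. A nil error means the device was admitted.
func Scenario() (genuine, imposter, clone error) {
	now := time.Now()
	root := issue("Example Devices Root", nil, now)
	dev := issue("SN-000123", root, now)
	fake := issue("SN-000123", issue("Rogue CA", nil, now), now)
	cloned := &Identity{Cert: dev.Cert, Key: issue("attacker", nil, now).Key}
	return Onboard(root.Cert, dev, now), Onboard(root.Cert, fake, now), Onboard(root.Cert, cloned, now)
}

func main() {
	g, i, c := Scenario()
	fmt.Printf("genuine: %v\nimposter: %v\nclone: %v\n", g, i, c)
}
```

Two things the example deliberately shows: chain verification alone is not authentication, because a certificate is public and can be copied off a genuine unit, so the nonce challenge (gate 2) is what ties the presented identity to the device in front of you; and the nonce must be fresh per attempt, otherwise a recorded answer can be replayed. In production the device key would be generated inside a secure element rather than in software, and the signing root would be kept offline behind an intermediate CA, but the two gates are the same.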
- What are the main challenges facing the IoT industry today?
The challenges are multifaceted, but the three most common I see are:
- While many companies are beginning to explore solutions, most device makers do not have security experts and are unprepared to manage security complexities
Device manufacturers and security companies have traditionally operated in two quite separate worlds.
Device manufacturers operate in a world of physical devices, often on the scale of hundreds of thousands, even millions of devices manufactured each year. Tightly managing inventory, bill of material costs, and just-in-time delivery are essential to remaining competitive. Device manufacturers work with firmware and small footprint applications, often with limited compute power and storage. Security can be limited to that which is only essential, in order to keep costs down and delivery times short. This market is generally characterized by tens of thousands of small-to-medium-sized companies that individually might not drive very high volumes, but in aggregate ship billions of devices.
Security companies have traditionally operated in the world of enterprise computing, networking, and web servers and web applications. These accounts are typically characterized by large corporations with IT groups and staff or consultants that specialize in security. Generally, these are large companies, banks, data centers, health care providers, etc. where there may not be a physical product, but valuable data that is stored in vast database servers. The data enables services and usually involves personal and/or financial information that must be protected.
As you can see, this can result in a large mismatch between what a device maker needs, and what a security company is equipped to provide, resulting in the two parties talking past each other. As a result, device security often doesn’t get implemented properly. This is not because the device maker doesn’t want to do it, but because they are not effectively guided on HOW to do it.
- In the pressure to meet product schedules and quarterly earnings, device security is often omitted or left as an afterthought because it currently takes too much effort and cost to understand and implement it
People often hear that cost is the reason for not implementing security, but misinterpret where that cost lies. There is indeed strong pressure to lower BOM costs, but the larger cost is often in the staff a company needs just to understand security itself. Whether it is allocating brain cycles from existing staff or new hires, headcount is generally one of the largest costs a company incurs. Understanding takes brain cycles. Brain cycles = time. Time = money, big money.
If we are to address the IoT security issue effectively, we need to address the time aspect of implementing security.
- Although IoT has existed for some time now, the market pressure to go wireless leaves devices more vulnerable to attacks
Autonomous networked devices have existed for quite some time already, but have primarily been implemented on wired networks on a relatively limited scale, using general purpose computers. However, with the relentless march of Moore’s Law, microcontrollers have advanced to the point where even a very small, inexpensive chip can operate a full TCP/UDP network stack in addition to managing a wireless radio. This high integration and lower cost have driven the market towards the adoption of small, wirelessly connected autonomous devices. In addition, the convenience of wireless connectivity has increased the scale of adoption to levels that are orders of magnitude greater than we have ever seen before.
Every device that is connected to your network is effectively a user on that network. Would you let a human user onto your network without verifying their identity? If you wouldn’t do that, why would you let a “device” do it? I put “device” in quotes because, in a network environment, you can’t always be sure if something claiming to be a device actually is what it says it is.
The justification for omitting security I often hear is “there is nothing important on that device”. That is the data center way of thinking about it where you are protecting what is directly on the system where security is implemented. My response is usually this, “You are absolutely correct. No one cares about what’s on the device. They care about the network it’s connected to.” That usually gets them to rethink their position. Insecure devices provide a foothold on the network to attack higher value devices or capture sensitive data.
- How can companies work to ensure better security in their IoT products?
- Businesses need to stop looking at security as a burden
Instead, businesses should leverage security as an opportunity to improve customer experience and revenues. Consumers don’t buy security for security’s sake, they buy products that make their lives easier and more convenient. If a product is secure, it improves the customer experience.
- A holistic approach to security must be addressed at the design stage of a device
To bring products to market faster, it’s easy to fall into the trap of a “sell now and we’ll patch it later” mentality. It’s nearly impossible to predict every security issue that may arise, so manufacturers need to consistently ask themselves: “How would this feature play out over time?” and “How do we do this in a way that’s scalable and secure over time?” Retrofitting security midway through the product lifecycle generally doesn’t work nearly as well and often sets you up for failure.
- Businesses must understand what “security” actually means and look for solutions that are easily digestible if they don’t employ security experts
Device makers need to understand what security actually means and what it is. Just because you use encryption doesn’t mean your device is secure. The biggest element of security is not encryption, but authentication: identify who you are communicating with and be able to verify it.