We've all seen reports of pacemakers that can be wirelessly manipulated, insulin pumps that can be remotely mis-programmed and autonomous vehicles that have been taken over and gone rogue. And, while for the most part these incidents have been limited in their scope, we have seen some major IoT-related incidents such as the Mirai botnet. With experts forecasting that there will be as many as 10 connected devices for every human on the planet by the end of the decade, if we don't get security right now, we could create a world where the hardware we rely on could be used against us.
At the recent NetEvents media and analyst summit, panel moderator Robert Haim from ACG Research said "We don't know who the heck is going to damage the property next and how they’re going to do it and what kind of skillset they have". He asked a number of players in the IoT security space how they would go about testing IoT products so buyers had some level of assurance around device security.
Mark McGovern, from CA Technologies said "A lot of the way that we look at validating the analytics we do or the detection capabilities we do is to study and to analyse the actual behaviour of the systems and then to flag the things that are out of line and inconsistent with the past behaviours of those entities. So, whether that’s an IP address, an endpoint, a login, or a claimed identity, what are the things that are standing out, both against their own performance, or rather behaviour, and then the behaviour of the population? Then using that as a way to reinforce the learning that our systems are doing and the machine learning that we embed in, but also providing value to our customers".
With supply chain attacks becoming a key tool for threat actors - Target was attacked via a third-party contractor and other recent attacks have focused on the suppliers of high profile targets - it's important, said Ziften's Roark Pollock.
"You have to look at your partners and be open to them testing your product on the chip fingerprinting side, intels, enhanced identity. They require you to go through a whole certification process. Put yourself through those partner certifications. Hire auditors. There’s auditing firms for security today. Don’t trust yourself. Get these guys to double-check your engineers, double-check your code".
One way to attack the problem is to think about trust zones, said Sanjeev Datla from Lantronix - invoking Robert De Niro's "Circle of Trust" from Meet the Fockers.
"When you look at a device as simple as a commercial door lock in a university, and if you look at the number of people who interact with that door lock, the roles, the responsibilities, that’s where the trust zones keep building up in terms of, what are the different levels of access that the administrator on premise has, or the nurse as he or she interacts with the dialysis machines? Then what are the kind of roles and responsibilities for the next level of people, the OEM who tries to maintain, the field service guy who comes and accesses the machine? What kind of roles and responsibilities? What do you permit? What do you not permit? These zones keep building up and when you look at a device it looks pretty simple. Right? You have an infusion pump and it has an Ethernet port. But if you look at the levels of rings of trust, or access controls, if you will, if you call it that way, how it builds up, it’s pretty enormous".
At the moment, it's clear that IoT security is immature. But the tools we need to start making the devices safer are available. For example, Hank Skorny from Neustar said we can leverage cloud-based processing to generate keys that can be used to protect communications.
"Rather than doing key management on the device, what you’re instead doing is moving it up into the cloud, where all keys can be managed in the cloud and you therefore lessen the processing burden, memory burden, battery burden of the devices. Instead what you’re doing is you’re looking to generate an encryption key on first boot and register it back with the owner of that chip or that device. This way then what can happen is every single message that gets sent to and from that device is simply encrypted to that key".
The concepts of protected communications and the trust zones Datla mentioned are, to some degree, managed in the solution Zebra Technologies has implemented with the NFL. All communications between the sensors worn by players and installed in the ball are encrypted and transmitted in a form that's useless without supporting metadata. The transmission network is physically restricted from outside intrusion and the data processing is carried out offsite, with all communications between data collection and processing also encrypted.
We often hear about "security by design". This solution highlights that it is possible to create a secure IoT environment but that it requires planning from the start - not being bolted on later.
Anthony Caruana attended the NetEvents Press and Analyst Summit in San Jose as a guest of NetEvents.