Creating a secure network for the Internet of Things
The attitudes and perceptions around the Internet of Things (IoT) span a wide array of views from the extreme excitement of consumers and manufacturers, to the concerns (bordering on paranoia) of privacy and security professionals. Some see the Internet of Things as the promise of ubiquitous connectivity across all aspects of our life. Others view it as another in a series of uber technology trends off of which to sell new products and services. Many view the IoT movement as nothing more than marketing fluff to stir up consumer interest in new (and sometimes puzzling) networking capabilities.
There is one aspect of the Internet of Things that all of these various factions can agree upon. The long-term success of the trend and many of the new gadgets it introduces will depend largely on the community’s ability to deliver a secure platform for the IoT. This reality has many asking the question, “What does a secure network for the IoT look like?” While requirements will vary, there are some common elements that we will explore here.
The two sides of the IoT security coin
There is a two-fold dilemma when it comes to IoT security and securing a wide array of newly networked devices. The first side of this coin is the protection of things, i.e., the risk of the device becoming compromised. Here we have to worry about factors such as a huge increase in unknown vulnerabilities within these devices. Often for manufacturers of these “things”, security takes a back seat to creating buzz around networked capabilities, and selling. Often, these manufacturers will have relatively immature software development life cycles, particularly in the area of security.
The other side of the IoT security coin is protection from things; the “thing” as the perpetrator of the attack. We see more and more theoretical stories about the rise of “thingbots” and massive systems of compromised devices (some perhaps more realistic than others). These things will often be hard to identify granularly as they typically share IP addresses and have unfamiliar operating systems. Their rapid proliferation and deployment onto the network, along with the above-mentioned vulnerabilities, suggest many may in fact be prone to compromises that can be exploited by bot herders.
Steps for manufacturers to improve the security of “things”
Consumer technology manufacturers can hardly be blamed for getting caught up in the excitement of the IoT. According to research from the Acquity Group , two out of three consumers expects to have at least one piece of “connected technology” in their homes by 2019. We have all seen the rise of these devices and their many displays in retails stores. In fact, those smart thermostats that draw us in are expected to have 43% adoption in the next five years according to that same study.
Two things with regard to IoT security remain very unclear. The first is the extent to which delivering a secure network is a critical requirement for consumer adoption of increasingly network-enabled devices. The second is the lengths manufacturers are prepared to take to ensure security of their devices.
Clearly, the IoT movement has many non-technology (or at least security) focused companies jumping into the networked world. These organizations need to ensure that they are adopting into product development stringent security practices as part of a Software Development Life Cycle. Applications and new code need to be put through a Quality Assurance (QA) process that test for security vulnerabilities. This vulnerability management process also needs to be applied not only to the development of the devices themselves, but also any networked components, such as databases or systems in the cloud serving and storing data from these devices.
Some manufacturers are taking additional steps. In a previous article, we mentioned some vulnerabilities of Tesla cars that have been found and very publicly exposed. What we did not discuss are the steps Tesla has been taking to find any and all possible vulnerabilities within their product. This past June, Telsa formalized its already active and ongoing work with security researchers in launching “Bug Crowd,” a bug bounty program paying out initially $1,000 for vetted and validated vulnerabilities presented by independent researchers. In August, they increased the potential payout to $10,000, partly in response to the high profile vulnerability exposed at the DEF CON conference earlier that month. Some call this mostly a PR move, but it represents an increasingly popular means of leveraging the vast and sometimes mysterious security research community.
Manufacturers who elect not to stimulate white hats (or more likely gray hats) to identify vulnerabilities might want to consider the fact that others may already be organizing efforts for them, just with less clear (but likely less altruistic) intentions for use. More recently, Zerodium announced a $1 million bounty for a fully executable exploit for iOS 9, highlighting the extreme value of vulnerabilities for commonly used devices- a fact that should also not be lost on those less concerned about protecting devices, but more concerned about protecting their organizations from IoT devices.
Critical steps in protecting organizations from IoT risks
The variety of new risks and threats posed by a future with billions of networked devices are too numerous to cover comprehensively here, but let’s take a look a couple of clear requirements.
With the advent of billions of non-traditional IT devices, accurate device identification will simultaneously become more important, and more difficult. The primary tool that has long been used for device and user identification, namely IP addresses, is rapidly declining in its security value.
Dynamic IP addresses, global Network Address Translation (NAT), and anonymous proxies are just a few of the tools out there that are making the connection of IP address and device or user very hazy. This is an area where potentially newer device fingerprinting technology can play a role. Device fingerprinting is a rapidly growing technology that employs various tools and methodologies to gather IP-agnostic information about the source, including running a JavaScript on the client side. The device fingerprint uniquely identifies a web tool entity by combining sometimes dozens of attributes of a user’s device to identify and then track their activities, generating a behavioral and reputational profile of the user.
Security teams also need to prepare to match the level of automation now clearly seen on the attack side of the ledger. The idea of “script kiddies” and dark rooms filled with hackers in sweatshirts manually coding attacks against individual adversaries is an antiquated notion. We know from the frequency, polymorphic nature, and rapid response of today’s attacks that we face an increasingly automated flow. This flow is one that cannot reasonably be defended against by a team of security professionals (regardless of their capabilities) reacting and manually implementing protective measures. Protection from new, previously unseen attack sources demands investment in automated means of attack detection and coordinated mitigation.
Don’t count on regulations to protect anyone
This past spring, the Federal Trade Commission released a report on the pros and cons, benefits and risks of the IoT, based on the results of a workshop held last November where experts gathered to discuss this fast-moving technology trend. Quite correctly, the workshop and the report give considerable focus to the issue of security concerns related to the IoT. In doing so, the report provides a welcome and needed step forward in both identifying and starting the process of addressing security concerns with a wave of additional devices becoming network-enabled.
The report puts tremendous focus around consumers and consumer data protection, privacy, etcetera. Obviously, there are key issues that will need clear security solutions to ensure protection of Personally Identifiable Information (PII), both to facilitate adoption and to ultimately protect users. However, the report does not go far enough in addressing several other security issues. It also falls short of effectively defining the landscape of “IoT industries,” and the overall discussion suggests a narrow view of those needing to participate in the conversation. By no means is this an exhaustive list of the areas that many industries will need to tackle to ensure secure and safe IoT, but it represents a few particular areas we see a lack of focus thus far:
- Employee Safety: both the opportunities and the challenges of IoT clearly extend into employee wok safety (e.g. production facilities and industrial control concerns)
- Critical infrastructure protection: industries such as logistics, mass transit, electrical and heating elements all rushing in IoT technologies and,
- Law Enforcement and Military Applications: of course in the world of drones, one can clearly see where IoT becomes more relevant to these important areas of national commerce & safety.
Don’t forget about availability
An important consideration for organizations looking to create a secure network to support IoT adoption is availability. For many years, and for a wide variety of reasons, availability has traditionally taken a back seat to the other elements of the CIA triad (confidentiality, integrity and availability). One major reason for this is the pressure on organizations to protect consumer data. Most industry driven security compliance initiatives (such as the Payment Card Industry Data Security Standard, PCI-DSS) similarly center on data confidentiality and integrity. In the past, losing network or application availability have mainly impacted revenue or productivity, but have been viewed as less severe an issue than an actual data breach. However, the movement of organizations to IoT principles means a greater dependency on the network to maintain increasingly critical operations, making availability more and more important and a serious security issue.
Regardless of your organization’s interests around the IoT, be they monetization from the demand in more and more connected devices, or simply preparation for the impact on the threat landscape, the time has arrived to start taking proactive steps to ensure security. In the end, the full vision of IoT may or may not come to pass. It may take longer than some predict. What is undeniable is that we are in the midst of an explosion of connectivity, and while the average consumer may not be aware of IoT concepts, they will have expectations with regard to security. Similarly, they will be by-and-large clueless to the potential impact they (and their new gadgets) have on the threat landscape, and thus cannot be relied upon to maintain security capabilities on these devices. As a result, the burden of protecting organizations from the possible wave of new, larger threats falls to the security operations teams.