This article first appeared in the
Autumn 2017 issue of The Record.
Internet of things (IoT) is coming and a lot of IT executives are scared silly. Or maybe it’s more accurate to say they are resigned to their fates.
In a May study of 553 IT decision makers, 78% said they thought it was at least somewhat likely that their businesses would suffer data loss or theft enabled by IoT devices. Some 72% said the speed at which IoT is advancing makes it harder to keep up with evolving security requirements.
Such fears are rooted in reality. Last October, hackers took down the company that controls much of the internet’s domain name system infrastructure using some 100,000 ‘malicious endpoints’ from IoT devices. More recently, the WannaCry ransomware attack crippled some ATM networks and washing machine networks. For naysayers, those attacks validated fears that hackers could cause mayhem by commandeering IoT devices.
At the same time, the IoT industry continues its steady growth path. Predictions say that by 2020 there will be some 21 billion IoT devices in existence, up from five billion in 2015. About eight billion of those devices will be industrial, not consumer devices. Both present a juicy target for hackers.
For some, it seems like IoT is a slow-motion wreck playing out in real time. “The reason that the industry hasn’t backed off is the value proposition is very powerful,” says Chris Moyer, chief technology officer and vice president of cyber¬security at DXC Technology. “The risk proposition is also very powerful and that’s where the balancing is going on.”
Regardless of the industry’s appetite, IoT isn’t likely to get scale until the industry addresses its security issue. That will take a cooperation among vendors, government intervention and standardisation. In 2017, none of those things appear to be on the horizon.
What’s wrong with IoT security?
The consensus is that IoT is still under-secured and presents possibly catastrophic security risks as companies trust IoT devices for business, operational and safety decisions. Existing standards are not in place and vendors keep struggling to embed the right level of intelligence and management into products. Add to this the increasing collaboration among attackers, and there’s a need to address these challenges across a set of dimensions.
Consider what we face with the security of IoT devices:
• Unlike PCs or smartphones, IoT devices are generally short on processing power and memory. That means that they lack robust security solutions and encryption protocols that would protect them from threats.
• As IoT devices are connected to the internet, they will encounter threats daily. For example, Shodan, a search engine for IoT devices, offers hackers an entry into webcams, routers and security systems.
• Security was never contemplated in the design or development stages for many of these internet¬-connected devices.
• It’s not just the devices themselves that lack security capability; many of the networks and protocols that connect them don’t have a robust end-to-end encryption mechanism.
• Many IoT devices require manual intervention to be upgraded, while others can’t be upgraded at all. “Some of these devices were built very rapidly with limited design thinking beyond iteration one and they’re not able to be updated,” says Moyer.
• IoT devices are a weak link that allows hackers to infiltrate an IT system. This is especially true if the devices are linked to the overall network.
• Many IoT devices have default passwords that hackers can look up.
• The devices may have ‘back doors’ that provide openings for hackers.
• The cost of security for a device may negate its financial value. “When you have a two-cent component, when you put a dollar’s worth of security on top of it, you’ve just broken the business model,” says Beau Woods, an IoT security expert.
• The devices also produce a huge amount of data. “It’s not just 21 billion devices you have to work with,” says Kieran McCorry, director of technology programs at DXC. “It’s all the data generated from 21 billion devices. There’s huge amounts of data that are almost orders of magnitude more than the number of devices that are out there producing that data. It’s a massive data-crunching problem.”
Taking such shortcomings into account, businesses can protect themselves to a certain extent by following best practices for IoT security. But if compliance isn’t 100% (which it won’t be), then inevitably, attacks will occur and the industry will lose faith in IoT. That’s why security standards are imperative.
Who will set the standards?
Various government agencies already regulate some IoT devices. For instance, in the US, the Federal Aviation Administration regulates drones and the National Highway Traffic Safety Administration regulates autonomous vehicles. The Department of Homeland Security is getting involved with IoT-based smart cities initiatives. The Food and Drug Administration also has oversight of IoT medical devices.
At the moment however, no government agency oversees the IoT systems used in smart factories or consumer-focused IoT devices for smart homes. In 2015, the Federal Trade Commission (FTC) issued a report on IoT that included advice on best practices. In early 2017, the FTC also issued a challenge to the public to create a “tool that would address security vulnerabilities caused by out-of-date software in IoT devices” and offered a US$25,000 prize for the winner.
Moyer says that while the government will regulate some aspects of IoT, he believes that only the industry can create a standard. He envisions two pathways to such a standard: either buyers will push for one and refuse to purchase items that don’t support a standard, or a dominant player or two will set a de facto standard with its market dominance. “I don’t think it’s going to happen that way,” Moyer says, noting that no such player exists.
Instead of one or two standards, the industry has several right now and none appear to be edging towards dominance. They include ¬vendor-based standards and ones put forth by more established agencies in the space. All of those bodies are working on standards, protocols and best practices for security IoT environments.
Ultimately what will change the market is buyers, who will begin demanding standards, Moyer says. “Standards get set for lots of reasons,” he explains. “Some are regulatory, but a lot are because buyers say it’s important to me.”
Lacking standards, Woods sees several paths to improve IoT security. One is transparency in business models. “If you’re buying 1,000 fleet vehicles, one might be able to do over-the-air updates and the other we’d have to replace manually and it would take seven months,” Woods says. “It’s a different risk calculus.”
Another solution is to require manufacturers to assume liability for their devices. Woods says that’s currently the case for hardware devices, but it is often unclear who assumes liability for software malfunctions.
Artificial intelligence to the rescue?
A wild card in this scenario is artificial intelligence (AI). Proponents argue that machine learning can spot general usage patterns and alert the system when abnormalities occur. Bitdefender, for instance, looks at cloud server data from all endpoints and uses machine learning to identify abnormal or malicious behaviour. Just as a credit card’s system might flag a US$1,000 splurge in a foreign country as suspicious, a machine learning system might identify unusual behaviour from a sensor or smart device. Because IoT devices are limited in function, it should be relatively easy to spot such abnormalities.
As the use of machine learning for security is still new, defenders of this approach advocate using a security system that includes human intervention.
The real solution: A combination of everything
While AI may play a bigger role in IoT security than initially thought, a comprehensive IoT solution will incorporate a bit of everything, including government regulation, standards and AI. The industry is capable of creating such a solution, but the catch is that it needs to do it on a very accelerated timetable. At the moment in the race between IoT security and IoT adoption, the latter is winning.
So, what can companies do now to latch on to IoT without making security compromises? Moyer has a few suggestions:
1. Take an integration approach: This is a case where more is better. Moyer says that companies using IoT should integrate management solutions and bring the IoT platform in for primary connectivity and data movement, and pull that data into an analytics environment that’s more sophisticated and lets them do a behavioural analysis, which can be automated. “By integrating those components, you can be more confident that what you’ve got from a feed in an IoT environment is more statistically valid,” he says.
2. Pick the right IoT devices: Those are devices that have a super-strong ecosystem and a set of partners that are being open about how they’re sharing information.
3. Use IoT gateways and edge devices: To mitigate against an overall lack of security, many companies are using IoT gateways and edge devices to segregate and provide multiple layers of protection between insecure devices and the internet.
4. Get involved in creating standards: On a macro level, the best thing you can do to ensure IoT security in the long run is to get involved in setting standards both in your particular industry and in technology as a whole.
This article was produced by WIRED Brand Lab for DXC Technology