The Internet of Things (IoT) will usher in a new era of network intelligence and automation, but its arrival raises a host of serious security questions. Network World Editor in Chief John Dix explores the topic in depth with four experts:
* Marc Blackmer, Product Marketing Manager, Industry Solutions, Cisco
* Ari Juels, Professor in the Jacobs Institute at Cornell Tech (formerly Chief Scientist at RSA)
* Patrick Tague, Associate Research Professor, Electrical and Computer Engineering, and Information Networking Institute, and Associate Director, Information Networking Institute Carnegie Mellon
* David Mattes, CTO, Tempered Networks (formerly Advanced Research Technologist at the Boeing Company)
Security is obviously critical for IoT, but just how big a problem is it?
Juels: It’s kind of hard to calibrate the scope of the problem. We had a good object lesson in 2000 with the millennium bug scare. That turned out to be mostly ill founded because of the heterogeneity of systems and people had fallback mechanisms in place. I think depending on the degree of homogeneity or heterogeneity of IoT as it evolves, security will either be locally confined or will be sweeping in scope, but it’s hard to know how extensive security problems will be until we have a sense of how interoperable devices are and have a sense of how quickly attacks can propagate.
The more homogeneous is better or the worse?
Juels: Worse from a security standpoint, but better from a usability standpoint.
Mattes: In the early days of networking you had extreme heterogeneity of protocols and it was the convergence of those protocols that created the security problems and the security industry we have today. Similarly, we’ve been doing IoT-type things since the ‘80s with an alphabet soup of protocols. With IoT we will see the same thing; we’ll have a convergence at some point to a more homogenous environment and that’s going to cause the next security crisis.
Juels: Generally cybersecurity is a matter of combatting economic damage, combatting nuisances. With IoT it’s worth mentioning that security failures can be life-threatening, as in the failure of an implanted medical device.
Mattes: That’s a great point. Same thing in industrial environments like a chemical plant or a refinery where they are looking at wireless and Ethernet for transport. Link interruptions or failures can lead to dramatic safety consequences, so with IoT connectivity is tied to safety a lot more.
Why is IoT security different from how we are safeguarding all the stuff that is networked today?
Tague: One of the things that is fundamentally different is the use of the data. In classic network systems we think about data being specific to applications; siloed applications manage their own data and you can secure your data through the network as long as the two endpoints of the application are relatively trustworthy. With IoT, the value of the data is more about its ability to be shared. So data isn’t necessarily created by or for just one application. A lot of the value in IoT is devices create data but they don’t know who or what the data is for, and the applications that use the data might not know where it’s coming from or even care where it’s coming from. The whole ecosystem is a lot more open when it comes to sharing and managing the data.
Blackmer: That’s something we discuss with customers a lot. Who is going to own this data? Who has control of it? When it comes to privacy, how do I opt out if all these different devices are collecting different data elements and how do I control where it goes? I see that becoming a big question very soon.
Juels: We may see a striking shift in our social attitudes toward ownership of data as the custody of personal data from things like fitness trackers and medical devices and so forth is taken by service providers and not necessarily made available back to the customer. Should an individual own his or her own heartbeats? The answer would seem obvious, but in today’s environment it’s not so clear. If you’re wearing a fitness tracking device and all of your data is uploaded to the servers owned by the fitness device provider, it’s not guaranteed you’ll get access to that data. You will be, according to most terms of service, given very select access to the data and in many cases data can be resold. So we’re seeing a loss of ownership of data that would seem to carry a fundamental right of possession.
Mattes: One thing we need to face head-on with this proliferation of devices is the notion of how we establish and manage trusted relationships between devices, and over the full lifecycle of these devices, so we achieve greater control over the data and the sources and the consumers of that data. It’s going to have to be managed in an explicit way to reduce the attacks on these systems. To me that’s a fundamental problem that needs to be addressed and one that we’re working on here at Tempered Networks.
Blackmer: IoT is the Wild West right now. We don’t know what it’s going to look like, where it’s going. We’re right at the cusp and, while there’s a lot of opportunity, there is an intrinsic vulnerability because too often security is bolted on after the fact. So what concerns me is a rush to market to take advantage of the opportunities and not building in the necessary security and privacy protections, meaning we have to patch that together down the road.
Juels: Unfortunately that seems to be the lifecycle of any new technology. Security concerns are not addressed to begin with because people are more concerned with basic functionality. And I imagine we will see this repeated again and again as new IoT devices enter the market. I mentioned medical devices. We’ve seen that pacemakers and cardioverter defibrillators can be attacked over the air and, although there are security mechanisms built in to divert these attacks, they’re not very effective and the industry didn’t take the concerns seriously until they were publicized.
Can existing tools help us address IoT security issues or do we have to invent anew?
Juels: Existing technology is not even addressing existing problems, and IoT is likely to exacerbate that state of affairs. We’re still stuck with passwords after how many decades of trying to jettison them? And of course many IoT devices have password based access control; everything from lightbulbs to entertainment systems and automobiles use this antiquated technology, so those problems will carry over and a number of new problems will be introduced.
One of them mentioned earlier is the erosion of privacy, because we’re generating more and more data whose ownership isn’t apparent or whose ownership is shared. A video from a camera in a public environment, for instance, relays information for the public good, but of course involves sensitivities with respect to individuals tracked, and the ways the data can be correlated isn’t always obvious raising still more concerns. So there’s this phenomenon of data sharing and privacy in which the decision by one individual to share data can impact another individual, and IoT is exacerbating this phenomenon.
Patrick Tague of the Information Networking Institute Carnegie Mellon
A good example of this is location privacy. We have all these location tracking devices now. If I decide to reveal my location to the world I may also reveal the fact I happen to be in the same physical environment as you are so I’m also betraying your location privacy. I can do that without your consent and even without your knowledge. This general problem of data sharing and privacy will be accentuated by IoT and we need a completely different conceptualization of privacy to deal with it.
So not only will existing tools not be adequate for the job, but existing models of privacy are going to be inadequate in this world of very aggressive and pervasive data sharing. (Also see: "Internet of Things roundtable: Experts discuss what to look for in IoT platforms".)
Mattes: I agree that we’re going to need a new model. As far as technologies go, we have better techniques to use than passwords today. We have hardware roots of trust and we have digital identity. But those are hard to use so they don’t get used and/or people don’t know they can be used. I do think new technology will be needed too, like how do you do a hardware root of trust for virtual servers? So people are going to need to work on that, but I think it’s more about the model and the architectures around this stuff, rather than we have to invent a whole bunch of new technology to throw at it.
Blackmer: I have to second both your points. We have stuff today that isn’t being applied appropriately or properly. Everybody is looking for that big easy button and it just doesn’t exist. As long as we’re looking to technology to be the fundamental answer, we’re always going to be in a loop of not adequately protecting ourselves. How do you go and find a technology to “protect your environment” when you don’t know what’s in your environment, when you don’t know what normal is in your environment? Quite often people can’t answer those questions. Bringing in the latest and greatest technology isn’t going to help if you don’t know where and how to apply it.
Tague: Usability is also a big concern, especially when we think about devices at scale. If I, as a consumer, have 100 or 1,000 devices in my home, there’s no existing solution that will allow me to seal the leaks. Passwords are certainly out the window because many devices won’t have a UI so I won’t have a way of authenticating myself.
Also, consider the fact that many IoT applications aren’t going to run on behalf of a user, so simple things like authentication, authorization and access control become difficult. We’re no longer thinking about a user, we’re thinking about an automated agent that has no physical representation, doesn’t necessarily even belong to a particular service provider, and might actually establish contracts with service providers to get access to data to perform some functionality that’s either for a user or for another service provider.
Long story short, it’s a level of complexity that we haven’t quite thought through and don’t quite understand, and we really have to understand that before we can even think about things like coming up with the right models.
When you say it that way it sounds impossible.
Tague: I don’t think it’s impossible, it’s just difficult.
Mattes: We work with owners of critical infrastructure and I tend to think of these industrial networks as IoT on a smaller scale. They tend to be autonomous control systems that involve all sorts of sensors, actuators, servers, vendors, contractors, remote employees, etc., with a high need for integration to make processes more automated, more efficient. If we build some models at the standards level and make it a checkbox when people are building their networks of devices, there’s some hope people will start to do the right thing. We have to make security easy and automated for the end users.
Given the breadth of the problem, will we likely end up with a hodgepodge of approaches that will result in a management nightmare?
Blackmer: I’m actually an optimist, but I do expect a hodgepodge because, as we look at standardization, the problem has always been, how do you make it broad enough to appeal to a greater audience who can take advantage of it, but specific enough to be useful.
Security right now is a hodgepodge. But I don’t think we need any more standards. We’ve got enough. We’ve got to make the ones we have work, but we are still at the cusp of this. We don’t know what it’s going to look like yet. I have a feeling there’s going to be a natural expansion/contraction. Things change, new technologies are created that can be folded into something else. I expect it to be that way and, unfortunately, yeah, it is a management nightmare.
Tague: Definitely a hodgepodge at first, because it seems like that’s always what happens. Ultimately I think the question of whether or not it’s going to be a management nightmare is for some, yes, for others, no. Although this is a massive problem, within an individual organization, within an individual group, within an individual domain, the requirements are much more concise.
A company that has a certain type of IoT infrastructure they’re managing locally, their requirements are going to be different from another company. Standardization could help, as long as the standards are broad enough to capture everybody’s requirements, and flexible enough that my organization can configure what they need and someone else can go and configure something differently for their purposes.
Blackmer: I can throw in one data point. We had done a survey among CSOs and on average they were dealing with about 85 different vendors, which was a shocking number. That’s what I mean when I say it is complex and a management nightmare. All those relationships to manage, all those upgrades, all those patches, the interoperability, etc.
+ ALSO ON NETWORK WORLD ARM acqusition highlights quest to embed IoT security +