The wild, Wild West of IoT security

In the case of Internet of Things security, it’s the Wild West out there. Drones with firearms attached, connected cars remotely sabotaged — the potential for trouble seems to be endless. Even popular culture’s been getting into the act. Witness HBO’s Silicon Valley episode where the self-driving “Hooli” car abruptly changes its destination and enters a shipping container, taking Jared to a man-made island in the middle of the Pacific Ocean (“I’m sorry, what? Mister car? Excuse me?”).

As we think about a future world with over 25 billion connected “things” in use by 2020, the cyber risk scenarios grow exponentially. In a prior article, “The IoT meets the Internet of Behaviors,” I outlined a few of the possibilities — some of which have already materialized in recent months:

• Connected home hacked to open the front door to thieves, open garage door to steal a car, raise heater to maximum levels to damage air conditioning system and/or household goods, turn off refrigerator, turn off sprinkler system, access personal computers, and so on.
• Connected, autonomous car or delivery vehicle sabotaged to crash via inappropriate acceleration or braking, or sent to incorrect destinations; vehicles such as trains, aircraft, drones, ships etc. similarly misdirected or sabotaged.
• Connected hospital hacked to change the route of delivery robots; functions of medical devices such as pacemakers and insulin pumps, and so on.
• Connected manufacturer hacked to interrupt functions of warehouse “picking” robots, equipment monitoring and maintenance sensors, plant control systems, supply chain activities, and so on.
• SCADA and PLC systems sabotaged in similar fashion to the Stuxnet worm that span up Iran’s nuclear centrifuges.

In each case the resulting “damage” can range from nuisance issues all the way to serious issues related to potential injury or loss of life, damage to physical property, or even threats to national security.

Prospecting in safety: What makes IoT security so difficult?

One of the main problems compounding this situation is that security is often an afterthought, bolted onto solutions after the fact, once issues arise. IT security experts and IT managers have been calling for security to be built-in by design for decades now, but there’s been a long line of technology innovations ranging from the Web, to mobility and cloud computing, and now to the IoT, where it still feels like, and often is, an afterthought.

Adding security after the fact creates other issues as well. When emerging technologies are not secure from the start, they create delays in realizing their full business benefits as organizations struggle to implement appropriate security controls. In fact, a study on “Risk and Responsibility in a Hyperconnected World” by the World Economic Forum estimated delays addressing cyber risk ranged from 11 months for cloud, to 5 months for IoT and mobility, to 3 months for social computing. Clearly, a larger percentage of typically flat IT security spend needs to be redirected here versus perimeter security.

What adds to this difficulty, in the case of securing the IoT, is that it’s a complex ecosystem no matter which industry you look at. IoT solutions and services are typically composed of not just one product, but a complex system of systems that includes hardware and software from many different vendors, much like RFID systems in the early 2000s, where you had to deal with a variety of tags, readers and middleware — all from different parties.

The security of the overall solution is only as good as its weakest link, so this multivendor complexity opens up additional vulnerabilities for cybercriminals to exploit and makes end-to-end testing essential. Some of the main vulnerabilities are explored in the Open Web Application Security Project (OWASP) Internet of Things Top Ten Project.

Avoiding the gunfight: A framework to think about risk

When thinking about risk levels related to IoT security, it’s useful to know where the major issues may arise once hackers get to their target destination via the cyber “kill chain.” One way to think about this is to consider the various categories of IoT devices and the corresponding types of cyber risk. As IoT devices become more controllable or more autonomous, the threat intensity increases as cyber-criminals are able to steal sensitive data, introduce malware, and ultimately conduct “command and control”-style sabotage.

One of the frameworks I’ve found useful has been Gartner’s classification of four categories of IoT devices, ranging from identifiable things (e.g., passive RFID tags), to communicating/sensing things (e.g., pressure sensors), to controllable sensing things (e.g. HVAC systems), to smart autonomous things (e.g., self-driving cars). The figure shows this classification with a rough sense of the types of cyber risk illustrated alongside.

Image courtesy of Nicholas D. Evans

There’s a new sheriff in town: Things are coming together

Fortunately, when it comes to building in security for the IoT early on, and by design, there are some promising signs. One example is the recent reference architecture published by the Industrial Internet Consortium or IIC. This extensive document “outlines key characteristics of Industrial Internet systems, various viewpoints that must be considered before deploying an Industrial Internet solution, and an analysis of key concerns for the Industrial Internet including security and privacy, interoperability, and connectivity.”

According to Stephen Mellor, the IIC’s chief technology officer, the IIC has been thinking about security right from the start. Its recently published Reference Architecture is intended to provide developers, engineers, systems integrators and organizations with a common vocabulary and a common approach to building and implementing IoT systems that are interoperable and secure. The group doesn’t develop standards, but focuses on collaboration and cooperation across the industry so that technology issues and gaps can be quickly identified and resolved.

According to Mellor, the group is also working on a specific framework for IoT security, which will be forthcoming. The idea is to take the security principles from the reference architecture, and add to them with further process and implementation guidance.

Another example of how security is being incorporated into an IoT vision from day one can be seen in the work of the German Industrie 4.0 Working Group focused on manufacturing. Its “Recommendations for implementing the strategic initiative INDUSTRIE 4.0,” published in April 2013, included safety and security as one of eight priority areas for action, with a further eight recommended actions specific to safety and security. Security by design was again highlighted as a key principle, as well as the development and implementation of IT security strategies, architectures and standards.

Of course, there are many other examples of industry players coming together to address the challenges and opportunities afforded by the IoT — and IoT security, in particular — and these are just two of the bright spots. For example, the Security Center of Excellence, operating out of the Harrisburg University Government Technology Institute, is also addressing these emerging topics and providing education to Government CISOs in the State of Pennsylvania.

Getting out alive: Success in IoT deployment

For organizations designing and implementing IoT solutions, the lessons are clear. First, have a clear sense of full spectrum of threat scenarios you may encounter — nothing is out of the question. As The Economist recently put it, you want to avoid the “Pay up or the fridge gets it” scenarios or worse.

Second, have a framework to help you understand the lay of the land, avoid the gunfights, and prospect in safety. Understand the threat intensity given your specific categories of IoT devices. The more controllable or autonomous your IoT devices, the higher the risk level, and you should also pay close attention to the massive amounts of data being collected by these systems.

Third, since cyber-criminals will enter your IoT ecosystem through any weak link in your defenses en route to their ultimate destination, including via counterfeit hardware in your supply chain, take a holistic approach to your cyber strategy and review the guidance and recommendations from the numerous consortia and organizations working in your field.

With these steps in mind, at least as your starting point as you head into the Wild West with your tools in hand, you’ll be well equipped to monetize your hard work in the years ahead.