Searching for a path to IoT security

My conversation with an informed skeptic.


Since the properties are so intertwined, I encourage companies to develop good requirements and address security and privacy together. 

SN: That’s our third takeaway then -- companies must address security and privacy together while understanding that they are different but inseparable.

Practicing cybersecurity fundamentals

So our three findings for reaching that appropriate balance of risk vs. reward for IoT companies are:

  1. Be accountable to customers’ security needs even if they are not expectations.
  2. Practice system design fundamentals with good checks and balances.
  3. Develop in full awareness of user and functional needs for both security and privacy.

However, these are high-level principles, and we still suffer from whichever is the weakest link, so let’s conclude with specifics.  What are the fundamentals you advocate for good cybersecurity, i.e. good IoT security?

TC: The Federal Trade Commission identifies 5 basic business principles you should follow:

  1. Take stock. Know what personal information you have in your files and on your computers.
  2. Scale down. Keep only what you need for your business.
  3. Lock it. Protect the information that you keep.
  4. Pitch it. Properly dispose of what you no longer need.
  5. Plan ahead. Create a plan to respond to security incidents.

This is a great start.  Many companies start to screw up with #2, and instead collect and store as much information as they can.  That creates a liability for you, and can harm your customers.

SN: I think many readers will find #2 counter-intuitive in the IoT context where data is the objective and big data is the assumed pot of gold at the end of the road.  I think this is a tough one because I do not believe that we always know what data will be valuable and to what other data there might be correlations.  I know of one customer who kept all the raw data from an application where we had reduced the data to a single actionable number.  Two years later they discovered that there was another signal in the data stream and we were able to re-design the data filter to go back and re-calculate all the scores providing immediate validation of a completely new value proposition.

The other thing about good systems design that has particular importance in IoT development is that systems engineers have to be excellent “make vs. buy” decision makers.  Development in the IoT is more dependent on the ecosystem than any other product space today.  I would argue today that data transfer, ingestion, storage, and access are all “buy” decisions.  How do we make our system more secure with those decisions?

TC: With modern security architectures one can design a device to plug into a somewhat unclean network (power and computer) and make the device behave well (good privacy/confidentiality, integrity, availability, the latter limited by reliability of the network).  As soon as you put a cloud provider in there, however, you have to work harder.  If you're just using cloud storage, then you can still have all your Confidentiality-Integrity-Availability (CIA), as long as you build a solid crypto architecture, and never ever release the keys into the cloud.

If you want the cloud provider to also host processing, which means they have access to your customer's unencrypted data, now it is far more difficult.  If you can de-identify that data, which implies you have an expert statistician review your design, you might still be able to maintain some privacy on that data.  Engineers and managers typically overestimate the amount of effort it takes to piece clues together. That's what Big Data is all about, in fact.  De-identification will have to be done in your shop, on your machines, before that data goes to the cloud.  It includes masking IP and MAC addresses. 

SN: So even the “buy” decisions in IoT systems design require additional discipline, process, and policy to manage the security risk.

TC: Yes, just as it is for software code quality and safety.  Companies make choices about risk tolerance and how much they want to invest in development and operations.  Some are choosing quick profit over quality, sustainability, and long term brand.  The Deepwater Horizon report is an example of that sort of culture on a large scale, but it appears to be prevalent in this new flurry of IoT devices.

SN: Your last point may be true today, but it does not have to be the norm.  Indeed, Adventium has a new contract to help make sure that security, safety, and privacy continue to be the norm in medical devices.  I also know you are proud of the performance in these regards of the avionics industry as a whole.

TC: Yes, the aviation industry in particular has a phenomenal quality record.  In fact, 2015 would be hard to improve upon.  They’ve shown you can be regulated, profitable, and global while still achieving fantastic safety performance.

Regarding medical devices, DHS's Cyber Security Division (CSD) recently launched the Cyber Physical Systems Security (CPSSEC) program that aims to “build security into” emerging Cyber Physical System (CPS) designs. Adventium is developing a high-confidence cyber-physical architecture for medical devices.  Part of our motivation is that in the Twin Cities alone, we have hundreds of small medical device manufacturers.  They are great at identifying therapies to improve quality of life.  The average size of these companies is 50 or so people.  Rather than having hundreds of these companies all reinvent the wheel and figure out how to develop a secure platform, we will provide an open-source exemplar.  Security is a system property, so each device company will still have to make an argument to the FDA about the safety, efficacy, and security of their complete solution.  But this will provide them with a starting point and guidelines, so they can focus on their core competencies.

Following the path

TC: Security threats are always evolving.  The attackers are smart so they continue to improve their skills.  Technology must continue to advance to stay ahead of those attackers.  One key research area we are exploring is providing both safety (e.g., give positive control authority to a control systems operator) while remaining secure (not giving it to an attacker).  That’s a tough problem with no general solution in place yet.  But the basic stuff on those top 10 and 20 lists?  Yeah, the technology and processes are there.

SN: Thanks for helping define a path to better security through better security practices, Todd.  Hopefully these insights on designing for security in IoT applications will help designers create more balance in the marketplace, and the approaches described herein offer good fundamentals on how to meet customer expectations.  The continuous drumbeat of attacks, and the consequences thereof, is creating increasing expectations with both customers and shareholders.  I believe we will see many more systems designers and business leaders be accountable for the security of their IoT offerings in the near future.

We can’t afford to wait 10 years.

Copyright © 2016 IDG Communications, Inc.
