Cybersecurity takes center stage
Each year, thousands of IoT vendors, experts, analysts, and researchers descend on the Santa Clara Convention Center in San Jose, California, for the IoT World conference. The 2018 conference was a four-day event that drew over 12,000 professionals, including over 450 individual speakers and 300 exhibitors. The conference focused on several prominent topics this year, ranging from the incorporation of Blockchain technologies in an effort to secure the IoT through the shared ledger to how automation and AI capabilities can be deployed to help effectively manage the enormous amounts of data produced by these devices. Although the application of these technologies spans every vertical market, the greatest threats have targeted critical infrastructure, most of which is reliant on outdated legacy systems.
Long time concerns are finally gaining visibility
IoT security took the forefront of the discussions at the conference early on. One of the primary themes throughout the entire conference was the growing awareness that IoT security is a matter of not just economic security but national security as well. Such vital security demands require a fundamental assurance surrounding the reliability of the entire critical infrastructure ecosystem. However, securing the ever-growing number of IoT devices, as well as the data they communicate, is a monumental task.
Challenges can hinder effective application
The Under Secretary of Commerce for Standards and Technology and Director at the National Institute for Science and Technology (NIST), Walter Copan, highlighted several key challenges when it comes to IoT cybersecurity. Specifically, Copan mentioned that these challenges are technology-based and relate to the substantive lack of standardized approaches to the implementation of security. Additionally, many challenges surround the development of new infrastructure in an effort to foster customer confidence and trust. These challenges are further complicated by the fact that IoT technology spans every NIST program, including materials and sensors development, standards, data, wireless communication, cybersecurity, etc. In an effort to address some of these issues, Copan directed attention to the Cybersecurity Framework Version 1.1 that NIST has developed, which seeks to address a wide range of complex cybersecurity issues that directly affect the IoT. By providing an updated framework to build from, NIST has provided some much-needed guidance in the absence of ubiquitous security standards.
Trusted relationships help foster client confidence
The lack of IoT cybersecurity standards was a continuing theme throughout the conference. Custom solutions for niche markets may provide the services needed to address a unique problem, but the lack of standards creates splinters in policies and practices that hackers will seek to exploit. As a result, trusted relationships can help bolster consumer confidence in the absence of such standards, as suggested by Senior Director of Marketing at Arm, Rhonda Dirvin. When devices are properly secured, that security helps bolster client confidence, which can help foster assurance for the massive scaling of IoT-connected devices expected in the coming years. Dirvin argued, “…understanding how to develop secure IoT devices and data throughout their lifecycle often feels like surviving the ‘Wild West’ due to inconsistent approaches and standards.” She endorsed establishing a secure root of trust as a communal industry-wide common practice that could ultimately lay the groundwork to develop a much-needed foundation of trust for the IoT domain. Dirvin displayed one of Arm’s recipes for just such a solution in its Platform Security Architecture, as well as some of its newly developed secure processors like the Cortex-M35, CryptoCell-312P, and CryptoIsland-300P.
Blockchain application could benefit the energy sector
Critical infrastructure systems remain the greatest targets for cybercriminals. As a result, innovative solutions to address these threats are being continuously researched. Ahmed Banafa, an IoT expert and Professor at San Jose State University, argued that the current problem with the IoT infrastructure is that it is highly centralized and therefore provides a single point of failure (SPOF) in the event of an attack. As a solution to this problem, Banafa promoted the implementation of Blockchain technologies to address many of the vulnerabilities present in current IoT security architectures. Blockchain technologies are public, secure, and decentralized, which can greatly reduce the possibility of a SPOF scenario. However, he recognized there are several hurdles facing the adoption of Blockchain in IoT, such as scalability, processing power and time, legal and compliance issues, as well as a shortage of skills and needed storage requirements. Lastly, Banafa suggested that AI could be utilized to address many of the current limitations of Blockchain implementation for IoT security, although he also recognized that AI faces some of the same limitations as Blockchain technology itself. Despite its relatively underdeveloped state, Blockchain technology could help provide comprehensive IoT security in the near future.
Strategic evolution is mandatory
Unfortunately, many organizational networks operate on outdated systems and technology that are unable to address the growing cyber threat. Mike Marcellin, Chief Marketing Officer for Juniper Networks, spoke about the need for the network itself to evolve as a platform. He argued there are three dimensions to this evolution: connectivity, security, and edge computing. Evolution of these networks is vital to combat an explosive increase in the rate of cybercrimes. Marcellin provided some intimidating statistics, including that 80% of black-hat hackers are affiliated with organized crime and that cybercrime would be an $8 trillion business by 2022. He recognized that public and private organizations face struggles that hinder their ability to fight back against such threats. Flat budgets, a shortage of skilled security personnel, and the growing complexity of managing disparate systems can hinder their efforts. Marcellin proposed the implementation of the Software-Defined Secure Network paradigm. This new paradigm will demand coordination of big data, machine learning, and automation technologies in order to effectively counter the evolving threat landscape.
Defense against “bears”
In an effort to provide context to IoT cybersecurity, ClearBlade CTO Aaron Allsbrook used the analogy of cyber criminals as bears to describe the process of proper security implementation at the IoT edge. Allsbrook argued that there are four primary principles behind a “bear chase.” To begin with, bears go for the easiest way to attain their goals, so organizations need to implement comprehensive security policies and practices to outrun the “bear.” Second, bears like tasty treats, so companies need to take greater measures to secure their sensitive and valuable assets. Third, bears are clever enough to circumvent many security measures, so threat models should be routinely reviewed to prevent an unexpected security compromise. Lastly, bears are tenacious in their efforts, so organizations need to look for ways they can continue to improve their security infrastructure. Such a process is dynamic and demands that policies and procedures be continuously reviewed to ensure they effectively counter modern threats.
Device identification is fundamental to security
One of the most difficult challenges to IoT security can be boiled down to one issue: visibility. Unless you are able to see exactly what devices are connected to your network, you are effectively blind to the vulnerabilities within. However, identification alone isn’t enough, as you need to ensure that each device on the network is authorized to be connected to its resources. Nisarg Desai, Director of Product Management of IoT at GlobalSign, highlighted a method of securing IoT by utilizing specific device certificate technology. For example, Desai described an IDevID (Initial Device Identifier) as a device birth certificate. The IDevID is a globally unique certificate, tied to both the manufacturer and the device, and is ultimately stored in a way that protects it from modification. Additionally, an LDevID (Locally Significant Device Identifier) is also a globally unique certificate, tied to an IDevID, that incorporates additional information specified by the device owner/operator to support local device authorization. Desai described the importance and value of incorporating PKI and Blockchain operators in an effort to respectively manage and record the identity of an IoT device. By providing a definitive method of identification to each device, the implementation of access control becomes far simpler to execute.
The authentication of things (AoT) as a solution
IoT visibility demands identification. But identification itself is limited without a means of verifying the identity provided in order to ensure device security. However, Harsh Patil, Senior Staff Research Engineer at LG Electronics Mobile Research, argued that in addition to securing these devices, ensuring user privacy also remains a primary concern. To address such concerns, Patil presented the concept of the authentication of things (AoT)—a suite of authentication and authorization protocols for the entire IoT device life cycle. Patil noted how the very foundation for any security solution relies on cryptographic keys in conjunction with various policy enforcement measures. The inherent problem with this method of security is that the algorithms themselves can be extremely resource intensive. In response to this problem, Patil promoted AoT as a method of security that “incorporates lightweight and side-channel attack protected cryptography while ensuring seamless interoperability.” Only once all devices are properly identified, authenticated, and authorized can network visibility be truly achieved.
Tried and true practices live on
Although there have been many solutions offered to address cybersecurity, those that have stood the test of time remain fundamental to any security strategy. Mike Ahmadi, Vice President of Transportation Security at DigiCert, insisted that the best strategy to address the evolution of security threats in IoT is to apply mature solutions to the problem. Echoing previous speakers, Ahmadi proposed that PKI, Secure Boot, and Roots of Trust need to be established and applied throughout the entire supply chain. Furthermore, he advocated Code Signing and Secure Updates as a means of ensuring the security of applications, as well as updating the software to address vulnerabilities as they are discovered. He emphasized that encryption practices are a cornerstone of information security, as is ensuring the integrity of the data by preventing unauthorized modifications. Lastly, Ahmadi argued that redundancy is needed in any security architecture and that a comprehensive recovery policy is a core component of such a strategy. Although these practices are not new in the realm of cybersecurity, it’s their limited application to IoT that has created many of the vulnerabilities exploited in recent years.
Reduce friction to increase security
Passwords have remained the bane of security professionals for years. They are so ubiquitous that the correct one for any respective service can be easily forgotten, creating critical challenges to any industry. This in and of itself can create substantial friction toward proper authentication. Patrice Slupowski, Vice President of Digital Innovation at Orange, argued that the future of digital identity must be strong, frictionless, and multi-factor in nature. Slupowski showcased Mobile Connect, Orange’s user authentication solution. Mobile Connect is designed to prevent fraud, reduce friction, improve the user experience, and reduce the cost of user authentication. By developing an Orange ID, users can securely verify their identities while automatically filling out online forms during the account creation process. By removing the requirement of the user to remember a password, the process of securely identifying and authenticating a user is streamlined, thus removing one enormous and common hurdle from the login process.
Retrofitting legacy system infrastructure
Legacy systems remain the most complex of problems when addressing IoT cybersecurity. Karl Bream, Vice President of Corporate IoT Strategy at Nokia, recognized the importance of securing the volume and velocity of data generated by these systems. However, he recognized the challenge industrial companies face today in their efforts to transition their mission-critical communication infrastructure to enable digital and automated operations. Bream argued that “Legacy networks were not engineered to support real-time communication of high-volume, bandwidth-hungry, latency-sensitive, critical data with the highest QoS.” The systematic transition necessary to equip these outdated systems with modern communication capabilities to meet these demands will be tedious. Reliance on these legacy systems is crucial, which demands that these systems be updated with capabilities that allow for effective monitoring and management. However, if a coherent security strategy is implemented from day one and followed throughout the entire transition, the process of securing the data within will be much less painful.
Unlike similar technology expos, the IoT was understandably at the forefront of IoT World. The conference delivered valuable insight and analysis and provided presenters with an opportunity to showcase the newest solutions, products, and services designed to help address the ever-growing threat landscape. However, when it comes to cybersecurity for the IoT, the ecosystem is in a perpetual state of flux. As more and more devices become connected, the threat landscape grows larger. Additionally, the lack of ubiquitous standards for applying cybersecurity to the IoT is one of many complications that will need to be addressed before truly comprehensive security strategies can be implemented. The demands for data security will continue to evolve and grow, ensuring that securing the IoT will remain a primary industry focal point for the foreseeable future.