The Internet of Things (IoT) is putting autonomous computing devices and sensors on the internet at breakneck speed. With little or no planning for security, these devices present both opportunities and threats. The recent Symposium On Securing the IoT, the first entirely focused on security issues, attempted to address this gap.
The conference was held at the Crowne Plaza San Francisco Airport hotel for nearly 100 IoT and security researchers and professionals on March 5-7. But even before the conference close, planning was under way for an East Coast venue later this year and a followup U.S. IoT Security conference in 2019
This event was hosted by OATH, the Initiative for Open Authentication. OATH addresses the security challenges present in networked organizations by promoting standard, open technology that is available to all.
IoT systems and networks have many unique challenges for security. IoT devices have very limited computing, memory and power resources, unlike general computing.
Enterprises may field thousands of devices that have limited compute and power resources but need very long lifetimes, measured in years or decades. They often operate in harsh industrial environments. And they are very hard to replace or update.
But this may quickly change if we get to 20 billion, or more, devices on the internet by 2020 — and those estimates keep going up.
Don Malloy, chairperson, OATH, told Mission Critical Magazine that the idea for the IoT security conference “... started a number of years ago, when I saw that protecting all people from getting hacked was more important. Now we are starting to connect things and we see more and more devices are getting attacked with very few companies securing them.
“The Mirai attack a few years ago ... that really worked people up. I've seen lots of wearable and internet dolls and I ask vendors, “What type of security are you putting on it?” and they say “Well, it uses WiFi and its secure because it’s got a password.” Then they say, “This is a dumb device so it does't need a lot of security.” Of course that didn't stop the 2016 Mirai attack.”`
[Editor’s note: Mirai is malware that turns networked devices running Linux into remote controlled and misdirected “bots” that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices.]
“A lot of small companies, in their race to get something out, leave security to be an afterthought," Malloy said, “So they don't put security on. But designing it in at the beginning, that is the thing to do.”
The problem, he says, is the history of the internet and the fact it was built to be redundant so any packet finds a way to be routed to its destination. Security and privacy were never considered in the original design.
“When I look at the drive for secure IoT, and think about industrial side vs those of the consumer, industry really needs IoT security because that makes IoT devices simpler and more cost effective and brings businesses into real time. For the consumer it isn't live, or die but for a firm it will be,” said Malloy.
The conference topics included discussion on industrial verticals like medical devices and automotive systems but also the security impact of IoT devices and gateways on corporate networks, which was troubling.
In a first day session on parsing and comparing different IoT security frameworks, Mingliang Pei, CTO for IoT and Identity at Symantec, showed that the many current frameworks significantly overlap. But they also have different operational goals and so emphasize different aspects of data security and even privacy, depending on the use cases.
Pei reviewed several existing frameworks and compared them, including BITAG, OTA Trust, IoT Foundation, the GSMA IoT Security Guideline, and others.
Because of different Political and business drivers, there will be different frameworks, Pei said.
This leads to developing individual playbooks for individual situations.
“IoT security practitioners can leverage these frameworks in securing their IoT products and services,” Pei said. He recommended practitioners focus on a common core list that he summarized from several representative frameworks, and also to keep up date to the latest regulation development and technology proposals such as MUD in the IETF.
After the conference, Pei told Mission Critical, “This symposium was very successful in hosting many influential IoT security experts from a broad range of industry verticals. It is an important new IoT security conference that will benefit executives, technologists, and architects in taming ever growing IoT security concerns.”
Lan Jenson, CEO of Adaptable Security, pointed out that the adaption of digital infrastructure is proceeding at least five times the rate for electricity and the telephone. And there is a growing lag in legal and regulatory frameworks, she added. The NIST standards for IoT CyberSecurity were still in draft, she noted, at the time of the conference.
Adding to this, venture capital firms invested $3.1 billion in nearly 300 cyber security startups in 2016 alone, according to research firm CB Insights.
Later in the conference, Dr. Tao Zhang, IEEE Fellow and Distinguished Engineer at Cisco, told the audience, "For a long time we built firewalls and monitored access and we also tried to hide our assets.” He explained that this worked for a while, “But, eventually bad things happen."”
When we experience an attack now, Zhang said, "We can do little more than clean these systems and reinstate them."
Zhang hoped companies would be able to learn from attacks and mistakes and begin to prevent them. “Our firewalls will be less adequate over time. We need a scalable and trustworthy way to monitor and update devices but it’s hard to do both at the same time,” he said.
Zhang pointed out that drivers of cars cannot wait hours for the electronics and IoT devices on board to update. Cars — and other IoT systems — are not operated by security experts, he said, and they need to updated without delay.
Continuing on the theme of scale, Jennifer Gilberg, senior director of IoT Strategy or Intel, addressed the problems of initiating and updating IoT devices in scalable and economic ways
“If you can't automate on-boarding, you're going to have security issues,” Gilberg said. “Our vision is for any device to connect securely to any backend because if we don't solve the on-boarding problem, no one in the industry wins, and customers don't win.”
Rather than depend on highly skilled and more expensive technicians with security skills, Enterprises and OEMs need use existing industrial installers that simply add power and communications links to field devices for fast activation.
Intel, with many IoT partners, developed Intel Secure Device On-board (called Intel SDO), as a neutral on-boarding service with ecosystem connections to put IoT devices into service faster with the existing workforce. The SDO service uses Intel privacy and digital ID services, which use a silcon-based device identity to ensure device on-boarding and software provisioning updates are kept anonymous and secure.
Gilberg also said this approach eases the quiet but ongoing civil war between IT and operational technology (OT).
There was an early launch of SDO version 1 at the Barcelona IOT conference in October 2017. Gilberg noted that they are seeing mostly 32 bit processors, and very few 16 bit processors. Intel is now looking at ways to verify owners to devices for additional IoT security.
The historic vulnerabilities of IoT and recommended approaches were also discussed at the RSA Security Conference held recently in April. This link to a short podcast by
Chad Childers of Connected X Security summarizes the issues and approaches succinctly: https://bit.ly/2k7EHNE.
Childers notes that IoT communications should be primarily out-of-band but often aren’t. He also pointed out that the use of commodity hardware components allows for unanticipated future vulnerabilities when attacks surface for these common components. He recommended having an agile incident response team at the ready since unexpected attacks will continue to emerge. Even medieval castles had unexpected access points, he noted, referring to the beginning of his RSA talk.
Another concern raised at both security conferences was the future risk of analytics that can piece together multiple data sources to pierce the privacy veil
This new threat vector, shown by researchers at Princeton, uses non-secure sensors and data like barometric pressure and acceleration, with gyroscopes and magnetometers, to quickly determine someone's location and direction without GPS info. For example, an app called “PinMe” can find someone quickly when their GPS is turned explicitly off and location info is blocked. Advanced analytics can still quickly whittle down options and identify where someone is and where they are moving, or even which airport they landed at even if they are flying. Until all sensor data can be blocked on mobile phones, turning off a phone is the only way to protect it from PinMe and similar apps with analytics. The same vulnerabilities apply to unprotected IoT devices. See https://bit.ly/2rPNw2R.
Bruce Schneier, CTO at IBM Resilient, commented on PinMe, “This is a good example of how powerful synthesizing information from disparate data sources can be. We spend too much time worried about individual data collection systems, and not enough about analysis techniques of those systems.”
Malloy told Mission Critical Magazine that the East Coast conference will be held either in Boston, or near Research Triangle, in N.C. "I've had pull in both directions, but it will be in the Fall,” he said