For many IoT-related conferences, security is an ancillary or subordinate topic. It often takes a backseat to discussions surrounding breakthroughs in device application, functionality, or capability. However, during the annual IoT Security Summit, security discussions are granted center stage. This provides a unique opportunity for industry leaders, vendors, and analysts to dive deep into the security challenges being faced by the explosion of IoT technology. As adoption of the IoT is only expected to grow in the coming years, it’s vital that we stay ahead of the various threats such adoption will undoubtedly introduce.
The first presentation at the conference outlined the necessity for effective identification for IoT devices. Neha Kumar, product manager for Intertrust Technologies, argued that the complexity demanded by proper device identification is no longer limited to something as simple as a key or a certificate. These identities operate within complex security structures that rely on nuanced applications of the identity itself. Device identity is critical to any information ecosystem, as it is a fundamental component of comprehensive visibility and management. As a result, these identities have to be incorporated into the device from their initial development, and must be used across the entire lifecycle of the device, from cradle to grave.
Jeffrey Chavis, chief engineer at the Johns Hopkins University Applied Physics Laboratory, discussed how the capabilities present within machine learning technologies could be leveraged to assist in protecting the IoT. With the plethora of new devices entering the IoT, the threat landscape is growing every day. Chavis compared securing the IoT to an asymmetric fight on an asymmetric playing field. He argued that machine learning tools can aid in situational awareness with automation and analytics. However, Chavis cautioned that machine learning is not a silver bullet solution, as machine learning tools are not designed as a replacement for traditional tools. Machine learning has limitations to its capabilities, and is frequently being targeted by attackers, so effective implementation demands frequent re-assessment.
In a coordinated presentation, Craig Miller, senior director of product strategy at u-blox, and Christopher Schouten, senior director of product marketing at Kudelski Group, discussed the necessity of embedded security protections for IoT devices. The pair highlighted the complications that arise from trying to apply an IT approach to an IoT environment. Traditional cybersecurity approaches are limited to connected and cloud security, but leave gaps in the protection of physical IoT devices and their data. Embedded security provides solutions that are between 60 and 80 times cheaper than a fix after the fact. The pair further accentuated the importance of security for IoT devices from chip-to-cloud and cradle-to-grave.
KC Rakam, a Big Data specialist with Google Cloud, provided insight into the various security capabilities present in Google’s Cloud IoT Core. Rakam specified that despite the disparity between various devices within a business, each requires connectivity and effective management. Rakam highlighted how Google’s Cloud IoT Core solution provides a comprehensive platform hub with which to manage these various connected devices, while simultaneously using analytics to gain insight into an organization’s operations. The Cloud IoT Core platform operates on the MQ Telemetry Transport (MQTT) industry-standard communication protocol, and utilizes industry-standard security protocols as well, with an auto-managed infrastructure. As a result of these factors, the Cloud IoT Core platform seeks to provide a more turnkey style system implementation.
Joe Dawson, principal software security analyst for Intertek, outlined the risks posed by insecure IoT devices, as well as the challenges faced by device developers. Dawson spoke of the primary security issues posed by insecure devices. These include devices accessing personal information, individuals gaining unauthorized access to devices and their corresponding services, and compromised devices being the staging ground for various cyber-attacks. Frequently this takes the form of common problems like weak default passwords that are stored on the device in clear text. However, this can lead to even greater compromise if connected cloud services are also vulnerable.
Additionally, developers face unique challenges in working with disparate operating systems, utilizing unique device drivers, relying on common open source or third-party libraries, and being restricted to proprietary vendor code. Overall, the discussion revolved around how cybersecurity itself is a moving target, which demands both diligence and vigilance from vendors and customers alike. In response to this, Dawson highlighted some recent regulations developed to address IoT cybersecurity concerns, including California SB-327, UK Code of Practice for Consumer IoT Security, European Telecommunications Standards Institute (ETSI) TS 103 645, and the General Data Protection Regulation (GDPR).
Aswin Krishnan, COO of UberKnowledge, provided a discussion on the need for applying a security framework to mitigate risks associated with Smart Cities. Krishnan argued that smart cities are no longer an idea for the future, as the technology is already being implemented. Unlike traditional physical infrastructure, smart cities are reliant upon enormous pools of data generated by countless sensors embedded throughout the city. If this data (as well as the process by which it is stored and shared) is not protected, the financial and social costs to rectify a breach can be enormous.
In order to address these threats, Krishnan discussed an actionable AEIOU framework. (A) Armor is provided through comprehensive steps such as secure device development and patching, as well as device hardening and credential management. (E) Envelope is ensuring that the data is trustworthy and verifiable, protected from collection to transit, and securely stored and disposed of when necessary. (I) Intention is verifying that the device is performing as intended, and the average customer can understand its behavior. (O) Option is effectively mitigating the capabilities of the device, by allowing the customer to opt out of specific unnecessary functions. Lastly, (U) Ubiquity provides security by ensuring that the security principles in place are being enforced across all products and services.
Two BlackBerry colleagues, Jasmin Mulaosmanovic, product management director, and Richard Schaefer, senior enterprise solutions manager, provided insight into the recent endeavors that BlackBerry has made in order to bolster its presence within the IoT security market. The most prominent component of BlackBerry’s offerings has come in the form of BlackBerry Spark. BlackBerry Spark is an IoT-specific platform designed to incorporate secure connectivity from the kernel to the cloud. The pair mentioned how BlackBerry recognized the need to provide secure access to isolated Industrial IoT systems by both workers and external systems. Additionally, BlackBerry has made strides to promote not only secure communication efforts, but also the privacy that is essential for the success of smart cities.
Imran Hajimusa, senior consultant at Exponent, spoke about the exceptional dynamic in place between information security and privacy. While some have argued that security and privacy can be considered synonymous, Hajimusa outlined that there are in fact unique requirements for both. Hajimusa argued that even though a particular system may be deemed secure, such a system is not immune to a breach of privacy. He argued that the “use of personal data by an authorized entity for the purpose that it was NOT intended may result in violation of privacy laws.” For example, in the year since GDPR was instituted, enforcement has resulted in more than EUR 65 million in fines.
The reality is that human factors account for more than half of all breaches. Automation can help to address some of these concerns, but it is not a silver bullet solution. The combination of Artificial Intelligence (AI) and Human Factor Analytics can help promote privacy in addition to security. Additionally, Hajimusa addressed the Secure Inclusive Design (SID) efforts, which are upcoming regulatory changes seeking to incorporate Privacy of Things (PoT), Human Factors Analytics, and Machine Learning into secure data system considerations.
The conference closed out with a discussion led by Nils Gerhardt, senior vice president and chairman of the board at GlobalPlatform. This organization has sought to galvanize different industry initiatives surrounding IoT data protection into one consolidated, standardized, and structured security framework. Through this endeavor, GlobalPlatform seeks to ensure that a foundational root of trust is established for each IoT device. Gerhardt highlighted how the organization’s newest initiative, IoTopia, seeks to bolster this root of trust effort by providing specific guidelines and standards to help facilitate “secure by design” best practices. In addition to this program, GlobalPlatform provides certification services that help to promote the standardization of IoT security as a whole.
Cybersecurity is a fluid and dynamic environment, in a perpetual state of evolution. The incorporation of new technologies that introduce greater capabilities and functionality also brings new risks and threats to information security. This complication is increased exponentially with the sheer scope of the IoT and the multitude of devices utilizing disparate operating systems, communication methodologies, and hardware components. IoT security is finally being placed on the same stage as traditional cybersecurity demands. While the requirements that need to be met in order to address this ever-changing landscape are slowly being recognized, the future struggle will definitely be an uphill climb.