Tag Archives: Root of Trust

IoT Security – has to be Holistic

[published by the author on LinkedIn, December 19th 2016]communication-1439187_960_720

The Internet of Things is certainly getting a lot of media attention, particularly when cars, security cameras and retailers are compromised, in some cases resulting in significant financial exposure at worst and a simple DDoS at best.

However, this attention has caused significant focus to be applied to the device and its security. I was recently asked what is so different about IoT, devices have been calling home over dial up modems in the 1980’s to ask for help if they detected a fault, surely IoT is the same. It’s not, it’s very, very different.

Back in the dial-up days the device was a complex, single device and typically only reached home when in trouble or to report something has changed. The cost of the connection was significant so the communication only happened when it was needed.

The different premise of IoT is that there is now an inexpensive connection back to the host in such that its always connected. Now, rather than a remote device only making connection when it has something to say a device can stay connected and provide greater insight to is function. Furthermore, adding additional devices comes with a minimal delta in installation and connectivity costs. However, while many consider the few, say 10’s of devices the possibility of huge deployments comes with potentially significant operational costs.

The US Department of Energy; Energy, Efficiency & Renewable Energy report on the 2010 US Lighting Market (pub. January 2012) reports an average of 376 lamps per commercial building forming a total of around 2bn lamps, with some 44% being build using 4ft fluorescent T8’s. Bringing IoT into this arena and establishing daylight harvesting, air quality, humidity, temperature and room utilisation would significantly reduce the 349 TWh reported to be consumed annually.

If we take a tiny 1% share of the 5.5m sites reported that is nearly 21 million devices, providing a data stream back to the cloud for business logic and analytics to be applied and business decisions and operational decisions made. My point is that just the value of data harvesting (adjusting lux levels to accommodate sunlight & room use) brings huge business value and providers such as Ersúles and Enlighted are already installing compelling solutions. This is the real IoT, the bringing of IT business logic and analytics to the Operational Technology in such a way to deliver distributively new business models, models where you may subscribe to lux levels to save huge energy costs.

However, a recently viewed YouTube where a kettle was hacked and from that, using http://www.shodan.io (the world’s first search engine for Internet-connected devices) it was suggested that a whole city of smart kettles could be controlled. The advice given is to change the passwords, secure the web-server if there is one and switch off the WiFi access point. The pressure voiced to the consumer arena is to establish an “approved status” such as UL or the BS-kite to inform the consumer the device is deemed safe and secure, in fact a trusted device.

However, taking the commercial example, an estate of remote devices in the tens of thousands is not unimaginable, and taking the experience of the IT community of the past 30+ years, managing large numbers of remote devices is not at all easy. Managing different deployed hardware builds, different versions of platform, different applications variants, time-zones, and ensuring encryption, AV and security are maintained are all significant challenges.

Additionally, as the number of installed systems increases, the world of IoT is beginning to understand that while the telemetry data is enabling the exciting, disruptive business opportunity, the life-cycle of the remote device quickly becomes business critical. If the telemetry is bringing the business value (ie. leasing lux levels), then how to keep the lights on truly becomes a significant business issue. Furthermore, how can the device and channel of communications be kept secure, how can we know its a real device, how is the device operation maintained so the business critical telemetry, that the business has become dependant on, keeps flowing?

In the commercial arena, that of trains, planes, traffic management, commercial and public utilities, the belief is that the CISO and their IT team understand security and integrity, and hence it is not the big concern that has been seen already in the consumer space. However, with the scale of the devices heading quickly into the greater than huge, the scope of the challenge is not being fully considered.

Taking a very painful, and publicly reported example, where an IT department was in the team, along with the facilities team, is that of the US retailer Target. The hackers secured the data of some 30 million credit cards by gaining access to the HVAC and from there reaching the POS and deploying a modified application, or new binary image. The retailer is reported to now be potentially exposed to decades of fiscal uncertainty as 30 million lost data points are near impossible to control or contain.

As with a large deployed IT estate, the focus on the end device security has to be so much more than password strength, particularly as two factor authentication with the device is not really a viable option. Additional aspects such as trusted boot, signed executable binaries and device attestation over an encrypted channel to the cloud host would seem to be the table-stakes for any deployed IoT device, systems are out there than can help with all of that. In this instance, any personnel accessing the system (note: not the device specifically) would need to have two-factor authentication at the host and the communication only channelled through the encrypted channel to a target device who has managed previously to attest its security and integrity.

However, while the remote device security has now become the recent focus with the recent breaches fuelling more of the attention, there is a much larger “elephant in the room”, that of the systemic integrity.

The vision of connected health or connected/smart city or connected agriculture are exciting, yet taking the connected city that is likely connecting traffic management with underground (tube/subway) trains, bus, taxi, automated vehicles and vehicle parking to enable a traveller to be routed, probably via a mobile phone app, to their destination in an optimal, time/cost efficient way.

The travelling population will come to expect the integrated service. The multiple sources of telemetry coming from each subset would be brought together with the travellers information and travel history to dynamically build out the routing for individuals and groups with common needs. Furthermore, the inclusion of demand side energy management and commercials utilities would enable home and office heating and lighting to be part of travel plans. Yet, the security of the system will only be as strong as the weakest member, and a hacked system could bring a a city transport system to its knees or destroy the energy grid. The hacked security cameras originated DDoS impacting twitter, the POS records stolen via the HVAC, the Jeep that stopped are single telemetry sources under attack, what of the many?

The suppliers of technology to the Operational Technology (OT) world have significant experience in the challenges of device security and while well understood has just not been well implemented by many of the equipment manufacturers at this time. This is likely as the builders of the most vulnerable IoT systems mentioned have not considered these well known security challenges seen by traditional OT, perhaps as they simply leveraged maker platforms using a variant of Linux, or the IT folks they consulted traditionally left security to others to protect them, such as the AV, Malware and Firewall folks.

Yet IoT is not M2M, its not about a device talking back to a server, its about a mass of multiple telemetry sources bringing data to a business logic system that leverages analytics and intelligence to determine new, disruptive business models. This brings much greater planes of security vulnerability, and will demand a systemic, holistic approach to security.

Consider this, IT infrastructure security is very well understood, this likely makes “the cloud” a secure arena. Yet, when bitcoin appeared a line of trust needed to be established that allowed a software concept to be passed as a form of payment. The mechanism that enables bitcoin to function is a server data structure termed Blockchain, a standard, community defined line of trust that has attested integrity.

With multiples sources of telemetry being used to establish business outcomes, like Blockchain, the integrity and trust of the whole system needs to be maintained. A mechanism is needed that will ensure that when a business decision is executed by the system that every telemetry point used in that decision is attested for its integrity and is secure.

As we connect previously unconnected systems together, lighting, parking, rail, cars, planes, heating, passengers, etc. the attack surface for a security breach widens, potentially causing catastrophic outcomes for a Smart City, for instance. Forget securing the device, that is a tiny step, the next phase in IoT has to be a Blockchain like holistic system integrity such that the machines can be trusted to deliver the disruptive benefits that IoT eludes too.