An unfortunate reality about IoT advances is that security has been a lagging concern. IoT security shares this with other emerging tech: Silicon Valley finds a new idea and rushes to advance it, and only later remembers to secure and protect it – after the exploits show up.
"The Internet of Things is suffering serious growing pains. The failure to include strong encryption in communications is largely due to two reasons: the lack of universal standards, and the rush to produce a minimum viable product," said Walter Paley, director of marketing at SafeLogic, an encryption company that covers IoT security.
"Without standards that all vendors conform to, IoT will continue to be duct-taped together and improvised, forcing early users to build a patchwork of products. It’s the old VHS versus Betamax argument, BluRay versus HD DVD. It doesn’t really matter which standard is adopted, as long as it is one or the other," he said.
The result is unsecured devices in the field. An example of this would be in the medical field. Manish Rai, vice president of marketing and product management for Great Bay Software, which specializes in endpoint security, says in today’s hospital there are 10 to 15 biomedical devices per bed and nearly half of them are connected to the network. The focus on these devices has traditionally been on patient safety rather than on security.
"Hackers are beginning to realize that the value of protected health information (PHI) is far more valuable than personally identifiable information (PII) and the weakness in the hospital network makes them a greater target than in the past. What makes this extremely dangerous for the patient is that the hacker is tampering with biomedical devices like infusion pumps, which can then become a life-threatening situation," he said.
For organizations to realize the full value of IoT, they must address security holistically, said Rai. "First, they need to physically secure IoT, especially sensors and smart meters that are out in the field. Second, they need to secure IoT connections. IoT connection security should provide the ability to easily identify, authenticate, onboard, segment, and monitor connected devices and then enforce access policies consistently and continuously. Finally, they need to secure data collected by IoT devices."
Everyone says secure the IoT network, but the issue is how. Julian Weinberger, director of systems engineering at NCP engineering, which specializes in remote network access, advocates machine-to-machine connections via VPN – perhaps not a surprising stance, considering his position.
"Comprehensive VPN software solutions fit easily into the existing infrastructure and require no additional hardware. Moreover, data traffic is secured at the device itself ensuring no unencrypted traffic ever leaves the machine," he noted in a blog post on IoT security.
There are three areas to take into account when setting up a VPN in such an environment:
• Connections – decide whether the application requires on-demand or always-on access as well as command line or API control.
• Authentication – secure authentication can be achieved by some form of software/hardware network certification.
• Centralized Management – a central way to remotely configure IoT devices, either via a system image or a software distribution rollout, patch and update software, scale VPN connectivity up or down, and manage authentication.
Network access control via the deployment of VPNs can significantly mitigate or totally eliminate IoT security threats. Without reliable VPN connections, IoT places machines in the network at risk of interruption or failure—resulting in downtime, lost revenue and even litigation. VPN software can easily scale up to managing and securing the connections of thousands of machines on the network and their interaction with the data center.
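The authentication and access-control points above come down to one mechanism: each device carries a certificate issued by the operator's own CA, and the gateway refuses any connection that does not chain to that CA. The following Go program is an added illustration of that, not code from NCP engineering or from the article: it builds a small constructed PKI (a fleet CA, a gateway certificate and a device certificate issued by that CA), then shows a mutually authenticated TLS session on loopback in which an onboarded device is admitted while a device presenting a self-signed certificate, or none at all, is rejected before any application data flows. The names (fleet-ca, gateway, pump-0042) and the loopback gateway are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a certificate for name. With parent == nil it is self-signed
// (used here for the fleet CA and for a rogue device); otherwise it is signed
// by parent, which is how onboarded devices and the gateway get their identity.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // short-lived: rotate centrally rather than renew by hand
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // the example gateway listens on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// asTLS pairs a certificate with its private key for use in a tls.Config.
func asTLS(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// connectDevice opens a mutually authenticated TLS session from a device to a
// gateway over loopback. The gateway only admits devices whose certificate
// chains to fleetCA and returns the authenticated device name; a device with
// no certificate, or one the fleet CA never issued, gets an error instead.
func connectDevice(fleetCA *x509.Certificate, gateway, device tls.Certificate) (string, error) {
	trust := x509.NewCertPool()
	trust.AddCert(fleetCA)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gateway},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the access-control decision lives here
		ClientCAs:    trust,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()

	type outcome struct {
		name string
		err  error
	}
	done := make(chan outcome, 1)
	go func() { // gateway side: accept one connection and report whom it authenticated
		conn, err := ln.Accept()
		if err != nil {
			done <- outcome{"", err}
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			done <- outcome{"", err}
			return
		}
		done <- outcome{tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil}
	}()

	clientCfg := &tls.Config{RootCAs: trust, MinVersion: tls.VersionTLS12} // the device verifies the gateway too
	if len(device.Certificate) > 0 {
		clientCfg.Certificates = []tls.Certificate{device}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	out := <-done
	return out.name, out.err
}

func main() {
	ca, caKey, _ := newCert("fleet-ca", true, nil, nil)
	gw, gwKey, _ := newCert("gateway", false, ca, caKey)
	dev, devKey, _ := newCert("pump-0042", false, ca, caKey)   // onboarded by the fleet CA
	rogue, rogueKey, _ := newCert("pump-0042", false, nil, nil) // same name, never onboarded
	for _, d := range []tls.Certificate{asTLS(dev, devKey), asTLS(rogue, rogueKey), {}} {
		name, err := connectDevice(ca, asTLS(gw, gwKey), d)
		fmt.Printf("authenticated=%q err=%v\n", name, err)
	}
}
```

Run with `go run`. The point of the rogue case is that a device claiming the same name is still refused: identity comes from the CA's signature on the certificate, not from anything the device says about itself, which is what makes the identify, authenticate and segment steps enforceable at the gateway.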
William Webb, an IEEE senior member and the CEO at Weightless SIG, a non-profit organization developing interconnectivity for IoT devices, said the problem isn't in the devices, since most are separate from each other. Smart washing machines and refrigerators, for example, don't provide access to other devices. It's the central servers and wireless access points that are the targets and where security needs to be deployed.
"Typically, end-servers are the weakest link," he said. "You don’t hack a smart car, the wireless range is pretty short and you'd have to drive around following the car to stay in range, which isn't practical. So you hack the server from the maker's head office and make it look like it came from the head office. The weakest spot is where the data is hosted."
Wireless networks are fairly secure, as are cellular networks. Both have strong protective algorithms around them to encrypt data from end to end. So a good wireless technology for IoT should have all that built in.
And the big players are doing their part. Microsoft, for example, has promised to add BitLocker encryption and Secure Boot technology to the Windows 10 IoT edition, the IoT version of its desktop operating system for devices and platforms such as the Raspberry Pi.
In Webb's experience, security is an afterthought because these IoT startups are more interested in getting a product out and proving the concept than securing it. "Some of these IoT systems haven’t given enough thought to securing the central server because it never crossed their mind that there would be issues in the first place," he said.
Webb thinks IoT should start out with proof of concept in areas of the least potential harm or interest, such as agriculture. "I would be inclined to start with things like agriculture, monitoring soil conditions or whether livestock are in the right area, so if someone does hack into it the downside is very slim with very little area of interest," he said.
The most critical are smart cars and health care, both of which have had their scares. Earlier this year hackers demonstrated how easy it was to hack a Jeep Cherokee, taking full control of the vehicle from miles away.
Those devices are interconnected and talk to each other, unlike other IoT devices, and they need to be secured. For that reason, Webb believes device makers in those markets will move onto the IoT more slowly, until security is worked out.
So what needs to be done? One change that's needed in IoT security is that many IoT devices can't be updated. These days, everything from a watch to a TV to a car can get a software update, but not some IoT devices. Two years ago, security expert Bruce Schneier pointed out this IoT security issue, and it has largely not changed. And given how bad consumers are at updating Windows, it should not fall to them to update all their IoT devices.
"Manufacturers should come up with a better solution for automatically updating software and firmware in a world of IoT devices that will be easily forgotten and running in the background," said Hank Thomas, chief operating officer for Strategic Cyber Ventures, a cloud security services provider. "It should not be left up to the consumer to do this as we move forward. There will simply be too many devices and consumers already don’t regularly perform these updates on their current devices."
Thomas said IoT manufacturers need to organize development teams to include skilled cybersecurity and cyber threat intelligence experts into every development cycle. "If done properly, you will find innovative security solutions to many security challenges that you don’t see today, mostly because current development teams don’t include security and intelligence expertise to help guide the process," he said.
Then there's the lack of code signing. Cesare Garlati, chief security strategist at the prpl Foundation, said the software in so many embedded devices contains what he calls "a potentially fatal original sin: it’s not signed. This means that an attacker could reverse engineer the code, modify it, reflash the firmware and reboot to execute arbitrary code."
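What closes Garlati's "original sin" is a bootloader or updater that refuses to write an image whose signature does not verify under the vendor's public key. The Go program below is an added example, not code from the prpl Foundation or any real vendor's update format: it defines a small constructed image layout (magic, version, length, body, Ed25519 signature), signs an image with the vendor's private key, which stays at the vendor, and then runs the check a device would perform with only the public key baked into ROM. A modified body, a foreign key and a validly signed but older image (rollback) are all rejected; the layout and the "FWIM" magic are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not any real vendor's format):
//   "FWIM" | uint32 version | uint32 body length | body | 64-byte Ed25519 signature
// The signature covers everything before it, so version and length cannot be
// edited without invalidating it.
var magic = []byte("FWIM")

const headerLen = 4 + 4 + 4

// packImage builds an image and signs it with the vendor's private key.
// That key exists only on the vendor's signing host, never on a device.
func packImage(version uint32, body []byte, vendorKey ed25519.PrivateKey) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.BigEndian, version) // writes to a bytes.Buffer cannot fail
	binary.Write(&buf, binary.BigEndian, uint32(len(body)))
	buf.Write(body)
	sig := ed25519.Sign(vendorKey, buf.Bytes())
	buf.Write(sig)
	return buf.Bytes()
}

// verifyImage is the check the bootloader or updater runs before touching flash.
// It needs only the vendor's public key and the version currently installed, and
// returns the version and body of an authentic, newer image or an error that
// must abort the update.
func verifyImage(img []byte, vendorPub ed25519.PublicKey, currentVersion uint32) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return 0, nil, errors.New("not a firmware image")
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := int(binary.BigEndian.Uint32(img[8:12]))
	if len(img) != headerLen+n+ed25519.SignatureSize {
		return 0, nil, errors.New("length field does not match image size")
	}
	signed, sig := img[:headerLen+n], img[headerLen+n:]
	// Verify the signature before trusting anything else in the image.
	if !ed25519.Verify(vendorPub, signed, sig) {
		return 0, nil, errors.New("signature invalid: image modified or not signed by the vendor")
	}
	// Anti-rollback: a genuine but older image must not replace a newer one,
	// otherwise a signed image with a known flaw could be reintroduced.
	if version <= currentVersion {
		return 0, nil, fmt.Errorf("rollback refused: image v%d, device runs v%d", version, currentVersion)
	}
	return version, signed[headerLen:], nil
}

func main() {
	vendorPub, vendorKey, _ := ed25519.GenerateKey(rand.Reader)
	img := packImage(2, []byte("constructed firmware body"), vendorKey)

	v, _, err := verifyImage(img, vendorPub, 1)
	fmt.Println("genuine image:", v, err)

	modified := append([]byte(nil), img...)
	modified[headerLen+2] ^= 0x01 // one byte of the body changed after the vendor signed it
	_, _, err = verifyImage(modified, vendorPub, 1)
	fmt.Println("modified image:", err)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, _, err = verifyImage(img, otherPub, 1)
	fmt.Println("wrong vendor key:", err)

	_, _, err = verifyImage(img, vendorPub, 2)
	fmt.Println("older image:", err)
}
```

Two design points matter in practice: the device holds only the public key, so compromising a device yields nothing that lets an attacker sign for the fleet, and the version check turns the same mechanism into protection against reflashing a genuine but vulnerable older build.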
Webb advocates a slow rollout, with the first products in fields where security doesn't matter much, like car park sensors and trash cans. Then IoT device creators can gradually introduce it in systems a little more mission critical.
"As we do that we will see some hacks. I don’t think there's anything out there that doesn’t get hacked," he said. "There will be consequences, hopefully no one will die. But out of that there will be a mix of solutions and standards that will fix those and increasingly make the system more and more robust. We’ll build up security and systems and have more and more defendable systems."