Having spent a good part of the short and elusive British summer studying the inner workings of IoT security, I am now most delighted to be in a position to present on the findings of my research. The full report on the topic is accessible to Machina Research clients, but as always we have made some of the observations available to the wider audience in the form of the report abstract and the press release, and in the following I will be sharing even more of them with the TechTarget community.
For starters, I would dare to argue that “IoT security” as a term is almost an oxymoron. The security needs of a light bulb and, say, an industrial control system are, not too surprisingly, worlds apart, so it is somewhat unhelpful to put them under one huge umbrella. That, though, prompts the question whether “IoT,” as such, is also an oxymoron, which for an IoT analyst is a rather uncomfortable thing to ask, so it may be better if we don’t track that train of thought any further. Either way, given this backdrop, it should go without saying that the security needs in the internet of things are fundamentally application-specific and contextual.
As a consequence, any enterprise that is working on an IoT deployment should carefully assess the risks involved with conceivable security incidents, and then determine how much money it is willing to spend on minimizing and mitigating them. The results may vary by geography: for instance, the new GDPR framework in the European Union will inevitably alter the economics of IoT projects in Europe. The “right” level of security is seldom “as much as possible,” and quite often that right level simply can’t be achieved without prohibitively compromising the application’s user experience or its underlying business case. When the risks and the costs don’t align easily, the only choice is sometimes to scrap the project.
With this long-winded caveat against over-generalization in mind, let’s delve into a few technological enablers that could be realistically seen as the main building blocks for a more secure internet of things:
- Threat intelligence and analytics: Increasingly sophisticated threat intelligence, driven by big data, is largely seen in IT-centric cybersecurity as the key to protecting enterprises against the dreaded zero days, and this area holds a lot of promise in the IoT as well. In particular, this is interesting when it comes to industrial IoT. On one hand, IIoT applications tend to involve such a large number of possible combinations of different hardware and software elements, sourced from different suppliers, that understanding all of the possible security implications can be extremely difficult. On the other hand, once a machine-learning scheme has established a baseline for what counts as the application’s normal behavior, the robustness of its anomaly detection should be more reliable than is the case with applications whose behavior keeps changing more dynamically.
- Virtualization and hypervisors: Having already transformed app development and deployment in the traditional IT, virtualization will also be entering the IoT scene in earnest over the next couple of years. The hypervisor-based (i.e., full) virtualization techniques represent a game-changer especially from the security standpoint by allowing enterprises to isolate an application’s mission-critical and non-critical features from each other on a highly granular level. This, for instance, has the advantage of streamlining the burdensome equipment re-certifications, which are typically required if the code affecting a feature that the OEM has defined as critical to the device’s security and/or safety is changed in any way. The approach does not yet make IIoT exactly DevOps-savvy, but over time it can certainly help smoothen some of the friction related to the IT/OT convergence. Besides hypervisors, the Trusted Execution Environment, or TEE, is another isolation technique that will warrant extra attention, following its breakthrough in smartphone security.
- Fog computing and intelligent gateways: While most of the industry interest related to fog computing has to do with its potential for edge analytics, the technology concept has also a distinct security aspect to it. Particularly with IoT applications that comprise a high number of dispersed and resource-constrained endpoints, a sufficiently capable master node, such as an “intelligent” gateway, should be seen as an anchor for the less secure end devices that reside below it in the network topology. Distributing security capabilities to the network’s edge through IoT gateways enhances security in various ways — including e.g., identity and access management, device authentication, cryptography, threat intelligence and incident response.
- Blockchain and distributed ledger: While its terminologically more famous incarnation, the blockchain, is without a doubt overhyped in the IoT context, the distributed ledger is something to keep an eye on. In settings where the number of both end nodes and their transactions can be appropriately restricted, it could become the new norm for ensuring the integrity of data over the application lifecycle of complex IoT systems. The ledger model could, for example, prove valuable in securing deployments such as vehicles, assembly lines and weapons systems, by providing different software-defined system components with trust that none of the other components have been compromised. As such, it could be instrumental for the evolution of what we at Machina Research refer to as Subnets of Things.
In all four areas, the focus is mostly on securing enterprise IoT, yet elements of them can be expected to trickle down also into consumer IoT, where the security outlook, in general, is currently much less clear. On the enterprise side, the pros and cons of security tend to be fairly tangible, but it may eventually take a regulatory nudge or two — similar to GDPR — to improve the situation also in consumer-facing devices and services.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.