The internet of things has drawn the attention of the White House and Congress amid growing concerns about the woeful state of IoT connected device security, most recently demonstrated when Mirai malware spread across botnets. Indeed, the lack of security in IoT devices portends a brave new world.
The concerns are warranted as the future of IoT presents millions of connected devices, each node gathering and storing its own individual data collections and sharing that information with other connected devices through wireless communication technology via the internet and the cloud. By infecting just one device and gaining unauthorized access to the network, a malicious actor can cause large-scale mayhem. Organizations must quickly figure out how to keep track of the IoT devices connected to their network and how to secure the transmission of data to and from those devices.
Challenge 1: Smart devices everywhere
Smart devices are appearing just about everywhere — homes, cars, workplaces — in fact the idea of “smart cities” exemplifies the broadening spectrum of IoT influence on not only business, but also society. One notable example is the Dubai Electricity and Water Authority’s (DEWA) plan to install over one million smart meters by 2020 across the city. DEWA CEO Al Tayer spoke at the organization’s Creativity Lab workshop in August and said, “DEWA contributes to building a smarter Dubai that uses integrated electronic data, connected with each other through IT systems and synchronized network[s] using the internet and cloud computing.”
Just as DEWA plans to use smart meters to enhance Dubai’s city functionality, organizations around the world are doing the same for their business by connecting even the most unexpected IoT devices to their network like smart wearables, smart printers or smart coffee makers. With countless IoT devices on the market already, keeping track of every single connected device and the data it’s transmitting can become a tedious task, especially because of the many ways devices can now connect to a wireless network. Wired networks are becoming increasingly outdated as wireless options make network connections simpler and more convenient for anyone who has access, including remote access to critical infrastructure.
IoT devices need to have some sort of attestation to help businesses ensure that the IoT devices connected to their network are authentic and their users’ credentials are verified. In the case of DEWA’s future plans for Dubai, what happens if the data traveling from one smart meter to the next is intercepted by another connected device without accredited credentials? It will be interesting to watch DEWA’s security efforts unfold, as it may provide a case study for other governments and organizations to follow.
Challenge 2: Smart device security
As Qualcomm’s executive chairman Paul Jacobs recently told Reuters, “It’s very important for IoT to make sure you have a way of securing and updating devices.” So, why is it not happening at the scale required?
As we saw recently, the infamous Mirai botnet, comprised of approximately 500,000 IoT devices worldwide, issued progressive DDoS attacks against Dyn network that limited access to major websites like Twitter, Reddit and Netflix. After that, it affected internet speed and access altogether in some parts of Liberia, and attackers even attempted to hit the campaign websites for presidential candidates Donald Trump and Hillary Clinton.
These types of intrusions have been happening for years. Back in 2008, an attack on a 1,099-mile-long Turkish oil pipeline was recorded as one of the most significant events to-date in the history of cyberwar. According to Bloomberg News, the attackers gained access to the operational controls of the pipeline’s oil pressure after exploiting vulnerabilities they found in the cameras’ communication software. From there they could manipulate the pressure, unbeknownst to operators, using the wireless operating system as a digital weapon to manipulate the pipeline into a disastrous oil bomb causing approximately “30,000 barrels of oil to spill in an area above a water aquifer.”
The ramifications for such attacks can be devastating; and in the case of the Turkish pipeline, the consequences “cost BP and its partner $5 million a day in transit tariffs during the closure.”
Unfortunately, these types of attacks are not slowing.
As data traverses large networks of interconnected devices, more can be done to protect data and authenticate the devices to shield them from unauthorized access. Since traditional network security perimeters may not apply for the IoT, we need to treat each device as its own network access point. public key infrastructure, or PKI, presents a scalable solution to address many of today’s IoT security challenges.
Solution: Public key infrastructure (PKI)
IoT deployments present a new challenge in providing unique identity for each device given the large numbers of connected devices currently, and the anticipated exponential growth. PKI addresses device identification and security with authentication, encryption and digital signing. Strong security requires unique credentials for each IoT device. PKI provides a scalable way to do this using cryptographically sound credentials that provide much better security than passwords. And, PKI solutions can be automated to meet IoT scale concerns as opposed to traditional device access control processes that are done manually. New approaches to PKI incorporate custom profiles and adaptive pricing models to match evolving use cases with efficiency.
PKI cryptographically complements identity management, giving organizations the ability to monitor their IoT devices and protect their data throughout the device lifecycle. Scalable certificate lifecycle management allows for device identity provisioning, credential rotation to keep authentication up-to-date, and revocation when a device is no longer needed or its user should not have further access. If devices show anomalies in performance, the PKI-based identity allows companies to identify such devices and take mitigatory action. PKI makes IoT security management easier and achievable.
Businesses need to prioritize so that connected devices have strong identity attestation, strong authentication (no passwords), and encryption to preserve system integrity. To make this goal a reality, thoughtful security design must begin during device development and manufacturing, and continue when companies deploy these connected devices within their networks. Ultimately, owner-controlled security using PKI may be the most important next step to secure IoT’s future.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.