In the tech community, you’ll be hard pressed to go a week without hearing the term “Internet of Things.” Advances in this area have already altered our lives and will continue to do so as more and more devices become connected. IoT has had huge implications for organizations and the general population, but what about the security of connected devices? Security is of the utmost importance, yet many myths surround IoT security. Below you’ll find a roundup of the top IoT security myths I hear regularly, and I’m here to help put them to rest.
10. “Tiny IoT devices don’t have power to do really powerful security.”
Even early-1980s-grade 8-bit, 8 MHz chips with only 2 KB of RAM can do elliptic curve cryptography with a 256-bit key length, which is effectively as strong as RSA with a 2,048-bit key length and strong enough for U.S. “Secret” level national security information. That crypto uses so little battery power that signing or verifying data on the hour, every hour, for twenty years would consume only a slice of an AA battery.
9. “Security is too complicated, especially in IoT. You can never win.”
It’s true that effective security never stems from any single silver bullet. Instead, just as most good houses need a few walls, a roof and a floor, effective IoT security can be composed from a short list of crucial ingredients:
- Good crypto to protect the authentication and potentially protect the confidentiality of data
- Cryptographic verification of any and all code and configuration before permitting the code to run with any configuration.
- Third-party runtime security by security professionals to mitigate any vulnerabilities in the code
- Over-the-air management capabilities, including update and software inventory management, telemetry and policy management for security agility
- Security analytics to find and fight sophisticated adversaries who don’t trip any alarms
These ingredients are simple and strong enough to protect top brands against the best attackers.
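As an added example (not code from the original post), the pure-Python ECDSA below ties myth 10 to the second ingredient above. The curve math is nothing more than 256-bit modular integer arithmetic, which is why small microcontrollers can run it, and a device can use exactly this operation to refuse any firmware image whose signature does not verify against the vendor’s public key before running it. The firmware bytes, the key pair and the `boot_if_verified` gate are constructed for this example; the curve constants are the published NIST P-256 parameters. On a real device you would use a vetted constant-time library and keep the vendor public key in protected storage; this block is for illustrating the mechanism.

```python
"""Pure-Python ECDSA over NIST P-256, used as a firmware signature gate.

Added example. The arithmetic is only modular integer math on 256-bit
values, which is what lets 8-bit MCUs sign and verify with modest RAM.
"""
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters, as published in FIPS 186-4
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def on_curve(pt):
    """True for the point at infinity (None) or an affine point on y^2 = x^3 + ax + b."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition (and doubling) on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1, so the sum is infinity
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope: doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope: addition
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication: returns k * pt."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Private scalar d in [1, N-1] and public point Q = d*G (constructed for the example)."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def _hash_int(msg):
    """SHA-256 of the message, reduced into the scalar field."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg):
    """ECDSA signature (r, s). The per-signature nonce k must be unpredictable."""
    z = _hash_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * d) % N
        if s != 0:
            return (r, s)


def verify(q, msg, sig):
    """ECDSA verification; rejects malformed signatures and off-curve public keys."""
    r, s = sig
    if q is None or not on_curve(q) or not (0 < r < N and 0 < s < N):
        return False
    z = _hash_int(msg)
    w = pow(s, -1, N)
    u1 = z * w % N
    u2 = r * w % N
    pt = point_add(scalar_mult(u1, G), scalar_mult(u2, q))
    return pt is not None and pt[0] % N == r


def boot_if_verified(vendor_pubkey, image, sig):
    """Hypothetical secure-boot gate: only an image with a valid signature is run."""
    return "RUN" if verify(vendor_pubkey, image, sig) else "HALT"


if __name__ == "__main__":
    priv, pub = keygen()
    firmware = b"constructed firmware image v1.0"   # constructed sample image
    signature = sign(priv, firmware)
    print(boot_if_verified(pub, firmware, signature))            # RUN
    print(boot_if_verified(pub, firmware + b"\x00", signature))  # HALT
```

The gate makes the "verify before you run anything" ingredient concrete: a single bit flipped in the image, or a signature made with any key other than the vendor’s, leaves the device halted rather than executing unverified code.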
8. “Can’t update these devices.”
Many devices are difficult to update, but almost none are impossible. Industrial systems are deployed for 19 years on average. Cars and medical equipment are similarly designed to last decades. Now, we see industrial equipment vendors issuing updates for multi-decade old equipment as businesses bank on the integrity of those devices. We see the same for medical equipment, ATMs, point-of-sale devices, retail kiosks and now even cars.
7. “Security is too expensive for the billions of devices we deploy.”
At scale, security often costs only dimes per connected device. For any connected device north of $20, that is entirely affordable, and it is reckless to jeopardize your brand by skipping or skimping on security. Some consequences are too expensive to risk when prevention is pocket change.
6. “We have air gaps, gateways & network segregation protecting us.”
Nearly all systems are connected in ways that their creators might not know about, but that attackers quite creatively find. This has been demonstrated repeatedly on military, intelligence and critical infrastructure systems, including, but not limited to, Stuxnet. Last year, an attack that damaged a steel mill blast furnace in Germany went straight through a gateway designed to protect the operational network from such attacks. Gateways help reduce risk, but on their own they do not provide adequate protection. Air gaps are not effective, and VLANs and other logical separation are even less so. For high-value systems, harden them from the inside and don’t gamble on gateways, air gaps and network segregation.
5. “Blockchain vs. PKI”
Blockchain is a great ledger system for recording transactions and for digital (and physical) objects to carry such ledgers as they go. Unfortunately, most people forget that the ledger-level core of a blockchain rests on a lower-level foundation of traditional cryptographic operations: each transaction is signed with conventional crypto libraries, keys and credentials. Bitcoin, for instance, uses elliptic curve crypto with 256-bit key strength, the same strength often advocated for IoT systems with or without blockchain-style ledger needs. Key management is the Achilles’ heel of most crypto-systems. That’s why more than a billion IoT devices already use the world’s most proven key management system: a Certificate Authority offering managed Public Key Infrastructure (PKI). Good PKI in the lower-level foundation makes the ledger-level core of a blockchain stronger. In other words, blockchain is at its best when it leverages good PKI.
4. “We just need vendors and standards groups to solve this faster.”
Vendors and standards groups are making progress, but that process takes time. Unless customers start asking for the types of security they need, such as the “ingredients” mentioned above, equipment vendors will continue selling equipment both without security and, more dangerously, with security as an adjective that doesn’t really measure up to adversaries.
3. “Ops teams running operational tech just need to learn from IT.”
IT vendors and staff have historically not been welcome in operational discussions, and for good reason. Operational constraints are far different from those of IT environments, and the consequences are far higher, often on radically different timescales. For better or worse, many technologies needed on the OT side have been used for years on the IT side. However, until IT vendors and staff learn to speak and appreciate OT language and culture, OT teams won’t have any confidence that the technologies have been selected and adapted appropriately for their environments. IT security has far too many tools in the tool chest for OT ops teams to manage. Picking the right tools and adapting them appropriately requires collaboration between IT and OT.
2. “Our systems are so obscure nobody can figure them out enough to do damage.”
Steel mills, water treatment plants, power grids, factories, power generation plants and countless other systems have been hacked as a result of that naïve belief.
1. “I can do it alone.”
History and recent headlines are littered with the shame of companies that attempted to manage security single-handedly. No one company — and no single vendor — can beat all the attackers by themselves. Defenders need to stick together. Hire professionals and be sure they have good partners in hardware, software and cloud computing, as well as in whatever is relevant to your particular vertical.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.