Information Security

Defending the digital infrastructure



Internet of Things security: Who is responsible and how is it done?

Securing the Internet of Things is almost too big a problem to think about. Who's responsible and how will they do it?

Advocates say the Internet of Things is a multitrillion dollar business opportunity, but it's also a potential disaster for privacy and safety. Before we connect everything around us to the Internet, we need to think about security.

Internet of Things security is difficult to discuss because the concept is so immense. When you make "everything" IP-connected, how do you lock all of that down? Cars, cows, oil rigs, medical devices, refrigerators. There is no perimeter that can encircle all of that.

"The challenge we have is that each of those areas is really pretty separate," said Bret Hartman, vice president and chief technology officer, Security and Government Group, Cisco. "The technologies working in those areas tend to focus specifically on their own area. It's not going to be one-size-fits-all for [Internet of Things] security."

Companies and individuals will also find that they lose a lot of control over where their data is and where it is going. When consumerization struck the enterprise, power and control over data and connectivity shifted from IT to the user. IT is still adapting to that shock. Now another shift is coming.

"Power is shifting from the user to machines," said Dipto Chakravarty, executive vice president of engineering and products at ThreatTrack Security Inc. "And when it shifts to machines, connectivity is the inverse to security. The more connectivity you have, the less security you have -- unless you can layer it in properly."

Internet of Things security: It's not easy

Locking down the so-called "things" on the Internet of Things is a daunting task because security takes computing power, and many things have only the bare minimum -- if that.

"Usually these endpoint devices aren't very big. They don't have a lot of compute power to do much, especially around security," Hartman said. "There are IP-addressable light bulbs. There's not a whole lot of processing power left in there for security."

Furthermore, wherever you have an IP-connected thing, you also have an operating system. Operating systems need to be patched. When they aren't, hackers find vulnerabilities. Botnets will find millions of new recruits in the form of zombie appliances and other "things."

These things are all communicating with each other, too. And they influence each other.

"How much is going to go wrong if someone hacks a cow's monitoring system?" asked Eric Hanselman, chief analyst for New York-based 451 Research. "It's all just passive data collection. It's not a big deal." But data about a cow's health might go to another "thing" on a farm that crunches that data and spits out new data. Then that data goes elsewhere, all across IP networks.

"These are typically paths that are poorly protected. The bigger problem is not so much the endpoints, but the fact that the data paths themselves create a new attack platform."

"What if your microwave was taken over and it kept telling your fridge to shut down?" said Chakravarty of ThreatTrack. "You wouldn't know there was something wrong with your microwave. The user is slowly stepping out of the equation. We may be carrying a phone, but it's not just a phone. It's a transmitter and receiver that can propagate information exactly like a router would on a network."

Internet of Things security: How do you do it?

Some engineers say network monitoring is the way to solve the problem.

"It's much more about using the network fabric to watch traffic across all these devices and limit [that traffic] where there appears to be some abuse or potential attack happening," Cisco's Hartman said. "In an industrial control system, you might change [a robot's] settings with a management console, but you wouldn't expect two robotic arms to reprogram each other. So you can look at that kind of traffic and say this shouldn't be happening. You can control and limit the traffic that goes among these [robots]."
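The kind of check Hartman describes can be expressed as a default-deny allowlist keyed on device roles rather than on individual addresses. The sketch below is an added example, not code from the article or from Cisco; the device names, roles, operations and flow records are all constructed for illustration.

```python
# Added example: role-based allowlist for device-to-device traffic.
# Device names, roles, operations and flows are constructed for illustration.
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str
    dst: str
    op: str  # operation observed on the network, e.g. "write_config"

# Inventory: the role each known device plays (hypothetical names).
ROLES = {
    "mgmt-console-1": "console",
    "arm-a": "robot_arm",
    "arm-b": "robot_arm",
    "historian": "collector",
}

# Default deny: only these (source role, destination role, operation) triples are expected.
ALLOWED = {
    ("console", "robot_arm", "write_config"),
    ("console", "robot_arm", "read_status"),
    ("robot_arm", "robot_arm", "sync_position"),
    ("robot_arm", "collector", "report_telemetry"),
}

def check_flow(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates policy, else None."""
    src_role = ROLES.get(flow.src)
    dst_role = ROLES.get(flow.dst)
    if src_role is None or dst_role is None:
        # A device missing from the inventory is itself a finding.
        unknown = flow.src if src_role is None else flow.dst
        return f"unknown device {unknown}"
    if (src_role, dst_role, flow.op) not in ALLOWED:
        return f"{src_role} -> {dst_role} may not {flow.op}"
    return None

def audit(flows):
    """Return (flow, reason) for every flow that should be limited or alerted on."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]

SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("mgmt-console-1", "arm-a", "write_config"),  # console changes settings
    Flow("arm-a", "arm-b", "sync_position"),          # expected peer traffic
    Flow("arm-a", "arm-b", "write_config"),           # one arm reprogramming another
    Flow("cam-7", "arm-b", "read_status"),            # device not in the inventory
    Flow("arm-b", "historian", "report_telemetry"),   # expected telemetry
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"LIMIT {flow.src} -> {flow.dst} [{flow.op}]: {reason}")
```

Keying the policy on roles keeps the rule set small as device counts grow: adding a third arm means one inventory entry, not a new set of rules.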

Internet of Things security will also require encryption key management infrastructure and identity management systems that can scale into the billions, said Earl Perkins, research vice president for Stamford, Conn.-based Gartner Inc.

"We'll have to figure out a way to protect data in an environment like this, whether it's on [an] Internet of Things 'thing' or in an intermediate location," he said. "We'll have to revamp the way we look at encryption key management and identity management. We'll have to combine capabilities from identity management and asset management, because [people] are going to become [their own] personal cloud networks. The Internet of Things that you carry on your person and that you have at home are like a cloud of devices that surround you. You have an identity and the things have identity, but how do you keep [up] with the relationships between you and the identity of those things?"

The Internet of Things will also require a sophisticated approach to risk management. Not all of the devices on the Internet of Things will be new. Organizations are strapping IP connections onto legacy devices and systems to extract data. Those legacy systems will pose a higher risk than something engineered from the ground up to be an IP endpoint.

"You need to add intelligence to be able to deal with the level of risk [presented] by these older types of data sources," 451 Research's Hanselman said.

Internet of Things security: Who owns the problem?

Clearly, there is a lot of work to be done in securing the Internet of Things. Before you even tackle the problem, you need to figure out who is responsible for it. Billions of new devices will start collecting and sharing data, and a wide assortment of companies will be enabling that. Who owns the problem?

"The issue is not clear at this point," Hanselman said. It's not even clear who would be held liable for damages associated with Internet of Things security breaches, he said. "If you look at the laws being handed down right now, the loss of privacy doesn't have an established value yet in the U.S."

The law is even murkier when it comes to liability for hacks of things that result in personal injury or real-world property damage, he said. For instance, the law is unclear about liability if someone hacks the braking system of a car, resulting in injury, damage or death. Is the car's manufacturer responsible for the security breach? "There will be case law that will establish this, but right now, they are out on a legal limb," Hanselman said.

In many cases, the manufacturers of the "things" on the Internet of Things won't be responsible for security. Instead, companies that provide the applications or connectivity will have to take charge.

"The problem of making sure the devices are secure will probably reside with those that provide a service through the device," Gartner's Perkins said. "It could be whoever is providing the application and service itself, or it might be the service provider that provides the network. It may be both. One of the big problems ahead of us is going to be the liability and legal implications of these devices running wild."

Let us know what you think about the story; email: Shamus McGillicuddy, news director or follow him on Twitter @ShamusTT


What worries you most about Internet of Things security?
The biggest problem facing us is that complexity is the enemy of
security. The more devices, the more data, the more complex things get
and the more insecure our networks become.

Here's what I see is going to have to happen at the basic level:
  1. Segmentation of networks according to purpose: The Internet of Refrigerators, The Internet of Automobiles, The Internet of Toasters, etc. IPv6 addressing can easily handle this. It will take adopting a standard.
  2. Endpoint OSes are going to have to be specialized according to the device type. Today's "do everything" approach simply won't cut it. You don't want your toaster, or your automobile for that matter, accessing your bank account. Limit access to only control and function commands. And don't allow devices to communicate in e-mail-like fashion.
  3. MFA of devices is an absolute must. For example, when installing a smart appliance like a refrigerator or toaster, require a pre-registered location by GPS coordinates and require possession of an RFID chip encoded with device serial number and locked to the registered GPS

The trick is going to be coming up with a simple way to accomplish these things.

I would add that none of these devices should be tied into any network where any sensitive information resides. These things should only be able to access information about similar types of devices. Even then, it's going to be risky and we will probably have to come up with a totally new security paradigm to address these devices.

Of course, there's no way to secure it in the context of modern IT paradigms. Since devices require constant patching/updates, and it's done through direct download, the doors are open.
I would submit this is best handled at the gateway/hub before exposing devices to the Internet. A "smart" gateway would control access and data exposed to controlled endpoints/apps. The gateway would control updates/patches to firmware. The gateway would store the data to configure and promote the privacy and security and likewise store who could change the configurations.
I am curious to see the role the SDN control and network programmability can play in securing the IoT at least from the perspective of access control in the beginning.
It just occurred to me that physical security will be a nightmare. If ranchers can't keep teenagers from tipping cows, how are they going to keep hackers from physically altering cow monitors in the middle of the night? :)
The rancher-hacker battle is just one of the situations that has likely not been considered by IoT enthusiasts. This will be nothing if not interesting. 
That's a damn good article intelligibly explaining the risks of IoT. Note that it mentions only examples with existing devices. Wait till things get worse with self-controlling devices, like so-called "self-driving" cars.
