RSA Conference 2016: IoT Is Everywhere…So Are the Vulnerabilities 

Mar 01, 2016 12:38 PM


One of the hottest topics at the RSA Conference in San Francisco this week was the proliferation of the Internet of Things (IoT) and the astounding exposure that billions of connected devices bring. They are everywhere in our lives, from step trackers, smart TVs and Hello Barbies that record conversations, to automobiles and key infrastructure such as power plants and bridges. All of them have been exploited, have invaded our privacy, or are vulnerable to being hacked, sometimes with devastating consequences.

There were fourteen IoT panels and presentations, an IoT Sandbox, and a half-day seminar, Securing the IoT with Trusted Computing, bringing together thought leaders from computing, hardware, services, and government to “wrap their arms around this massive amount of data.”

Defusing the IoT Time Bomb

Wednesday’s panel, Defusing the IoT Time Bomb—Security and Privacy Trust Code of Conduct, conducted by the Online Trust Alliance (OTA), included panelists Harvey Anderson, Chief Privacy Officer of AVG Technologies; Paul Plofchan, Chief Privacy Officer of ADT; and Symantec’s Brian Witten, Senior Director, IoT.

The panelists are all leading members of OTA, a multi-stakeholder working group that is creating a Code of Conduct and a foundation for certification, with 30 principles addressing security, privacy and sustainability from purchase to end of life. Their focus is connected home environments and personal devices.

There are billions of connected devices collecting an incredible volume of data. By 2020, the estimates range from 20 billion to 50 billion devices in the ecosystem. What concerns the OTA is today’s “highly personal, dynamic, persistent data collection” and what happens to that data down the road.

One approach is to control the data ecosystem from the device side. “Over the last few years, we’ve been working with a couple of hundred partners to embed security in over a billion devices now, and also published a vendor-neutral IoT security reference architecture,” said Brian Witten about Symantec’s initiatives in the IoT space.

Every panelist saw the issue as being consumer-driven, as well. “Trust is the fundamental currency we’re playing with,” said ADT’s Paul Plofchan.

They agreed that minimizing the amount of data that gets shared online is best practice:

  • If your company collects any data, you’re in the data business
  • Minimize your data—only share online what’s necessary
  • Utilize proximal networks to lessen what gets pushed to the cloud

The full draft of all thirty principles of the Trust Framework is posted on OTA’s website here.

From Recording Dolls to Hijacked Power Plants

Opportunities and Challenges to Securing The Internet of Things covered “the explosion of connectivity: anything and everything that is connected,” from wearable devices to the Ukrainian power grid crippled by a cyber attack.

The panelists were Suzanne Spaulding, Under Secretary for the National Protection and Programs Directorate (NPPD), U.S. Department of Homeland Security; Joe Sturonas, Chief Technology Officer, PKWARE; and Symantec’s Jeff Greene, Director of Government Affairs for North America and Senior Policy Counsel.

The moderator Michael Kaiser, Executive Director of the National Cyber Security Alliance asked, “What does a safe, secure, trusted IoT look like?” 

Suzanne Spaulding issued a challenge:

“It reminds me of how the Internet was built. Clearly, it was built without security in mind and we bemoan that all the time…My challenge to the creative and innovative people in the room and at this conference and around the country is: Think about that as if we were building a new Internet. How can we do it in a way that makes those 50 billion devices more secure, but also makes the entire Internet more secure?”

Most sobering were the concerns on the industrial and critical infrastructure side. With the attack on Ukraine’s power grid last December 23, critical infrastructure was disabled by a cyber attack for the first time, leaving roughly 225,000 customers without power. “This is no longer academic…we have now crossed the Rubicon,” said Ms. Spaulding, noting that service was only restored because operators could fall back on manual, physically redundant controls.

Jeff Greene cautioned: “First, they [the Ukrainians] had strong protection and segmented networks, and the attack still got in. Secondly, in the US, most physical redundant systems are gone.”

It wasn’t all gloom and doom, with Jeff ending the session on a positive note:

“Most all of us can be extremely safe online, in our shopping, in our devices, if we take the basic precautions…Everyone has the ability through basic security steps, whether it’s password management, patch management, multi-factor authentication—actually using the security you’ve probably already paid for on your computer and not just shutting it down. You will make yourself a hard target…When we are all doing that, we are winning.”

Baking In Device Security For Dimes, Not Dollars

In Tactical Survival Tips for Building and Leveraging Internet of Things (IoT) Systems, Brian Witten dove into “building serious security into constrained devices.”

In the past, security updates were delivered by disk or downloads, but with IoT devices, security must be integrated by design to be effective. In the face of fragmentation through dozens of operating systems, thousands of protocols, and a wide variety of chipsets in use, the task is daunting.

But considering the life cycles of these devices—up to 19 years for industrial systems and 11 years for cars, for instance—being able to maintain their integrity over that span is essential. “Building it right—once” means designing in an update path from the start; delivering small, granular update images (on the order of 40 KB rather than a full firmware replacement) keeps that path cost-effective at scale and within reach of constrained devices.

Brian outlined how to do so with the Four Cornerstones of IoT Security for makers, builders and vendors of IoT things:

  • Protect your devices; high assurance boot + runtime protection
  • Protect communications; design in strong authentication mechanisms
  • Manage your devices; build in update mechanisms for granular updates
  • Understand your system; leverage analytics to catch strategic threats
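To make the first and third cornerstones concrete, here is an added example (written for this page, not Symantec’s reference architecture or any product code) of the check a constrained device would run before accepting a granular update image and again at boot: verify the vendor’s Ed25519 signature over a small manifest, refuse any version that is not newer than the one installed (anti-rollback), and only then bind the image bytes to the manifest through its SHA-256 hash. The manifest layout, the sample image bytes and the version numbers are constructed for illustration; the public key and installed version are assumed to live in one-time-programmable or otherwise tamper-resistant storage on a real device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical header shipped ahead of each small update
// image. Only the manifest is signed; the image is bound to it by Digest,
// so the signature covers the image without signing every chunk separately.
type Manifest struct {
	Version uint32   // monotonic counter, used for anti-rollback
	Digest  [32]byte // SHA-256 of the image bytes
}

// Encode serialises the manifest deterministically so that the vendor's
// signer and the device's verifier operate on exactly the same bytes.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// SignUpdate is the vendor-side step, run once per image in the build pipeline.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version not newer than installed version")
	ErrImageHash    = errors.New("image hash does not match signed manifest")
)

// VerifyUpdate is the device-side check, run before an image is written to
// flash and repeated by the boot loader before the image is executed.
// pub is the vendor key burned into the device; installed is the version
// currently running, kept in tamper-resistant storage.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	// 1. Authenticate the manifest first; nothing inside it is trusted until then.
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: a validly signed but older image would reintroduce fixed bugs.
	if m.Version <= installed {
		return ErrRollback
	}
	// 3. Bind the actual image bytes to the signed manifest.
	got := sha256.Sum256(image)
	if !bytes.Equal(got[:], m.Digest[:]) {
		return ErrImageHash
	}
	return nil
}

func main() {
	// Vendor key pair (in practice the private half never leaves the build system).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed 40K-class update image for a constrained device")
	installed := uint32(1)

	m, sig := SignUpdate(priv, 2, image)
	fmt.Println("genuine v2 image:", VerifyUpdate(pub, installed, m, sig, image))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image:  ", VerifyUpdate(pub, installed, m, sig, tampered))

	// Replaying the same signed image after it has been installed must fail.
	fmt.Println("replayed v2:     ", VerifyUpdate(pub, 2, m, sig, image))

	// Editing the manifest without the private key breaks the signature.
	forged := m
	forged.Version = 99
	fmt.Println("forged manifest: ", VerifyUpdate(pub, installed, forged, sig, image))
}
```

Because the signature is checked before the version and the version before the image hash, an attacker who can only replay or corrupt traffic never gets past step 1, and a legitimately signed but stale image never gets past step 2; the device does the expensive hash of the image only for candidates that have already earned it.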

Read a case study about building comprehensive security into cars here.

Although some of the experts feel we’re in the Wild West of the IoT, the overall sense is that opportunities abound to get this right, and to protect ourselves through basic security hygiene, too.

As Jeff Greene said:

“Cyber criminals are changing, they’re evolving. But they’re not doing it because they want to; they’re doing it because they have to. They didn’t get into crime to work hard. If the old exploits were working, they would just keep using them….Think about it as impacting the business model of the criminal.”
