To secure the Internet of things, assume failure

With billions of connected devices, each potentially vulnerable, you can't harden every endpoint -- so consider this practical security alternative

The Internet of things (IoT) is due to become reality sooner rather than later. Instead of a handful of Internet-connected devices in the average home, we might see dozens. From thermostats to refrigerators to water meters to hot water heaters, these devices will soon be transmitting data to and receiving data from sources on the Internet.

As we gear up for the onslaught of the IoT, Holger Reinhardt, Product Architect at Layer 7 Technologies, has some thoughts on how we tackle the seemingly herculean task of maintaining security across the billions of devices that will eventually have active Internet connectivity. -- Paul Venezia

How will we secure the Internet of things?

As major players in IT and manufacturing converge technologies, enterprises will face a growing challenge to assure the validity and security of the data they share in a world of interconnected devices.

As IoT promises to transform every industry, organizations need to look beyond securing every endpoint. Given that we're talking about billions of devices, it's inevitable that some, even many, will be hacked. While vulnerabilities in connected consumer products like Nike+, Fitbit, and baby monitors get most of the public attention, exploits in industrial systems are less talked about -- and have much more serious implications.

What can an organization do to mitigate the risk of vulnerabilities in embedded devices? There's plenty of passionate debate about which protocol or technology is more secure. It seems each week yet another company offers yet another end-to-end IoT security solution.

If the past is any indication, those discussions will be rendered moot by the sheer number of potentially connected endpoints and the human inclination to choose convenience over security. If you need evidence, recall that an overwhelming number of e-commerce sites are secured only through HTTP Basic Auth over server-side SSL. Or have a look at the most recent survey of the sorry state of password policies of leading cloud providers.

A practical perspective

I consider myself a realist when it comes to security. The only secure IoT product is a "thing" that is not connected to anything and has no user. Remember that it was a USB stick, not the Internet, that was used to breach physical network isolation in the Stuxnet case.  

We don't need yet another technology to tackle the security challenges of IoT. Instead, we should be looking at the way we design and build products. Have you ever known product designers, developers, or architects to do insecure things like store passwords in plaintext or use hard-coded passwords under the guise of convenience for users?

We should challenge ourselves to be creative and build reasonable, secure products that are easy to use. A good example for this secure-by-design approach is Apple's new fingerprint reader on the iPhone. Yes, it can be hacked like anything else -- but it's a big step up from using easy-to-guess passwords or no password at all (see this recent National Cyber Security Alliance/PayPal study, which finds that only one-third of users set a PIN on their phone). Its genius lies in making security inherent and pervasive.

There are well-known security best practices in existing technologies, which -- if applied consistently -- would eliminate or greatly reduce the vulnerability of connected things. Meaningful password settings, encrypted storage of personal information, using OAuth simple device profile or OpenID Connect rather than storing individual account information -- any of these would be a big step toward less vulnerable IoT.

Design with failure in mind

But no technology will ever stop a determined attack on any kind of system, especially in a massively distributed system like IoT. To deal with the risk of acting on compromised or manipulated data or unauthorized access, IoT systems should be designed with failure and breach in mind. Rather than pursuing (and promising) the impossible dream of secure endpoints, we should go with the best possible endpoint security and design critical decision-making processes to "trust but verify" through data correlation.

Credit card companies are a good example of that approach. While today's credit cards have some commonsense endpoint security features (such as chip or PIN entry), credit card companies are constrained by the fact that the use of the credit card cannot be too burdensome to its users. Instead, they rely on seamless strong authentication, risk analysis, and correlating user and past purchase data to detect fraud.

Consider the case of the Twitter incident back in the spring: A single compromised Twitter account caused the Dow Jones Index to fall by more than 100 points within minutes. Fast-forward to IoT and imagine that each Twitter account is a sensor (for instance, a smart meter) and tweets are the sensor readings. Further imagine that the stock market is the grid manager balancing electricity supply and demand. If we were to treat each data point from each smart meter as absolute truth, a potential attack on the smart meters could easily be used to manipulate the electrical grid and -- for instance -- cause the local transformer to blow up or trigger a regional blackout by creating a feedback loop.

IoT systems should be designed with the inherent assumption that data will get compromised or lost or corrupted. At the same time, they should not treat any endpoint as secure or any data set as a source of absolute truth.

Consider the source

What could a more resilient IoT system look like? It starts with realizing that not all data is created equal but has an inherent quality or weight inferred by the characteristics of the data source and how much it is trusted. Any algorithm using this data would need to not only take into account the literal data points but also to weigh the data based on the capabilities of its source, its identity, and the level of trust in its integrity. Think of it as "red-yellow-green" labeling of data as it is being received.
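The "trust but verify" decision process sketched in the last two sections (weight each reading by what is known about its source, then correlate it against its peers before acting) can be made concrete. The following is an added example, not code from the article or from Layer 7 Technologies; the source attributes (authenticated, attested firmware, recent anomaly count), the thresholds, and the meter readings are all constructed for illustration. It replays the smart-meter version of the Twitter incident: one meter whose endpoint looks perfectly healthy starts reporting a wildly inflated load, and the grid-side estimate stays sane only because no single data point is treated as absolute truth.

```python
"""Trust-weighted aggregation of smart-meter readings with peer correlation.

Each reading is labelled red/yellow/green at ingestion from what is known
about its source.  A decision process then (1) weights readings by that
label instead of treating each as absolute truth and (2) cross-checks every
reading against the consensus of its peers before it can influence a
control decision.  All source attributes and readings below are constructed
sample data, not real meters.
"""
from dataclasses import dataclass
from statistics import median

# Weight per trust label: "red" sources are recorded but never steer a decision.
TRUST_WEIGHT = {"green": 1.0, "yellow": 0.5, "red": 0.0}


@dataclass
class Source:
    source_id: str
    authenticated: bool      # reports carry a verified signature / mutual TLS
    attested_firmware: bool  # firmware hash matched a known-good value
    anomalies_last_24h: int  # prior disagreements with peers


def label_source(src: Source) -> str:
    """Red-yellow-green labelling inferred from the source's characteristics."""
    if not src.authenticated:
        return "red"
    if not src.attested_firmware or src.anomalies_last_24h > 0:
        return "yellow"
    return "green"


@dataclass
class Reading:
    source_id: str
    kwh: float
    trust: str  # label assigned when the reading was received


def correlate(readings, max_ratio=3.0):
    """Split readings into (accepted, flagged) by comparing each with its peers.

    A reading is flagged when it lies outside [median/max_ratio, median*max_ratio]
    of the other non-red readings, or when its own weight is zero.
    """
    accepted, flagged = [], []
    for r in readings:
        peers = [p.kwh for p in readings if p is not r and TRUST_WEIGHT[p.trust] > 0]
        if TRUST_WEIGHT[r.trust] == 0 or not peers:
            flagged.append(r)
            continue
        ref = median(peers)
        if ref > 0 and (r.kwh > ref * max_ratio or r.kwh < ref / max_ratio):
            flagged.append(r)
        else:
            accepted.append(r)
    return accepted, flagged


def weighted_demand(accepted):
    """Trust-weighted mean of accepted readings; None if nothing trustworthy is left."""
    total_w = sum(TRUST_WEIGHT[r.trust] for r in accepted)
    if total_w == 0:
        return None
    return sum(r.kwh * TRUST_WEIGHT[r.trust] for r in accepted) / total_w


# Constructed neighbourhood: five meters reporting one interval of consumption.
SOURCES = {
    "meter-1": Source("meter-1", True, True, 0),
    "meter-2": Source("meter-2", True, True, 2),   # disagreed with peers twice yesterday
    "meter-3": Source("meter-3", True, True, 0),   # endpoint looks healthy, but is compromised
    "meter-4": Source("meter-4", True, True, 0),
    "meter-5": Source("meter-5", False, True, 0),  # reports arrive without authentication
}
RAW_READINGS = [("meter-1", 1.2), ("meter-2", 1.0), ("meter-3", 500.0),
                ("meter-4", 1.4), ("meter-5", 1.1)]


def evaluate(sources, raw_readings, max_ratio=3.0):
    """Label, correlate and aggregate one batch of readings; returns a summary dict."""
    readings = [Reading(sid, kwh, label_source(sources[sid])) for sid, kwh in raw_readings]
    accepted, flagged = correlate(readings, max_ratio)
    return {
        "labels": {r.source_id: r.trust for r in readings},
        "flagged": [r.source_id for r in flagged],
        "estimate": weighted_demand(accepted),
        # What a naive "every data point is truth" design would act on.
        "naive_mean": sum(kwh for _, kwh in raw_readings) / len(raw_readings),
    }


if __name__ == "__main__":
    result = evaluate(SOURCES, RAW_READINGS)
    print("labels:      ", result["labels"])
    print("flagged:     ", result["flagged"])
    print("naive mean:  ", round(result["naive_mean"], 2), "kWh")
    print("trusted est.:", round(result["estimate"], 2), "kWh")
```

The point the run makes is that meter-3 is green by every endpoint check, so endpoint trust alone would have passed its 500 kWh spike straight into the balancing decision (the naive mean comes out above 100 kWh); only the peer correlation flags it, while the unauthenticated meter-5 is excluded by its label and the yellow meter-2 still contributes at half weight. In a real deployment the flagged list would feed back into `anomalies_last_24h`, so a source that keeps disagreeing with its neighbours loses trust over time.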

All the best practices and technologies needed to address these problems exist and can be applied today. It is a people (designer, developer, consumer) problem and a product design process problem -- not a technology problem.

What is stopping us from doing the right thing? Essentially, our legal processes have not caught up with technology. And they won't for as long as the lack of security merely inconveniences us rather than threatening us with loss of property -- or even life. By contrast, we're pretty good at applying security best practices in aviation because most serious problems with an aircraft in flight are inherently catastrophic. Let's hope the recent news of hackers accessing airplane flight control systems acts as a wake-up call for the industry.

Building connected products using existing technology with meaningful authentication, authorization and encryption settings is possible with little or no additional effort today. All it takes is the realization that security needs to be there by design and not by accident or afterthought.

New Tech Forum provides a means to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all enquiries to newtechforum@infoworld.com.

This article, "To secure the Internet of things, assume failure," was originally published at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
