Internet of So Much Stuff: Don't wanna be a security id-IoT
IoT is not the same as IT... normal infosec does not apply
Michael Dell, chairman and CEO of Dell Technologies, last month announced a $1bn investment in IoT R&D over the next three years.
What does $1bn buy you in IoT? A new IoT division, to be run by VMware’s CTO Ray O'Farrell, a bunch of new IoT-focussed projects including Project Iris, an under-wraps RSA security development, and some collaborations for things like processor accelerators to “increase the velocity of analytics closer to the edge.”
Dell talked a lot about the edge during its event - citing autonomous vehicles, factory automation and drones as examples of how computing is going back to the old distributed model again. In truth, Dell’s happy hunting ground. Nothing new here of course.
There are already plenty of examples from Dell, GE Digital and others showcasing the value of sensors and connected devices in making predictive analytics possible, for improving maintenance and support and keeping industry machines whirring for longer. Everything is connected.
Dell's money comes as Gartner has forecasted that 8.4 billion connected things will be in use worldwide in 2017, up 31 per cent from last year, and will reach 20.4 billion by 2020. Total spending on endpoints and services will reach almost $2 trillion in 2017. This is a huge market for vendors and typically they want to capture market share early – but at what cost to the longer term security of the technology?
Fear the reaper...
Daily, it seems, we receive reminders of the vulnerability of connecting so many disparate devices – currently around 20 billion, according to Statista. Claims by a number of security firms that the Reaper botnet is already compromising IoT devices in readiness for an attack on internet hardware and services are hard to ignore, although as yet unproven. It follows a number of high-profile IoT-related security breaches over the past couple of years, including the Mirai botnet attack last year, and there is clearly concern.
So how much of the $1bn is Dell pumping into security? O'Farrell will not be drawn on specific figures or percentages, saying “security will definitely be a priority area for investment." It would be mad if it wasn’t.
O’Farrell talked up Project Iris, using IoT operational and security analytics to profile devices, while baselining normal behaviour and detecting and alerting on anomalous activities and compromised devices. The aim, according to O’Farrell, is to: “Leverage machine learning and, with no requirement to change the edge devices, Iris can secure large deployments of sensors and actuators.”
Er, OK, but what about something tangible and cross-industry like IoT security standards?
John Moor, managing director of the IoT Security Foundation - an organisation born out of a Bletchley Park security summit in 2015 - reckons there’s a lot of confusion when it comes to standards in IoT. What we currently have is a lot of “suggestion and solutions, some useful, some not, some bewildering,” he tells The Reg.
You gotta have standards... do you, though? Do you really?
“As we’ve seen the Gold Rush towards IoT, many have made the comparison to the Wild West,” says Moor. “This then usually translates to a call for regulation – but we need to be careful we do not over-compensate. The scale and scope of IoT, together with the basic observation that ‘security is context dependent’ and therefore ‘no universal security solutions exist’ – means that ‘IoT security is a wicked challenge’.”
The call for standards is not surprising. We are faced with a barrage of IoT marketing at the moment but it’s surely built on sand. Do we have to rely on vendor-specific ecosystems to get any sort of security ‘guarantee’ or will we ever reach a point at which the marketing actually delivers viable products with recognised security standards?
O’Farrell seems to echo this need for solid standards.
“However, we believe that the true potential of IoT can only be unlocked when IoT is a complete, interdependent ecosystem, one in which connected things, infrastructure, artificial intelligence and machine learning will all come together to make things smarter,” he told The Reg.
Naturally, of course, Dell Technologies is that ecosystem as far as O’Farrell is concerned although GE Digital among others would argue otherwise.
Apple Mac vs PC all over again?
Does this, therefore, really help the IoT cause? Do we really have to accept that to have a relatively secure IoT infrastructure we need to back a particular horse and stick with it? It all seems a bit Apple Mac versus the PC all over again. However, while standards for interoperability exist, it is the security element that is still holding it all back. So, do we need more standards?
According to O’Farrell, Dell is working with policy makers and industry groups like OpenFog, IIC and others to ensure security is "top of mind when setting new industry standards." He cites the EdgeX Foundry, an open-source project to create a vendor-neutral IoT edge ecosystem.
"Participating in projects like this helps foster IoT innovation and manage risk more effectively, which are two of our main objectives," he says.
Moor, however, is not so sure we need more security standards. "Standards for interoperability are a good thing for market adoption but when it comes to standards for security however, it is a different picture," he says.
"A lot of standards, very good standards, already exist and our view is that we need to make better use of what we have. Is creating more standards the answer? Well, I recall a conversation I had when we were contemplating what should be done to address security challenges ‘pre-IoTSF’. I was speaking to a senior security professional from one of the big telecoms providers and he said to me: 'John, the great thing about standards is that there’s so many to choose from.' Too many standards are almost as bad as none."
The problem that a lot of people have is that IoT is something completely different and therefore requires different thinking when it comes to security. The additional problem is that vendors are already pushing products out into the field and at some point they will need re-engineering to cope with new security threats, or better still, ripped out and replaced. Who pays for this? Customers of course, in more ways than one.
"There is a growing awareness that IoT security is not like traditional cybersecurity," says Moor, "that IoT is not the same as IT and 'we can’t carry on like this'." He points to the recent proposed Cybersecurity Improvement Act 2017 in the US and the publication of the automotive cyber security principles for connected and autonomous cars in the UK, as political reactions to the industry’s fragmentation and confusion over IoT security. Politicians are clearly getting twitchy.
As if to drive home the point, in October, EU security and law enforcement agencies Europol and ENISA came together for a conference to discuss the issues of IoT security. Apart from saying a few obvious things, such as 'something needs to be done about it', the conference did come up with a European cup for cybersecurity inventions. Organised by the Spanish National Cybersecurity Institute INCIBE and with the support of ENISA, the European Cyber Security Challenge (ECSC) was to run in late October and early November.
What this will achieve is as yet uncertain. A chance to showcase skills perhaps. It seems a little off the mark and just adds to the overall confusion. Vendors and industries are surely better placed to make a call on what will and won’t work? Perhaps industry-specific security measures are needed to cope with the wide variety and varying use cases of connected devices and sensors?
"It is fair to say that since the Miller and Valasek Jeep hack in 2015, the automotive industry is moving en masse, to re-architect with security in mind," adds Moor, suggesting that it takes a good kicking to really get an industry thinking more productively about security.
IoT security challenges will be with us for the foreseeable future - hackers are agile and will move from exploit to exploit and from new opportunity to new opportunity as systems are connected and placed online.
It's not a lack of standards that's the root cause of the IoT problems of the recent past, present and future - it's a lack of both individual and co-ordinated action.
The challenge comes in making sure vendors uphold their duty of care and deliver fit-for-purpose security in products and services, in having vendors take responsibility and in making them accountable when things go wrong. It also means going beyond grand $1bn statements that win headlines and prioritise yet more product, but seem vague on the subject of security.
After all, if a children’s nurse gets it, the industry has no excuse. ®