In Part 1 of this series I gave a high level outline of the threats and vulnerabilities in today’s Internet of Things (IoT). In this post, I want to discuss a couple of existing solutions to this problem.
Why is it so hard? The IoT device is security’s biggest challenge because the device is always “in the wild”. In traditional IT Infrastructures, sensitive code and data remain safely behind sophisticated network security and within securely locked facilities. IoT devices though, cannot rely on these security features; we can no longer say “Well, if someone has gotten onto the server then you have bigger problems”, because with IoT devices, the risk and likelihood of access is very real.
We must take a holistic look at device security and consider all avenues of protection and remediation. It is not enough to simply try to secure communications and restrict virtual access to the device. We have to secure aspects of functionality traditionally protected at a much higher, and wider level. As an example, consider a temperature sensor – what if the temperature readout suddenly spikes 10 degrees? Is the change because someone tampered with the device or because the sun is now shining directly on it? Behavioral analytics and machine learning would help answer this question and allow for an alert to be sent if tampering is suspected.
Who is watching? The need for comprehensive solutions to the IoT security problem has not gone unnoticed. Companies such as Cisco, Symantec and digicert have published white papers discussing the dangers facing IoT and why we should all be worried. These papers also include analysis into the types of security that need to be implemented, and the limitations and challenges that will be faced. The offering of specific IoT solutions as an answer to these challenges though, is thus far inconsistent.
Cisco has published some thorough thoughts on the topic and point to their wide array of security products as potential solutions. Symantec has dedicated a large portion of their website to discussing IoT security in general, while their solutions are focused on two distinct IoT flavors: Automotive and Industrial Control Systems. Digicert is branching into three other areas: PKI Solutions, Healthcare IoT and Enterprise IoT, with the functionality being offered differing in each realm based on the deployment needs. IBM is taking a somewhat different approach by publishing an IoT library called Libsecurity. IBM wants application developers to take on the responsibility of security themselves via tools that can be used to bake security into their applications from the beginning.
Why are there no simple, packaged solutions suitable for all types of IoT? Each of the above, and all the other emerging solutions, solve only a small fraction of the problem because this is an area where there will be no silver bullet. The Internet of Things is a broad, all-encompassing term that is quickly becoming as overused and overloaded as “the Cloud”. Each company to enter into this space is defining what IoT means to them and then setting out to solve their definition of the problem. The challenge for the customer though is sifting through the different security offerings and trying to decide what is useful for them. From what I can tell, there is no one yet who can claim IoT security expertise and given what is available, I think it likely to remain a “Wild Wild West” market for some time.
In my next installment, I will take a dip into the technical realities of security IoT.