
CA Security

3 Posts authored by: Joann Kent Employee

In part 2 of this series I touched on some of the challenges involved in protecting IoT devices and what products currently exist that attempt to fill the security gaps.  In this entry I will dive deeper into the technical side of IoT Security.

Regardless of functionality, the security challenges that these devices face can be categorized into the following vulnerability layers:

Layers

Communication – Securing communications to and from the device.  Dynamic data encryption in the form of TLS is the industry standard, likely to remain in use for some time, and is easily implementable.  The technical challenge here is in protecting the artifacts required to ensure that the encryption remains secure; namely private keys.   There are existing solutions that can be deployed but it is crucial, in this and in all other layers, to remember that storage and runtime space on the device will likely be extremely limited.  As an example, the Raspberry Pi Compute Module is a prototyping kit intended for industrial applications and contains 512MB of RAM and 4GB of flash storage.  How many CA products can run under those limitations?  The range of memory and storage will vary depending on the device functionality, but the variance will likely not be that great.

Access – Securing and controlling remote access to the device.  Fundamental to all security systems is determining and enforcing who can and cannot gain access.  This functionality is well understood and implemented in the web-space, which should translate well into IoT.

Execution – Securing and controlling code execution on the device.  Unmonitored devices are ripe for use in all sorts of virus and bot attack schemes; securing and verifying what code can run, and when, is vital.

Data – Securing any data, especially Personally Identifiable Information (PII), on the device.  Due to storage constraints, very few devices will actually contain data that requires protection, but it may happen. When it does, this data must be properly handled and protected.

Physicality – Controlling, evaluating and monitoring the physical realities of the device.  This aspect of an IoT device is tricky.  Consider the previous example of a temperature sensor.  What if there is a sudden spike or dip in a reading?  How would the device monitor be able to tell if the change is due to the movement of the sun or an attack on the device?  Securing the device physically is the concern of the device owner; however, we should provide tools such as data analytics and machine learning to aid in determining the legitimacy of a device's readings and in detecting and reacting to potential attacks.

Properly protecting IoT devices will certainly be a challenge; however, one advantage we have is that we will be able to build on our own understanding of cybersecurity.  While existing products may or may not be sufficient to the task, existing knowledge and understanding will take us a long way. 

My next post will look at the market landscape for security within the Internet of Things.

In Part 1 of this series I gave a high-level outline of the threats and vulnerabilities in today’s Internet of Things (IoT).  In this post, I want to discuss a couple of existing solutions to this problem.

Why is it so hard?  The IoT device is security’s biggest challenge because the device is always “in the wild”.  In traditional IT Infrastructures, sensitive code and data remain safely behind sophisticated network security and within securely locked facilities.  IoT devices though, cannot rely on these security features; we can no longer say “Well, if someone has gotten onto the server then you have bigger problems”, because with IoT devices, the risk and likelihood of access is very real.

We must take a holistic look at device security and consider all avenues of protection and remediation.  It is not enough to simply try to secure communications and restrict virtual access to the device.  We have to secure aspects of functionality traditionally protected at a much higher, and wider level.  As an example, consider a temperature sensor – what if the temperature readout suddenly spikes 10 degrees?  Is the change because someone tampered with the device or because the sun is now shining directly on it?  Behavioral analytics and machine learning would help answer this question and allow for an alert to be sent if tampering is suspected.
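The temperature-sensor question raised here, and again under the Physicality layer, can be framed as a small baseline check; the following is an added example, not code from the original posts or from any product they mention. It assumes the monitor keeps two histories per device (readings seen at the same hour on earlier days, and recent sample-to-sample changes); the thresholds, names and all sample data are constructed for illustration.

```python
from statistics import median

Z_LIMIT = 3.5     # assumed cut-off for the modified z-score
MIN_SCALE = 0.05  # assumed sensor resolution (degrees); avoids division by zero

def robust_z(value, sample):
    """Modified z-score: distance from the median in units of scaled MAD."""
    med = median(sample)
    mad = median([abs(x - med) for x in sample])
    return (value - med) / max(1.4826 * mad, MIN_SCALE)

def classify(reading, previous, same_hour_history, step_history):
    """Return 'expected', 'drift' or 'alert' for one new reading.

    expected: the level is usual for this time of day (e.g. the daily sun peak)
    drift:    unusual level, but reached in ordinary-sized steps (log and watch)
    alert:    unusual level reached in an unusual jump (possible tampering or fault)
    """
    level_z = robust_z(reading, same_hour_history)
    step_z = robust_z(reading - previous, step_history)
    if abs(level_z) <= Z_LIMIT:
        return "expected"
    if abs(step_z) <= Z_LIMIT:
        return "drift"
    return "alert"

# Constructed sample data (degrees): readings seen at this hour on earlier days,
# and recent sample-to-sample changes for the same device.
AFTERNOON = [30.1, 29.8, 30.5, 31.0, 30.2, 29.9, 30.7]   # sun on the sensor
NIGHT = [20.1, 19.8, 20.3, 20.0, 19.9, 20.2, 20.1]
STEPS = [0.1, -0.1, 0.2, 0.0, 0.1, -0.2, 0.3, 0.1, 0.0, -0.1]

if __name__ == "__main__":
    # The same 10-degree jump, judged against two different baselines.
    print(classify(30.4, 20.4, AFTERNOON, STEPS))  # seen every afternoon
    print(classify(30.0, 20.0, NIGHT, STEPS))      # never seen at night
    print(classify(22.0, 21.8, NIGHT, STEPS))      # slow climb above baseline
```

The point of the two baselines is that a 10-degree jump alone is not enough to decide; the alert depends on whether that level has been seen before at that time of day.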

Who is watching?  The need for comprehensive solutions to the IoT security problem has not gone unnoticed.  Companies such as Cisco, Symantec and DigiCert have published white papers discussing the dangers facing IoT and why we should all be worried.  These papers also include analysis of the types of security that need to be implemented, and the limitations and challenges that will be faced.  The offering of specific IoT solutions as an answer to these challenges, though, is thus far inconsistent.

Cisco has published some thorough thoughts on the topic and points to its wide array of security products as potential solutions.  Symantec has dedicated a large portion of its website to discussing IoT security in general, while its solutions are focused on two distinct IoT flavors:  Automotive and Industrial Control Systems.  DigiCert is branching into three other areas:  PKI Solutions, Healthcare IoT and Enterprise IoT, with the functionality being offered differing in each realm based on the deployment needs.  IBM is taking a somewhat different approach by publishing an IoT library called Libsecurity.  IBM wants application developers to take on the responsibility of security themselves via tools that can be used to bake security into their applications from the beginning.

Why are there no simple, packaged solutions suitable for all types of IoT?  Each of the above, and all the other emerging solutions, solve only a small fraction of the problem because this is an area where there will be no silver bullet.  The Internet of Things is a broad, all-encompassing term that is quickly becoming as overused and overloaded as “the Cloud”.  Each company to enter into this space is defining what IoT means to them and then setting out to solve their definition of the problem.  The challenge for the customer though is sifting through the different security offerings and trying to decide what is useful for them.  From what I can tell, there is no one yet who can claim IoT security expertise and given what is available, I think it likely to remain a “Wild Wild West” market for some time.

In my next installment, I will take a dip into the technical realities of IoT security.

Part 1 of a four-part series on security and the Internet of Things (IoT).

  • In this part, I will discuss the state of IoT Security.
  • In Part 2, I will explore and discuss existing security approaches and products.
  • In Part 3 I will dive deeper into the technical side of IoT Security.
  • In Part 4 I will initiate a discussion of the IoT Security market.

What you don't know can hurt you.  I ran into some pretty scary items while conducting research for this blog.  There is an IoT search engine that will scan the internet looking for open, unencrypted device ports and will report back what it finds.  Including, for example, the stream of a web cam monitoring a sleeping baby.  I also found:

  • A report about a security researcher able to remotely change the dose of an insulin pump or change the voltage levels on a pacemaker.
  • Discussions about hackers utilizing your home devices to gain entry into your home network and all you have stored there.
  • And many, many more.

 

Frightened yet?  I am.

 

The chilling facts.  The above examples of science fiction becoming science fact - from identity theft to tampering with medical devices - are easy to find.  New technologies are still not taking security into account and, consequently, we are developing an open and unsecure infrastructure.  The evolution is somewhat understandable as, who would want to hack a refrigerator?  But your refrigerator now could be a gateway to your finances.

 

Do you think this is all hype? Mountains made out of molehills?  Possibly, but hacks into your webcams and your home router are real; and consider this: the FTC is now involved(1).  Ars Technica reports that the FTC has "prosecuted more than 50 cases against companies that did not reasonably secure their networks, products, or services" and published a list of industry best practices for IoT manufacturers.

This may seem like fantasy, but it is not.  This is our reality today.  The average appliance consumer will not realize that by plugging in their device and configuring it on the wireless, they could open themselves up to identity theft, web cam stalking, and other malicious activities and attacks.

Education of the end user will help, but until and unless manufacturers of IoT devices stop looking at security as an added cost, and start looking at it as a fundamental cost of doing business, these vulnerabilities will remain in place and continue to make the Internet of Things a very dangerous place to be.

 

In my next posts I will discuss what is currently in place or being released and the possibilities that are open to us to bring security into this space.

 

(1) Porup, J.M. "“Internet of Things” Security Is Hilariously Broken and Getting Worse." Ars Technica. N.p., 23 Jan. 2016. Web. 26 Feb. 2016.