Can I trust my 'Connected Gear'?
I visited an old friend last Christmas, seeing him decorate his Christmas tree with a combination of old and new decorations, I cracked an IoT joke; since all things will eventually become connected, why not the Christmas tree? A quick check on Google confirms that there are plenty of connected trees and accessories available today.
One interesting finding is the smart connected Christmas tree ornament that can display photos from the mobile phone, or broadcast messages via text or email. It even includes a “time machine” feature, which will automatically retrieve, group, and display photos from prior years, letting the user relieve those wonderful times!
We looked for security information about the device and as expected, couldn’t find any. This set us to thinking how the device could be secured when connected to a home WIFI network and how to prevent anyone connecting to the ‘portal’ or the ‘setup’ page of the device, or even how to prevent malicious use of the device as a launch pad to attack other home IoT devices. Get into a bit technical, how should we patch this device if there is an obvious vulnerability? This reminded us of Shodan, the IoT search engine that, among other things, lets user access vulnerable webcams. All sorts of security questions come to mind.
Common to millions of IoT devices today, security has become ever more critical. Millions of cyber-physical systems are now connected, giving an additional avenue for ill-intentioned parties to directly affect and exploit physical objects even the party is not present in that location. This is a new threat that has not existed before.
In Atos Ascent Journey 2020 we highlighted this trend as part of the “Digital Shockwave” and as something which is here to stay. In fact, we recognize the most significant business disruption will come from a combination of connected sensors, devices and objects (Internet of Things), coupled with new ways to analyze, action and monetize the resulting data streams. While this disruption will change the way we do business and impact our daily life, it will also come with challenges that need to be overcome. For example, to stay secure in such an unprecedented, hyper-connect world we will need to ask questions that we would never thought of before such as; Is my connected gear secure?
The disruption caused by the Internet of Things is also driving new standards and innovations. One of the fundamental security challenges will be to understand the new standards and technologies associated with the IoT. For instance, old ways of dealing with Ethernet such as network segmentation and firewalling will no longer be sufficient to deal with the wide variety of network technologies. The way we handle security for very local networks (such as NFC, Zigbee, Z-Wave, LiFi and Bluetooth) may vary greatly to very long range technologies such as LoRa or Sigfox. Will we need different secure authentication mechanisms to deal with ad-hoc local connectivity between objects such as communication between connected vehicles?
Micro Clouds for the Internet of Things
In Ascent Journey 2020, we also predict that the implementation of IoT will migrate from the IoT Gateway into an ‘IoT Micro Cloud’ approach. The IoT Micro Cloud is discussed in detailed in our previous posting. With this approach, the IoT security defense strategy will eventually shift toward finding way to secure the interaction across the ‘Thing’ in the IoT Micro Cloud as well as the IoT Micro Cloud itself.
Remember that Christmas tree? There have been some nightmarishly difficult bugs to resolve, such as OpenSSL or Heartbleed so just imagine this repeated on millions of low tier, un-intelligent IoT devices! Hence, the interoperation between the IoT Micro Cloud and IoT devices (with certain standard of manufacturing) is becoming vital to ensure the security of the IoT in the future.
The intelligent Gateway of the IoT Micro Cloud will become the key security watch dog to monitor new devices coming online and also to detect any potential vulnerability that may exist in their cloud. The IoT Micro Cloud Gateway will also act as the intelligent gateway and will be the translator of the IoT world, ensuring protocol translation and interoperability for sensors previously inhabiting isolated silos. Hence, it will play a the most vital role in the IoT Micro Cloud implementation.
However, the Intelligent IoT Gateway in the Micro Cloud is certainly not the only answer to all security questions, as a combination of new approaches such as Named Data Network (NDN) could be deployed to perform effective local network segmentation of such a complex IoT Micro Cloud environment.
Next generation Security Information and Event Management (SIEM) systems with big data and deep learning technology can help to flag and deal with suspicious activity. The system will then integrate with the Software Defined Networking (SDN) which can provision or de-provision networks automatically, create adaptive responses for network devices, or reroute traffic and apply access rules based on the outcome of the intelligent security detection system.
More rigorous and consistent regulation by Industry and Authorities may be necessary to ensure a certain security standard and implementation of Cyber Physical System before the IoT cloud spins out of control. It may sound impractical to regulate all the ’thing’ in the Cyber Physical World but priority is the key word here. For instance the intelligent gateway on the IoT Micro Cloud must have certain standard of operation to deal with trivial and high tier IoT device. This is to ensure the Application Resource Island style of implementation can be deployed where a compromised low tier device can be isolated from the critical high tier devices within an IoT Micro Cloud. Likewise, the critical Cyber Physical device in major industry such as utilities, transport, healthcare etc also need to be secured by design.
So, next year, we can look forward to a Christmas Tree that is much less vulnerable to Cyber-Attack.