Case in Point: Protecting the IOT, Today and Tomorrow

During the past two decades, the IT & Communications industry revolutionized our world by greatly enhancing what our minds can do. The various “screens” that we use every day act as windows into a new dimension, a Digital World where accessing, processing and exchanging information is within the reach of anybody.

With IoT, we are going one step further. By allowing any “Thing” to collect, process and exchange information, we are essentially bridging the digital and physical worlds. Home automation, connected cars, smart cities, and healthcare are all verticals where the boundaries between digital and physical are disappearing.

In the past years, we have seen the rise of cybersecurity threats as the main concern for this Digital World: online fraud, data breaches, denial-of-service attacks, cyber espionage, nation-state attacks, etc. These concerns apply directly to IoT, but IoT also introduces a new dimension: safety. Because IoT systems can interact with the physical world, an attack can very well result in physical damage.

From a security perspective, IoT introduces many challenges. We have to deal with billions of devices that use hundreds of different types of software and hardware with very limited processing power, and communicate with numerous, still non-standard or even competing protocols. This means complexity, which is one of the main enemies of security. It also means that we need to develop new security technologies to replace existing solutions that just don’t work in such constrained, fragmented and large-scale environments.

The industry is working hard in order to develop new technologies, and we will definitely see many innovations in the coming months and years. But this doesn’t mean that we should wait. There are things we can do today to enjoy IoT systems with reasonably good security.

During the past years, we have learned, the hard way, that no IT system can be protected 100 percent by defensive systems. The paradigm has changed. We need to do things differently.

First, we need to assume that any given system will eventually be compromised. Having the means to quickly detect an attack and control its impact is what makes all the difference. This new breed of cybersecurity solutions leverages big data technologies and data science processing techniques to find threats by sifting through terabytes of information on the public and underground Internet to detect vulnerabilities and indicators of compromise found within internal IT systems.

This very same approach has to be applied to all IoT systems. The IoT is not only about the devices. Data aggregators, routers, internet connectivity and back-end systems are all parts of any IoT system which, at the same time, employs traditional IT technologies that we know how to secure. In many past IoT incidents, the attackers' entry point was not the devices, nor did the attackers use any new techniques.

For example, today’s cars are probably the most complex, networked, computer-enabled systems we use in our everyday lives. Numerous sensors, computing units and critical control systems regulate how a car is operating at any time. Sophisticated infotainment systems provide us with entertainment and connectivity onboard. All those systems are increasingly connected via the internet to external systems so that they can be accessed and managed remotely.

During the past year, security researchers have demonstrated various possible hacks of connected cars. Instead of breaching the more tightly controlled critical onboard systems directly, the remote management web portals and the infotainment systems were first examined and found vulnerable to known types of attacks. Having established an entry point, gaining control of critical car systems like throttle, brakes and steering was possible.

The good news is that these attacks were just applying known IT attack patterns to a new and less mature use case, so protecting those systems does not require new security solutions, just thoroughly applying the lessons already learned. At the same time, agile and effective remediation when something goes wrong is critical. In these examples, some cars were swiftly patched remotely, like any other IT system. In other cases, millions of car recalls were required. Having contingency plans for incident response is definitely a practice that everybody should apply as soon as possible.

These examples tell us that we need to examine all IoT systems with an end-to-end vision and start with the basics: end-to-end system security design, secure communications, network segmentation and encryption to isolate and protect critical functions, continuous software patching and vulnerability scanning, robust authentication and access control, continuous threat monitoring, and incident response readiness.

Even if we still need to develop new technologies to deal with the most complex scenarios, we can already enjoy secure IoT applications in our Digital World if all actors in the IoT ecosystem apply the cybersecurity lessons learned so far and get help from the experts in the field.