The Internet of Things (IoT) is not just a device connected to the Internet – it is a complex, rapidly evolving system. To understand the implications, analyse risks, and come up with effective security solutions we need to look ahead and take into account other components, such as Big Data and Artificial Intelligence (AI).
On Thursday, 8 June, at 1:30PM CEST, I am participating in a panel discussion called “Emerging Threats and Paradigm Shift” during the IoT Week 2017 in Geneva, where we will talk about many of these issues. In this post, I’ll expand on some of my thinking that will inform my comments on the panel.
It is still common to think of an IoT as a “thing” – a smart object, something that is not just a general-purpose computer, connected to the Internet. But this is not what the IoT already is, and certainly not where it is heading. And if we want to address the challenges the IoT brings, we need to look ahead.
We do not want just to have a light bulb whose colour we can change using a smartphone application. We want to automate our whole house so when we dine the ambient light is different from when we read a book, maybe different depending on the season, room temperature, or mood.
We do not want just to measure traffic movements along the city transportation system, but tie it with the temperature, air pollution, and other data gathered by thousands of sensors. And we want to optimize it by managing traffic lights and signalling preferred routes to cars.
Even now, the IoT is a complex system, where devices are just one component. Each component might be the system’s weakest link, so we need a holistic approach to security. Besides the complexity of the IoT system, we shouldn’t forget that it strongly ties with Big Data and AI, each with its own host of issues. And behind each of the components there are specific security challenges, and various parties involved.
The IoT is a system that should be analysed and addressed as a whole. Focusing on isolated components without holistic risk and threat analysis tends to provide temporal fixes (if any), and may significantly hinder the innovative potential of the IoT.
IoT Security is the responsibility of many
When we look at it as a system, we can enumerate quite a number of parties that can and should contribute to the IoT security:
- Vendors of sensors and actuators (devices)
- Middleware developers
- Application developers
- Protocol developers
- Middleware platform operators
- Application services operators
Outside the technical realm the number of entities is also significant:
- Retailers and resellers
- End-users: Home and Office users
- ISPs and service providers
- Insurance companies
- Policymakers and regulators
To scale up we need a collective approach, addressing security challenges on all fronts. The Online Trust Alliance IoT Security Framework provides a great foundation listing the baseline requirements for security and privacy.
Guidance and recommendations, along with reusable security building blocks, are essential components of addressing the IoT security challenge, but why is security so hard? We need a collaborative security approach to ignite action and change in addressing IoT security challenges.
IoT security is hampered by negative economic factors, such as negative externalities and information asymmetry. This is not unique to the IoT; our recent analysis of data breaches revealed similar issues.
For instance, device vendors do not provide strong security because they do not bear the costs of security exploits. And consumers have no way to assess the security of the IoT system as a whole, thus diminishing motivation for the vendors to deliver secure solutions. Vendors are under intense competitive pressures to get their products to market as quickly and cheaply as possible, and to iterate with new versions rapidly. Security by design, done properly, costs money, requires skilled staff or consultants, and slows down the process. It cannot be “bolted on” as an afterthought – but that is how it is treated by many vendors, if they give it any attention at all.
When devices reach the end of their supported lifetimes, they usually do not vanish or become inoperable. They often end up in developing areas of the world where they may continue to operate for years or decades longer – un-locatable, unpatched, and vulnerable. There are other examples.
To understand how we can change this situation we need to look at the forces that can potentially drive improvements in this area. In my opinion, there are three main ones:
- Market forces
- Regulation forces
- Societal forces
Market Forces
We hear loud voices that qualify the state of affairs as market failure. Indeed, businesses need to internalize some of the insecurity costs now spread among many others.
First of all, business should recognize the value of security. This may take time, but as the trends show it wouldn’t be too long before their customers see that value and demand adequate security and privacy protection. And then, those vendors who were looking forward and are prepared will have competitive advantage.
Now, companies also need affordable security. Why are known patches not applied? In many cases it is negligence – yes, but to a great extent it is because many companies do not even have a process in place for vulnerability management, nor a patching policy. Security is a process, not a state, and must be treated as such.
An important component here is affordable security – rational frameworks, security building blocks, automation, and information sharing.
Regulation Forces
The question – what and how?
One of the approaches is to use some level of regulation to support baseline security recommendations for connected devices. The challenge is to make it effective without stifling innovation. It must be not too coarse so that the requirements are meaningless, and not too rigid so that compliance tests are unbearable. How do we make sure that compliance requirements do not hinder agile development and feature and security updates to the devices? And as we know the IoT is not just devices, so it should be extended to systems and services.
As we said, security is not a state, it is a process, so the security posture of a vendor, or developer, or service provider in terms of QA and information security management processes gives better assurance than a one-off compliance check. For instance, a once compliant device may not meet the same requirements with the next software update. And here again, how to make this affordable, such that not only giants can afford certification?
And of course, not all IoT systems have the same security requirements, but for many of them security means safety and such systems should be in focus.
Importantly, regulators and policymakers should focus on supporting societal activities and foster the culture of security.
Societal Forces
We shouldn’t underestimate the societal force – at the end of the day, all parties involved are interested in innovative and secure IoT. They simply cannot afford losing consumer trust.
I mentioned several key players that take part in the development and operation of the IoT ecosystem. But simply calling on them to take responsibility and clean up their part of the street may not be effective enough.
Understanding the relationships between them, their motivations, and their incentives helps steer their behaviour and operation toward most favourable outcomes. For example, raising consumer awareness of the risks of connected devices can help establish ranking or certification programmes, like the one led by Consumer Reports in the USA: “The Digital Standard.”
What is crucial here is “norm setting” based on industry-developed and agreed principles and recommendations. A great example of such an effort is the Internet Society Online Trust Alliance IoT Trust Framework that includes 37 principles addressing privacy, security, and sustainability of IoT systems.
“Platforms” – the middleware that glues sensors and actuators in one coherent system, plays a key role here, not only by ensuring that the system is secure by design, but also by providing necessary pressure on the component suppliers (for example, through programs like MFi by Apple). They are in a good position in assessing security and privacy of the system as a whole, sometimes including the apps. Think of an IoT as a distributed smartphone!
If leading platform operators agree to a reasonable security baseline, like the already mentioned Trust Framework, and enforce compliance, that will have a significant impact on the whole IoT ecosystem.
The Internet and distributed information systems built on it demand a significant paradigm shift in how security challenges should be addressed. There is no perimeter one can protect, the “outward” risks are as important as “inward,” and care needs to be taken not to damage the fundamental properties of the Internet that allowed it to flourish. The key here is finding points of maximum impact for creating a collaborative environment centred around security and privacy. That is the only way to scale up to match the IoT phenomenon.