IoT Security Starts with Asking Tough Questions

Journalists strive to write stories that answer questions starting interrogative pronouns. But such questions are also indispensable for IoT companies launching IoT projects as well.

Written by Kshitish Soman
10th January 2017

By now, everyone and their dog should know about the sorry state of Internet of Things security. There have been tales of hacked Jeeps, botnets that can bring down the internet, and, more recently, allegations of hacked elections. And yet there has been more of a focus on IoT security misfires than on actually making the IoT more secure. But with technologies like self-driving vehicles, the connected factories, smart cities, and self-checkout grocery stores poised to go mainstream, security of the IoT should be one of our top priorities.

Many security vendors are looking to cash in on the situation, proffering solutions that promise to solve our IoT security woes. Some of these are solutions looking for a problem while others are simply hype riding on hope.

If you talk with security professionals, you’ll quickly realize that securing the IoT is a never-ending game of cat and mouse. IoT security is not a battle you can simply hope to win once and for all.

This intro article aspires to provide the foundation for a comprehensive approach to IoT security. A sequel on mapping out security countermeasures will follow. While this article won’t provide you with a one-size-fits-all solution, it will give you the tools to ensure that you have mapped your risks.

Asking the Right Questions

In technology, analyzing a problem requires taking the time to ask and answer hard questions. Securing the IoT is not different. Like any large systems implementation, the IoT space has its own software and hardware security concerns. But, unlike a typical technological system, with the IoT, the physical world includes more than securing computers, networks, and other assets whose primary purpose is to support software functions. So, as your organization works through these questions, think about everything that can materially impact the IoT in the physical and virtual world.

An effective IoT strategy must answer these six questions:

1. Why Do We Need to Secure Our IoT Application?

As a software implementer, I often see this question is not answered, or the answers to it are simple and naive. Here’s an example: “Why should we secure the IoT? Well, duh! Everybody is doing it! Security should always be a priority.” Bad answer! (Everybody’s not securing their IoT applications, but that is the subject of a separate article.)

Coming up with a good answer to this question requires carefully considering how your organization functions. Answering the ‘why’ portion of the question could include legal, regulatory, compliance, and liability factors that may be outside of your immediate environment. Also, it’s worth noting that as time goes on, the ‘why’ will likely change, which could require you to update your security strategy.

2. What Is It That We Are Trying to Secure?

Again, the answer to this question may seem simpler than it is. It’s not enough to say: ‘Well, we are securing our software and data.’ Often, the answer is quite complex for software implementation projects. And it’s going to get even more so in the world of the IoT where physical and virtual are intertwined. When dealing with the IoT, you are looking to secure various asset types. These could include edge assets (such as sensors and processors), networks, cloud computing systems, data, servers, people, controlled assets, and many others. For example, if you have humidity sensors in your IoT implementation, and a hacker manages to either tamper with them or subject them artificially to out-of-boundary humid or dry conditions, what would that do to your overall system?

3. Who Can Interact with Our IoT Solution?

Fortunately, this question tends to be relatively simple to answer. But the ‘who’ doesn’t just include the various people who interact, both directly and indirectly, with your technology. With the IoT, the ‘who’ can also be non-human. It can be a computer system, machine, tool, or something else. The type of interaction between humans and machines has expanded from just touch (think levers, buttons, touch-screens, keyboards, mouse, and so on) to other methods of input, including methods such as speech and sound. You also might have to worry about sensors or even whole networks of connected sensors. To summarize: The ‘who’ in the above question can refer to anything and anybody that has a relevant interaction that could be subject to misuse.

4. How Will My IoT Technology Be Used?

This question builds on the ‘who’ and ‘what’ questions above. For example, consider a healthcare professional visiting an older patient in a home-care setting. The healthcare provider interacts with the biological monitoring equipment differently than the patient. Here, we have two different parties representing the ‘who,’ one piece of equipment representing the ‘what’ (the biological monitoring equipment), and several interaction types for ‘how.’ The various ways in which these interactions happen may need to be secured.

5. When Will the IoT Technology Be Used?

This question adds the time dimension to the various interactions defined by the ‘how’ above. Context is important here. For example, in the above scenario with the home health worker, their visits to the patient may be periodic. Do we know this interval? What happens if an impersonator tries to gain access and do something with our IoT technology but doesn’t fall within our known time interval? Thus, defining when various interactions are permissible and when they are not, helps in defining the overall security goals.

6. Where Will the Technology Be Used?

This question adds a spatial dimension to the previous questions. If you are developing a baby monitor, would you grant access to users that are not physically present in the same geographical location? What happens when someone from, say, Asia tries to access a baby monitor in the United States. Or what about a neighbor who lives across the street? Should they have access to the device? And are you granting access to the baby monitor to just the baby room or the family’s whole house? This may sound like a lot of questions, but it is precisely scenarios like this that you must consider when attempting to secure an IoT device.

To conclude, building a tenacious IoT defense starts with relentless questioning concerning your technology. After considerable deliberation, you can come up with solid answers to these questions. But you should not be satisfied with your answers, thinking you have forever outsmarted hackers. Ultimately, the questions you ask should be something like Zen koans—they should open you up to potentially limitless investigation rather than fixed answers.

Still, as powerful as questioning is, it is not sufficient. The sequel to this article will address the next step: developing countermeasures to address your vulnerabilities that you uncovered along the way.