The IoT Security Equivalent to a Doberman
Security is all about countermeasures to threats. If you were worried about your house getting robbed, there are many strategies you could use to lower your risk. You could put an alarm sensor on the door and install a camera to monitor it. You could get a Doberman guard dog and an extra deadbolt. You could buy an armored door that would be nearly impossible for a criminal to kick down—or, if you have a lavish budget, you could even buy a bulletproof door. If you did all of the above and went to the same lengths to secure every other door and window in your house, you could drastically lower your risk of being burgled.
In any case, having multiple safeguards is a hallmark of good security design. The first step is to carefully assess your vulnerabilities, while the next thing you should do is map out countermeasures to address those risks. As the door scenario shows, each countermeasure you put in place should supplement your other defenses. The bulletproof door resists kicked in, knocked down with a battering ram, or even shot at. The door sensor can help ensure that all of your doors are closed, locked, and can only be opened by members of your family. By electronically monitoring these sensors, you could send an alarm to police in the case that an intruder manages to get in.
Related—Read the First Part of This Article: IoT Security Starts with Asking Tough Questions
An effective countermeasure either prevents a bad guy from breaking in or intervenes in some way once he does get in—just like a Doberman's bark will scare away most intruders and the dog will threaten to attack the ones that get in. It’s also possible that any countermeasure will need to evolve over time. Given that break-ins are a constant and evolving threat, if a countermeasure doesn’t adapt, its efficacy will likely diminish in the long run. With these general strategies in mind, let’s turn our focus to IoT.
Functional: This may seem like an odd example of a countermeasure, but product functionality can and often will be your first line of defense. You should aspire to integrate product functionality that helps to secure both the physical and virtual/software dimensions into your product.
In the physical world, for example, you can manage the level of functional control of the device in several ways. You can constrain where you place the product, its shape, and how it can be physically accessed.
Your software systems should be coded from the ground up with security in mind. The pioneers of the internet designed the World Wide Web to be open and fast. In the internet’s earliest days, few people thought seriously about security. Look how that turned out.
Learn more about IoT security at Internet of Things World, held May 16–18, 2017 in Santa Clara
But don’t think that everyone has learned from this example. In fact, many in the IoT space have not. As McAfee writes in their 2017 threat roundup, Some of the companies that are IP-enabling their devices are destined to “make rookie mistakes […] and otherwise repeat the history of Internet security.” So please, make sure that your software was designed to be secure from the beginning. No code is unbreachable, but trying to secure code that was designed to be convenient rather than safe is like trying to out-wrestle an 800-pound gorilla.
Authentication ensures something is what it claims to be. The term could apply to a person, a thing, an edge processor, and a sensor. All of these are tangible things that we can know and approve. Having the right authentication in place will prevent spoofing and other impersonation methods and ensure only people and things who need to have access get it.
For the sake of demonstration, let us consider a hypothetical case of an IoT-based HVAC controller in a household with two parents and with two kids who are both under ten years of age. In our scenario, the two parents and the two children are authenticated and tagged to be residents of the household where the HVAC controller is used so that they may have access to various functions provided by it. Without the proper authentication, an outsider, such as a visiting plumber will be tagged as unidentified.
Authorization ensures the person or thing is authorized to use a particular function. Authentication and authorization are not the same but almost always used together. Whereas authentication ensures that people and things are identified as legitimate, authorization ensures that access is granted only to resources and functions that should be accessible for a particular authorized person or thing. In our hypothetical scenario, the adult residents need to have the ability to freely interact with the HVAC controller and use all its function. The mother and father will have been authorized to use it in any way they please. Children below 10 have a different level of authorization; they are only granted access to see the display. On the other hand, a plumber who visits your household, that person shouldn’t have the authorization to control this HVAC device.
Encryption provides a method of securing information by temporarily scrambling to conceal it both at rest and in transit between data exchanging parties. This technique prevents unauthorized access or eavesdropping. Encryption is a standard method of ensuring that data and information are secure. In our hypothetical scenario, we encrypt data from the HVAC controller as well as data sent over any network to other processing assets. This includes data sent to or from the cloud or components of the HVAC system. Encrypting all of these elements will help prevent intruders from interpreting and understanding the data in the case that an intrusion does happen. Suppose your HVAC controller is connected to your HVAC system via Wi-Fi and somebody manages to sniff packets by sitting outside your house. Will they be able to read the data, or worse yet, spoof or manipulate it? That’s not what you want.
Masking/Anonymization/Pseudonymization provides various methods of preventing access to something by hiding it. For example, if our hypothetical plumber were to come and stand in front of the HVAC controller, the system would identify this person by using a detection system (facial recognition, etc.), and make the display go blank. Or if your HVAC system sends any sensitive data to the cloud of the equipment manufacturer, it can be anonymized to protect the Personal Information (PI) of the owners.
Limited Retention is a method of limiting the life of particular information or relationship/association to ensure it is not available after it has served its defined function. For example, in our HVAC controller example, the information may only be stored for one calendar year, and beyond that, only Metadata is stored for analytical reasons.
Elimination is a method of eradicating something that poses a threat. Elimination can be deployed both proactively and reactively. For example, you could eliminate data from your system’s components if an intrusion is detected. Or you can consistently and periodically purge information from your component to ensure old data is not sitting around available to be compromised. For those of us who have lived forever, remember how we used to format a floppy disk before we loaned it to a friend? In my case, I didn’t only delete personal files from my DOS disk, I would run a low-level format so that my friends didn’t find dangerous stuff about me on the disk! The same basic data management questions apply to the internet of things although the scope of data is exponentially greater in some cases.
Interruption is the process by which you can intervene in the act of a breach and try to further prevent loss of control and information. Your security countermeasure armory needs to have well planned and tested methods in which you can interrupt an active security attack. The interruption should result in a stop in the threat and prevent further attacks of a similar kind. This strategy is similar to the cops showing up at the door while the burglars are still in the house. Or in the case of our HVAC example. Consider this scenario, our two kid’s babysitter invites a friend over to hang out. The friend maliciously turns the HVAC up to 90F while leaving. The cloud for our HVAC system is connected to discovers that the heating has been set to 90F and it’s been more than 15 minutes and nobody seems to be doing anything despite the fact that history suggests something like this never happened. We could come up with countless IoT scenarios in public and private spaces. Like an out of control hacked washing machine on the second floor of a house. The idea is simply, interrupt, get back control, and stop the loss.
Recovery: Despite the best of efforts, security breaches may happen. You could lose control of your products and environment. You could lose valuable information. What happens if your HVAC system is hacked? What are the possible outcomes? Your job here is to outsmart the hacker, who is typically not somebody who thinks much about consequences. As Kevin Mitnick said more than a decade ago: “The hacker mindset doesn't actually see what happens on the other side, to the victim. As a hacker you think: ‘Well, they were kind of naive […]’”
Once you have detected an attack, your first step would be to interrupt and stop. Your next step is to start to look at recovering control and your data. An effective security countermeasure strategy will always include methods that cover the recovery option. Things go wrong, and you have to know how to remedy the situation.
You will have noticed that I have not spoken about firewalls, SSL encryption, or new-age things like Blockchain, and so on. If technology evolution has taught us a lesson, it is that the rate of change keeps getting faster. In a world of ever-accelerating change, it is easy to lose track of security fundamentals.
It’s also important to understand that security solutions change. Locking yourself down to one technology may prevent you from creating a broader countermeasure strategy. For example, firewalls or SSL are specific implementations offering multiple functions from the list of countermeasures we listed above. But what if a completely different solution replaces it in the future? Ultimately, you should make sure your security fundamentals are solid and that your security strategy itself is nimble.
In summary, take a step back and plan your countermeasures first, and then decide which tools, products, technologies, and methodology you are going to use to create your framework of countermeasures. And most importantly, don’t shy away from doing something that’s different. It’s all the better if you have a countermeasure that a hacker doesn’t expect; the most common approaches to security tend to be the easiest to threaten. And, never stop asking questions and revisiting your solutions; they will need constant monitoring and updates.
As William Evanina, head of U.S. counterintelligence and security says: “You have an enduring threat from a counterintelligence perspective, the threat is now, and it is enduring. If [hackers] decide to compromise me, they may do it now; they may do it in three years.”