The IoT Security Risks and Benefits of IT Convergence
Over the past few years, one of the major IT trends has been that of system convergence.
This trend is not just in relation to converged systems or hyperconverged systems, although that is certainly a part of it. Convergence points to a much larger trend that might be better described as “system standardization.”
This standardization takes many different forms. For example, many software vendors now make their applications cross-platform so that they can work on a variety of operating systems. Similarly, code libraries are seeing greater adoption than ever before, meaning that countless devices are being built with code from those libraries. Further, cloud computing platforms require this kind of system standardization to enable applications to be scalable, secure and interoperable in the .
As systems continue to converge, the convergence will inevitably introduce security challenges, but it will also create new opportunities.
The IoT Security Risks Posed by Convergence
The primary security challenge that is posed by widespread IT convergence is that vulnerabilities can be exploited at a much greater scale than ever before. Consider how bad actors have used the previously mentioned examples of convergence to increase the scale of their attacks.
Conventional wisdom has long held that if an application contains an exploitable vulnerability, an attacker could conceivably use that vulnerability to take control of a system that runs that application.
But what happens when application vendors begin releasing their applications on multiple platforms? It is at least plausible that an application-level vulnerability could allow a malicious actor to wage a multifront attack against every platform on which the application is designed to run. Of course, the ability to conduct such an attack would depend greatly on the nature of the vulnerability.
The same concept also applies to the increasing use of code libraries. If a library includes an exploitable vulnerability, the vulnerability will presumably exist in any system that uses that particular code library.
This was the nature of the Ripple20 vulnerabilities, which affected an array of systems, from boutique vendors to Fortune 500 companies.
Earlier this year, vulnerabilities were discovered in the Treck Inc. TCP/IP library. These vulnerabilities, which came to be collectively known as Ripple20, left hundreds of millions of IoT devices vulnerable to attack. These devices included consumer products, industrial sensors, medical equipment, and more. In essence, a poorly written but widely used code library left untold millions of devices vulnerable to attack.
Of course, IoT devices can undermine an organization’s security even if a device does not incorporate a software library that is known to be problematic.
Because IoT devices tend to create vast amounts of data, devices are often linked to cloud storage. Depending on how an organization’s cloud resources are configured, an attacker who has gained access to cloud storage via an IoT device may be able to use the successful attack as a stepping stone for compromising additional cloud resources that have nothing to do with the organization’s IoT devices.
Convergence Presents IoT Security Benefits
Although convergence undoubtedly introduces significant security risks, it also presents new opportunities to improve IoT security. As previously mentioned, convergence (at least from the standpoint of this article) is closely tied to standardization. In the case of the Ripple20 vulnerability, for instance, countless vendors had adopted an industry-standard TCP/IP library.
While standardization poses certain risks, it also reduces complexity and it causes the systems that depend on those standardized resources to behave in a predictable way. Predictability is extremely beneficial from an IoT security standpoint, both in the virtual world and in the physical world.
If a variety of IoT devices all use a common TCP/IP stack, for example, then those devices should behave in a similar way on the network. This opens the door to allowing a machine learning algorithm to learn what is normal for those devices. As such, even a small deviation from the norm (something humans would likely not notice) could be detected by a security tool that has learned the devices’ normal behavior patterns.
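As an added illustration (not code from this article or any product), the sketch below compares each device with its peers that share the same stack and flags features that sit far from the group median. A robust z-score (median and MAD) stands in for the learned model; the device names, feature names, numbers and threshold are all constructed assumptions.

```python
from statistics import median

# Constructed sample: one hour of traffic features for a fleet of identical
# sensors that share a TCP/IP stack. All names and numbers are made up.
FLEET = {
    "sensor-01": {"pkts_per_min": 118, "distinct_dests": 2, "mean_pkt_len": 96},
    "sensor-02": {"pkts_per_min": 121, "distinct_dests": 2, "mean_pkt_len": 97},
    "sensor-03": {"pkts_per_min": 119, "distinct_dests": 2, "mean_pkt_len": 95},
    "sensor-04": {"pkts_per_min": 122, "distinct_dests": 2, "mean_pkt_len": 96},
    "sensor-05": {"pkts_per_min": 120, "distinct_dests": 2, "mean_pkt_len": 98},
    "sensor-06": {"pkts_per_min": 117, "distinct_dests": 2, "mean_pkt_len": 96},
    "sensor-07": {"pkts_per_min": 131, "distinct_dests": 3, "mean_pkt_len": 97},
}


def robust_z(value, peers):
    """Distance of value from the peer median, in MAD-based standard units."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    # 1.4826 scales MAD to a standard deviation for normal data. When more
    # than half the peers are identical (MAD == 0), fall back to unit scale.
    scale = 1.4826 * mad or 1.0
    return (value - med) / scale


def find_outliers(fleet, threshold=3.5):
    """Return {device: {feature: z}} for features beyond the threshold."""
    features = next(iter(fleet.values())).keys()
    flagged = {}
    for feature in features:
        peers = [dev[feature] for dev in fleet.values()]
        for name, dev in fleet.items():
            z = robust_z(dev[feature], peers)
            if abs(z) > threshold:
                flagged.setdefault(name, {})[feature] = round(z, 2)
    return flagged


if __name__ == "__main__":
    for device, reasons in find_outliers(FLEET).items():
        print(device, reasons)
```

The flagged device sends about 9% more packets than its peers, a difference that is easy to miss by eye but stands out because the rest of the fleet is so uniform.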
Another way in which this type of convergence has the opportunity to improve security is that the resulting standardization enables security professionals to direct their attention to the areas that are likely to make the most difference.
Consider the previous example, in which a variety of devices share a software library. Because that software library is so widely used, there is incentive for the security community to do everything that it can to discover vulnerabilities that exist. This will ultimately help the vendor that created the library to further harden it against attack.
Additionally, convergence may ultimately make it easier for an organization to collectively manage its IoT devices. This type of centralized management can be especially beneficial from a security standpoint because it allows an organization to positively identify its devices (and to spot rogue devices), and to apply patches to devices in a more timely manner.
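The following added example (not part of the original article) shows what that centralized view makes possible: reconciling the managed inventory against devices seen on the network, and finding every device that ships a library version below an advisory's fixed version. The MAC addresses, models, the library name `examplestack` and all version numbers are constructed; a MAC address stands in here for whatever stronger device identity an organization actually uses.

```python
# Constructed data: MACs, models, library names and versions are all made up.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"model": "pump-ctl",
                          "components": {"examplestack": "4.2.0"}},
    "aa:bb:cc:00:00:02": {"model": "pump-ctl",
                          "components": {"examplestack": "4.2.7"}},
    "aa:bb:cc:00:00:03": {"model": "door-cam",
                          "components": {"examplestack": "4.1.9",
                                         "examplezip": "1.0.2"}},
    "aa:bb:cc:00:00:04": {"model": "badge-rdr",
                          "components": {"otherstack": "2.0.0"}},
}
# Devices observed on the network (for example from DHCP or switch logs).
OBSERVED = ["AA:BB:CC:00:00:01", "aa:bb:cc:00:00:03",
            "aa:bb:cc:00:00:99", "aa:bb:cc:00:00:02"]
# Hypothetical advisory: versions below fixed_in are affected.
ADVISORY = {"library": "examplestack", "fixed_in": "4.2.7"}


def version_tuple(version):
    """Turn '4.2.7' into (4, 2, 7) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def triage(inventory, observed, advisory):
    """Split the fleet into rogue, unseen and needs-patch device lists."""
    seen = {mac.lower() for mac in observed}
    managed = {mac.lower(): dev for mac, dev in inventory.items()}
    library = advisory["library"]
    fixed = version_tuple(advisory["fixed_in"])
    needs_patch = sorted(
        mac for mac, dev in managed.items()
        if library in dev["components"]
        and version_tuple(dev["components"][library]) < fixed
    )
    return {
        "rogue": sorted(seen - set(managed)),      # on the wire, not managed
        "not_seen": sorted(set(managed) - seen),   # managed, but silent
        "needs_patch": needs_patch,                # affected library version
    }


if __name__ == "__main__":
    for bucket, macs in triage(INVENTORY, OBSERVED, ADVISORY).items():
        print(bucket, macs)
```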
Over time, IT convergence may create a world in which IT components and IoT systems are largely modular and designed to interact with one another. In fact, IT systems are already doing this to some extent with software libraries, and with containers hosting microservices. This modularity will undoubtedly lead to increased standardization of components and will also make applications more resistant to attack.