Rethinking security for the Internet of Things

Many people scoffed in January 2014 when Cisco CEO John Chambers pegged the “Internet of Everything” as a potential $17 trillion market, five to 10 times more impactful on society than the Internet itself. Two years later, it seems that Chambers’ prediction for the phenomenon more commonly known as the Internet of Things (IoT) could be on the conservative side.

There’s no question that IoT is ushering in a new era of innovation, connecting the digital and machine worlds to bring greater speed and efficiency to diverse sectors, including automotive, aviation, energy and healthcare. But with sensitive data increasingly accessible online — and more endpoints open to attackers — businesses are quickly realizing that security cannot be an afterthought.

The bad news is that they’re relying on the same solutions that have failed in the past — and which continue to fail. Created four decades ago to secure communications between two human parties, Public Key Infrastructure (PKI) was never designed to handle the complexity of managing 50 billion devices on industrial-scale networks.

McKinsey estimates that the cost of ineffective cybersecurity will rise to $3 trillion by 2020. Given that the number of connected devices is predicted to reach 20.8 billion by 2020, there’s an urgent need to fundamentally rethink security for an always connected, high-volume, decentralized world of machines.

Data has an entire lifetime

Bruce Schneier observed that throughout the 1990s, everyone was focused on data in motion — communication between two parties — when they should have focused on data at rest. Emphasis on the former is a major reason modern security continues to fail. We need to consider data throughout its entire lifetime, not just secure transmission between devices, which becomes meaningless if the device itself is compromised.

Again and again, we’ve tried to retrofit security in after the fact. Bruce Schneier

In the machine world, data begins and finishes as data at rest. In between, it passes through myriad interacting devices, customer transactions, user activities, access, authentication, software deliveries, API interactions… the list goes on. By focusing only on communication, there’s no chain of custody or way to audit the lifetime of data hosted in different environments administered by different organizations. One compromise anywhere in the chain, and the reliability of the collected data and any conclusions derived from it will be suspect.

Machines are different than humans

PKI was designed for Alice and Bob to encrypt and share secret messages, not for massive-scale transmission among millions of machines. Communication is stateless; if Alice thinks her key has been compromised, she can simply generate a new key pair and register the new public key. Previous communications (those before the key compromise) will not be impacted.

Machines are stateful; the keys used to verify the integrity of their components have to be secured and managed throughout the life of the machines and the data they produce.

Confidential does not mean secure

The underlying assumption today is that machines and the sensor data they manage can be secured. But what exactly are we securing? Information security has three components:

  • Confidentiality: access to sensitive information is restricted and protected
  • Integrity: assurance that the information is as it should be, absent of compromise
  • Availability: those authorized to access this information are able to do so

The overwhelming majority of modern security solutions — encryption, firewalls, two-factor authentication, tokens — target data confidentiality, erecting barriers against unauthorized access. But machines, their communications protocols, software, rules and exposed APIs will always have vulnerabilities.

What happens when these weak points are breached and confidentiality has been compromised? In most cases, like Sony or Anthem, the breach isn’t even detected until months later, after which system administrators must identify which pieces of data were accessed and/or manipulated — an economically and socially costly task.

The way forward: Integrity

Unfortunately, I don’t think there’s a security expert in the world who thinks we can build IoT networks without vulnerabilities. So we need a new approach. When breaches are detected, we need to know what data has been changed, and how.

This is an integrity issue — and it should be the key focus of modern security in the age of “connected everything.” Focusing on integrity will require a different approach, and a new set of tools. Data integrity schemes based on blockchain, Merkle hash trees, scalable provable data possession (SPDP) and dynamic provable data possession (DPDP) are good places for the industry to focus its efforts.

We can work on scaling these technologies, making them reliable for large networks. This is a necessary complement to endpoint security, especially for the IoT industry. As Schneier points out in relation to integrity attacks, “Again and again, we’ve tried to retrofit security in after the fact.” And, he warns, “once the attacks start doing real damage — once someone dies from a hacked car or medical device, or an entire city’s 911 services go down for a day — there will be a real outcry to do something.”

The reality is that basing the integrity of networks and systems on the security of key-stores and the administrators who manage them is a failing strategy. Rather, truly effective solutions must continuously monitor the state of a network’s entry points and the data within. For all the energy and resources spent guarding against breaches, let’s devote equal attention to protocols for when — not if — they occur.