The Internet of Things needs to be built from the bottom up with a ‘security first’ architecture, according to new research.
While some vendors are beginning to take the issue seriously, progress is sluggish and standards are moving too slowly to head off the emerging cyber-security threats, a report from IoT specialists Beecham Research says.
In a future where IoT and machine-to-machine applications are integrated into everything from peoples’ fridges to power stations and transport networks, a major failure in the system could have catastrophic consequences, according to Beecham’s technology director Professor Jon Howes.
“A successful attack could leave us very close to anarchy,” said Howes who was one of the authors of the report. “There have not been many full blown IoT attacks yet, so it’s easy to say it will be OK, but something like Heartbleed shows we are really fallible.”
Key to solving the problem is a new approach to security that moves beyond current IT paradigms to take account of the extended lifecycles, low processing power and potential inaccessibility of connected devices, the report says.
Technology needs to be engineered from the silicon upwards with security in mind, but also with the assumption that it will be compromised, which will require long-term support for devices such as connected washing machines or alarm systems that will remain in use potentially for decades.
“While we may have some visibility of potential attacks over a few months, we need to protect IoT devices in the field for 10 years or longer,” said Howes. “Devices must be securely managed over their entire lifecycle, to be reset if needed and to enable remote remediation to rebuild and extend security capabilities over time.”
An added complication presented by the IoT, the report’s authors point out, is that integrating devices not typically associated with computing introduces experts from other fields to the design process, who may have little experience of dealing with security, increasing the potential for vulnerabilities to be built into products.
While most providers have begun to tackle the “low-hanging fruit” of data encryption, principles for confirming identity, authentication and authorisation of devices are needed that are interoperable across vendors and also across the myriad communication technologies likely to be used to support the IoT.
With the majority of connected devices lacking the processing power to support on-board anti-virus software system-wide heuristic solutions that remotely monitor devices for suspicious code or behaviour will need to be developed, according to the report, as well as the ability to quarantine devices from the system while fixes are found without disrupting their physical world functions.
“The challenge we have is we have to change the way we think about security as an industry. Far too often security is something that’s treated like a bolt on,” said Haydn Povey, technical associate at Beecham and former director of secure products at ARM Holdings.
“Fundamentally, we to need to get security in from the ground up if we are going to create an environment where the IoT functions as expected.”
According to Povey, convincing vendors that security is a potential money spinner rather than an unwelcome cost will be vital to ensuring action is taken. Asides from avoiding massive damage to the brand, security technology such as the ability to remotely roll out patches also opens opportunities to continually improve the performance of products, he says.
“Security has to go from a burden to a value creating system. People won’t pay for security but they will pay for the things it enables,” he added.
And while the authors welcome the work of industry organisations such as the AllSeen Alliance and the Open Interconnect Consortium, which are looking at aspects of security within the IoT, they say governments need to take a more active role in coordinating a response to the problem.
For more information about the report Evolving Secure Requirements for the Internet of Things visit Beecham Research’s website.