The Internet of Things (IoT) has caught the attention of every industry on the planet. The notion of smart sensors deployed everywhere that source important information promises to transform and inform for greater efficiency, profitability, and situational awareness.
The line between embedded and enterprise has historically been fairly clear – client and server firmly rooted within the enterprise technology while a myriad of "black box" processors, platforms, and software made up the embedded space.
The emergence of IoT blurs the line between enterprise and embedded. And with it comes an entirely new area of security and what it means to "secure the enterprise." Enterprise IT departments are waking up to the fact that traditional security perimeters are increasingly vulnerable as IoT becomes intertwined with daily enterprise life. Embedded systems developers can no longer assume their system is sitting safely out of reach of the hackers.
In this month's column, we'll hear from the enterprise and the embedded side – both surprisingly aligned with their understanding of the implications of IoT and increased security for these systems within the enterprise.
For an example of problems that may arise as a result of IoT and the enterprise, look no further than the Target breach from 2014. This breach came in through the HVAC system via stolen credentials from a heating and cooling company. From the HVAC launching point, hackers gained access into the payment system network and acquired credit card information.
Another example, perhaps more ominous, involved a German steel mill where the hackers were able to control a blast furnace so that it could not properly be shut down, causing "massive" damage.
Point/counterpoint: The participants
Karl Volkman is the CTO of SRV Network and has been in enterprise IT for 33 years. SRV Network is a managed services provider for mid-size firms. They do outsourcing from desktop through purchasing to planning. I was fascinated by reading some comments from Karl relating to the IoT influence and security issues within the enterprise and I wanted to pursue this further with him.
Alan Grau is the President and Co-founder of Icon Labs. Alan has been engaged with embedded systems development since 1991 first with Bell Laboratories and Motorola before starting Icon Labs. Icon Labs is focused on a variety of security aspects and solutions for embedded systems and IoT and there may be no better authority on practical embedded security than Alan. Companies like McAfee, Intel, and ARM have all worked with Alan on a variety of security related embedded projects.
I asked Karl and Alan questions about cyber security in an attempt to find out how closely aligned the enterprise IT side is with the embedded development side of IoT.
How do you define cyber security as it relates to the IoT?
VOLKMAN: To me, cyber security is about protecting technology. In the past, this might be information, but with the advent of enterprise uses of IoT, it's everything. This extends the protection to authorized access and use. Things that have made headlines today have been information breaches like financial data. Other considerations involve taking down web sites by flooding Internet connections. With IoT there is a new dimension involving hacker control of an IoT device and the consequences if it occurs.
Anything that sits on the network is prone to an attack or unauthorized control. For example, smart lighting seems fairly low risk. But depending on the situation, unauthorized control of lighting systems could facilitate in a crime or possible accident or injury.
The Target breach is an example where IoT was used to gain entrance into enterprise information. Anything that has specialized software that controls embedded devices could be at risk.
Sometimes the entity that gets compromised isn't the actual embedded device per se – it's some kind of gateway system that leads to the enterprise network with sensitive information or the mission critical IoT network. From there, the attacker can use that device as the launching point for other malicious behavior.
There is a social aspect to cyber security as well. People leave passwords in obvious locations or choose passwords poorly. Social media can provide information on people, passwords they might choose, and where they work. This human interface and social aspect should also be considered within the scope of cyber security.
GRAU: From the IoT perspective, security means allowing only authorized users in and keeping bad guys out. One dimension of cyber security that's often overlooked is preventing accidental breaches or misconfiguration. A recent study mentioned 70 percent of cyber incidents are internal and of those internal incidents, over 70 percent of those were accidental. Whether accidental or malicious, they stem from the same problems and require the same kinds of capabilities.
Comprehensive cyber security needs to start with secure boot, download authentication, and code signing as a foundation. Other required components are secure communication, authentication, and security management. The unique thing about cyber security as it relates to IoT is not the problem being solved but that these security solutions often require a specialized implementation or at least some amount of unique customization for the environment.
What are the IoT security trends and market drivers?
VOLKMAN: I believe there is an emerging realization that there is no one magical thing I can deploy that will protect me. There has always been investment in "safe perimeter" capabilities like firewalls and intrusion detection. This isn't enough and investments must include things that will quickly tell me when I'm being attacked. We need to understand that as IoT integrates with the enterprise, attacks will happen and focus needs to shift to early notification when things are attacked or compromised. IoT systems need to be designed to minimize damage resulting from a security breach. So security strategies must include capabilities for fast identification and notification of possible breaches.
The interaction between embedded systems and controls is becoming broad and automated. Breaching of these systems has the potential for far greater negative impact. For example, auto infotainment system connectivity with smart phones and in-car Wi-Fi represent potential gateways to the power train and other critical systems within the auto. Perimeters are important, but action needs to be taken to minimize damage if vulnerabilities are exploited.
GRAU: Time to market pressures have and will always be with us. Within the IoT world (or any emerging embedded industry), the trend is to quickly develop, rush the solution to market, and leave security considerations for later. Maybe the initial deployment involves simple password based authentication and/or SSL/SSH access. But this isn't enough. Most IoT devices don't have a well thought out security strategy. The current trend is to not do much at this point. Fortune 500 companies that lead their market space tend to address security more. These companies tend to have decent security perimeters already and understand the need to augment security.
Another promising trend is industry organizations forming around security issues. The ISA/IEC 62443 standards for industrial control security are an important step toward progress and companies are working to achieve compliance. This moves the ball forward and provides a means to ensure a consistent way of measuring security. But it's also important to understand compliance doesn't equal secure. Compliance by itself is a big step forward, but not enough. Significant thought, design, and implementation must occur in order to understand how your IoT solution might be attacked and what kinds of things need to be protected to minimize damage if it is compromised.
Who is investing and why?
VOLKMAN: Larger companies are investing, but smaller organizations recognize the need and don't know what measures to take and risk assessments can cost a lot of money. Today, IT departments understand what a desktop computer network and server farm is, and which elements may be attacked and how. Perimeters and detection systems can be deployed. But the addition of machine-to-machine (M2M) or IoT environments have points of attack that aren't well understood because they are black boxes with little or no documentation.
Companies deploying M2M and/or IoT are asking what they need to be concerned about. There is growing awareness that all the devices on the network need to be addressed with respect to security. One of the biggest problems right now is these individual devices don't have any kind of security software protection built-in. If there is, it's not exposed in a way enterprise IT can incorporate it into their security strategy. There hasn't been any consistent "this is how you address security for this kind of device."
Money continues to be spent on perimeter solutions. Conversations start around "what's the worst that can happen," then assessing and prioritizing security solutions to deal with the biggest threats is a good first step.
Every company is different. Most corporate leaders have fears or heard of issues where companies are hit this way or that way. They listen to news reports, which can be informative, but they may be missing the point. It's critical to determine which security breaches are most problematic for your specific business and how to protect against those. Addressing security isn't cookie-cutter – you have to address them based on your unique circumstance.
One thing I think the industry could benefit from is the notion of a fail-safe. When a system does get compromised, is it possible for the IoT device to be put into a "safe" mode and send a notification that compromise has happened. This involves building something into the device itself.
In my opinion, the best security strategy involves:
- Protecting against the "known bad"
- Identifying things that are "outside the norm"
- Building in fail-safe operation and notification in the event the system is compromised
GRAU: In this new combined enterprise/M2M/IoT world, people are using a traditional mindset. They establish perimeters within perimeters, which puts tons of money into Cisco's pockets. The trouble is these perimeters don't address these new IoT/M2M vulnerabilities. These are embedded devices that most traditional network IT companies do not understand with little or no built-in security or interfaces for security management.
Industrial control companies are starting to invest in more secure solutions and the big players are investing, but not the lower tiers. Of course there are companies like ours (Icon Labs) that are completely focused on embedded security and are actively developing software and toolkits for IoT developers to leverage. Silicon manufacturers are starting to incorporate security aspects like ARM's trust zone feature to enable security, but there still has to be software that uses it.
Larger companies understand that embedded system compromise stems from download execution, and gaining control of the embedded device. So things like secure boot software, and secure software validation between the embedded operating system and application becomes an important security feature. All these linkages must be maintained to have a good level of security. Then focus switches to manageability. Can the system integrate with a remote policy and security information and event management (SIEM) systems within the enterprise that allows anomaly detection. It's all these additional security aspects around the introduction of M2M and IoT where we at Icon Labs are focused.
Most embedded devices sit somewhere on a network with a remote access interface. If a hacker starts probing and runs a dictionary attack, they could potentially do that for days or weeks without anyone noticing, as opposed to a desktop environment where the user would notice slow response or lots of warnings and report this to IT.
Embedded devices typically don't distinguish these kinds of attacks and the lack of visibility for the administrator can be a huge problem. If there are no controls on modifying the configuration of an embedded device, a hacker that spends weeks running attacks can finally breach the device and potentially change configuration without anyone noticing. Smart devices need to be smart about security. Immediate notification should be sent in cases where login attempts or communications with the device is outside the bounds of normal. There needs to be more refinement in the area of detection. For example, attempts to change firmware or configuration without proper credentials should be blocked and a notification created for early warning. But the vast majority of these IoT devices don't expose any kind of security interface for administrators to utilize.
Aligned security approaches and goals
Both experts from the enterprise and embedded IoT spaces had the same key take-aways without ever talking to one another:
- Security must go beyond perimeters
- IoT and M2M devices must have interfaces for fast detection and notification of possible breaches
- IoT and M2M devices themselves must have a comprehensive security plan within the device
It appears the enterprise and IoT security experts are aligned. There is a real need for embedded IoT and M2M solutions to grow up when it comes to security. Without action with respect to IoT security, the results could be far more devastating than getting some credit card information.
 "Target Hackers Broke in Via HVAC Company" http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
 "Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever" http://www.wired.com/2015/01/german-steel-mill-hack-destruction/