IoT Security Reality Check

There are many layers to IoT security, but much existing technology can be applied today.

Lorie Wigle, Intel Security’s VP and GM of IoT Security Solutions, made a good point at SAE World Congress last month when she said, “The news feed is full of articles of hand-wringing about how it’s the Internet of Threats, not the Internet of Things, and the reality is we have technologies we’ve developed over the last 30 years in security and IT systems, many of which are perfectly applicable to the Internet of Things.”

Intel thinks about the IoT as falling into three broad categories:

1. Mobile: smartphones, wearable devices, cars.

2. Smart home. While it might not be ubiquitous today, in 5 to 10 years, smart homes will be as commonplace as smartphones, Intel contends.

3. Industrial/industries/infrastructure: retail, point of sale systems, ATMs, smart shelves, manufacturing, energy, transportation infrastructure, etc.

She pointed out that these categories are useful because we need to think about what the threat environments are for each of them.

“As we think about these areas of vulnerability and the threats that we need to defend against, we think that you need to take a very holistic approach. There are metrics that we can use to protect all of the devices in the Internet of Things, including the whole system, not just the end node device but the connectivity on the cloud and the analytics associated with the overall system. We need to implement detect capabilities, and you can think of those on a couple of different levels. At one level, we have technologies that we can embed so that we can be sure that we are talking to the device we expect to talk to, that there is identity associated with that, and we can attest to that identity and that not only is the hardware right, but that the software is right. The second level of detect in this context is really looking at behavior of the overall IoT system, and performing analytics on that so we can detect anomalies. We can never assume that any system is going to be perfectly secure, in fact, you’re probably safer to think that you’ve been compromised, and looking for that compromise so that you can remediate it — which is really the third step, which is correct. It doesn’t matter how it happened, you need to be able to correct the problem and resume normal operation,” she said.

“The other thing that is really important about the Internet of Things that is different from IT security,” Wigle continued, “is here we are interacting with the physical world: physical objects, physical things happen as a result of these systems in many cases. It means that if there is a problem, we need to fail in a way that is safe so again, having that paranoid perception of, ‘I’ve been compromised. How do I make sure that I still operate in a safe way?’ Lastly, we need to adapt, and that’s both adapting as a result of what we’ve seen in our individual IoT system but also increasingly, we have access to threat information. In automotive, think about the ISAC (Information Sharing and Analysis Center). In a lot of different industries now we have threat sharing. Some companies like Intel Security have McAfee Global Threat Intelligence, so we should be taking in that data, and adapting as a result of it.”

Of course she was speaking from a hardware-maker’s perspective as to what should be built into its IoT systems. “On one level, IoT isn’t all that different than what we’ve done before — we’ve got a series of things that are connected through sensors, maybe they are connected to a gateway, maybe directly via a network,” she observed.

All the same, Wigle said Intel’s ‘very strong recommendation’ is that each of the devices that are part of this system should be equipped to address the threat lifecycle of protect, detect, correct, and she believes there are a couple of things that can be built in to do a lot of that work:

1. Hardware and software identification. A hardware-based ID can be used to make sure that the device you’re getting data from is a device that can be trusted and is one you expect. The software part of that is confirming that the software hasn’t been modified — you’ve taken a measurement of it, and you can verify that it’s not been tampered with.

2. Trusted execution environment. If you’ve got a safe place to execute code, and to store material, we can perform higher level functions: encryption, protecting the data, protecting the version, etc. Today, we’re not doing a good enough job of necessarily implementing the hardware and even if we have the hardware capabilities, the software isn’t necessarily taking advantage of it.
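The identity-plus-measurement check described in item 1 can be sketched as a challenge-response exchange. This is an added example, not Intel's code: a per-device HMAC key stands in for the hardware-based ID (a real device would keep an asymmetric key in a TPM or secure element), and the device name, key, and firmware bytes are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a per-device key provisioned at manufacture and the
# SHA-256 measurement of the approved firmware image (all values hypothetical).
DEVICE_KEYS = {"sensor-01": b"constructed-demo-key-sensor-01"}
GOOD_FW = b"firmware v1.2 (constructed image)"
APPROVED_FIRMWARE = {hashlib.sha256(GOOD_FW).hexdigest()}


def _message(device_id, measurement, nonce):
    # Fields bound together under the device key; the nonce gives freshness.
    return device_id.encode() + b"|" + measurement.encode() + b"|" + nonce


def device_quote(device_id, key, firmware_image, nonce):
    """Device side: measure the running firmware and bind it to the nonce."""
    measurement = hashlib.sha256(firmware_image).hexdigest()
    tag = hmac.new(key, _message(device_id, measurement, nonce), hashlib.sha256)
    return {"device_id": device_id, "measurement": measurement, "tag": tag.hexdigest()}


def verify_quote(quote, nonce):
    """Verifier side: check identity first, then the software measurement."""
    key = DEVICE_KEYS.get(quote["device_id"])
    if key is None:
        return False, "unknown device"
    msg = _message(quote["device_id"], quote["measurement"], nonce)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["tag"]):  # constant-time compare
        return False, "identity check failed"
    if quote["measurement"] not in APPROVED_FIRMWARE:
        return False, "software measurement not approved"
    return True, "ok"


def demo():
    key, nonce = DEVICE_KEYS["sensor-01"], secrets.token_bytes(16)
    genuine = device_quote("sensor-01", key, GOOD_FW, nonce)
    return {
        "genuine": verify_quote(genuine, nonce),
        "tampered_fw": verify_quote(device_quote("sensor-01", key, GOOD_FW + b"!", nonce), nonce),
        "wrong_key": verify_quote(device_quote("sensor-01", b"guess", GOOD_FW, nonce), nonce),
        "replayed": verify_quote(genuine, secrets.token_bytes(16)),  # stale quote, new nonce
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

A failed check is the "detect" signal; what the system does next (quarantine the device, fall back to a safe mode) is the "correct" step and is outside this sketch.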

*

Oh, and by the way, apparently today is the 4th annual World Password Day, according to Intel. The company said in a news release that they are encouraging consumers globally to take the pledge to commit to strengthening and changing their passwords. “World Password Day aims to educate and drive conversations about how to make our online accounts and activities more secure. This year, Intel Security is urging everyone to enhance the security of their online accounts by setting up multi-factor authentication.”