IoT Security Challenges, Opportunities

Vendors see the importance of cybersecurity, but not everyone has gotten the memo yet.


The specter of cybersecurity is haunting the Internet of Things—or more specifically, the lack of it.

Big companies in information technology and telecommunications have embraced the IoT as a significant business opportunity, and the field is inspiring hundreds of startups in Silicon Valley and elsewhere. Venture capitalists hungrily eye the IoT, betting on which companies will be the Amazon or Google for the Internet of Things. And Amazon and Google are looking for opportunities in conjunction with the IoT’s expansion by harnessing artificial intelligence, machine learning, and other emerging technologies.

Still, the subject that often stops IoT’s happy talk and rampant optimism is security. Can IoT devices be more secure? Of course. Yet not all are willing or able to implement the necessary measures for cybersecurity success in the real world.

The Internet of Things World conference and exhibition in Santa Clara, Calif., included a nearly day-long track on IoT security, sponsored by Electric Imp, a supplier of a connectivity platform and software development tools. Beyond that track, security was also a topic of discussion in multiple other conference sessions over the three days of the show.

IoT World took place just days after the WannaCry ransomware struck more than 200,000 computers around the world, demanding ransom payments in Bitcoin, the electronic currency not tied to any bank or country. There was no apparent connection between IoT devices and the WannaCry attacks, but the memory of last October’s distributed denial-of-service attack on Dyn DNS remains fresh for many people in the IoT business.

Ovum, the market research and consulting firm, identified security as one of five key themes in its “2017 Trends to Watch: IoT” report. “IoT security will become a core focus for both enterprises and providers, and will be part of every deployment discussion, as well as coming onto the radar for regulators,” the firm predicted in March.

“There are two sides to this, the consumer IoT and the enterprise IoT,” Ronan de Renesse, Ovum’s practice leader for consumer technology, told Semiconductor Engineering. “At the enterprise, the awareness of security risks for IoT is much stronger. For consumers, in many cases, it’s not high costs.”

Cybersecurity vendors were out in force at the IoT World exhibit floor, but what was particularly noteworthy is that companies are starting to look at security from different angles. Rambus introduced and demonstrated its IoT Device Management service as part of its CryptoManager security platform. Rubicon Labs of Austin, Texas, and San Francisco touted its IoT identity platform as an alternative to public key infrastructure (PKI) security technology.


Fig. 1: IoT Device Management implementation. Source: Rambus

“We try to provide security all the way, from the device itself,” said Benjamin Binet, vice president of IoT marketing at Gemalto. “A SIM card, or a MIM card, is a security container.” IoT devices need a secure element, such as a chip or a software container, he added. “We have encryption solutions. We do encrypt data,” he continued. “The market is booming” for encryption, he said.

Gemalto’s “monetized offer” is “to protect and ease the deployment of software into the IoT devices,” Binet noted. “Right now, a lot of software is being on-boarded onto devices worldwide.”

IIoT and enterprise-level IoT

Industrial and enterprise IoT was the subject of eight extended programs at the conference, compared with four programs for consumer IoT, and that counterbalance was reflected on the exhibit floor as well. There seemed to be fewer consumer-oriented gadgets in the aisles and booths, as compared with the 2016 show, and more presentations of IIoT connectivity, security, and technology this year.

Eric Winsborrow, president and CEO of Distrix Networks, said his Vancouver, B.C.-based company, founded in 2006, initially had focused on U.S. government deployments for secure sensor networks and smart power grids. Distrix once worked on software-defined networking technology for the Pentagon’s Predator drone.

While many security solutions for networking technology are based on the Internet protocol, Winsborrow said that 90% of industrial equipment is not connected with IP. Instead, it relies on Profibus and other non-IP networking. The only way to secure that is with point-to-point security over any network, not just IP-based networks, he said.

Comparisons of IT and operational technology (OT) are a Silicon Valley construct, he noted. “OT is a Silicon Valley term. There is a cultural gap” when it comes to IP-oriented Silicon Valley ventures.

The DDoS attacks on Dyn and the WannaCry ransomware assaults are efforts by nation states with sophisticated tools, according to Winsborrow. They seek out complicated vulnerabilities — unprotected IoT devices, security cameras in particular, with default passwords in the Dyn attacks and unpatched Windows XP computers for WannaCry. “What’s necessary is to build security into your products,” he said. “That’s a Valley problem. They don’t believe security should be in there.”

Distrix isn’t alone in targeting the IIoT. Cambium Networks, once a division of Motorola Solutions, has combined the wireless broadband products of Canopy Networks and Orthogon Systems. Motorola Solutions divested the division in 2011, selling it to Vector Capital. Cambium offers wireless communications technology for the IIoT.

But for all of these segments, security is emerging as a key concern.

“As we talk more and more about cybersecurity, there are a lot of compatibility issues,” said Steve Brumer, a partner in 151 Advisors, a global consulting firm. “One crazy thing about IoT, as you know, is it’s not easy. You need a lot of partners, products, in the ecosystem in order to provide a solution, whether it’s smart agriculture, whether it’s connected car, whatever it is. There’s no one throat to choke in our IoT end-to-end business. And I’ve been doing end-to-end almost 20 years. I did the first Coke machine with a CDPD [cellular digital packet data] module back in the 1994-1995 timeframe, so I’ve been doing it a long time. But it’s still confusing. There are still a lot of moving parts within a solution for a customer, whether it’s in home or whether it’s industrial. And with that comes very different answers for how you handle security. I’m not saying it’s a common platform, a common standard, because there are so many workgroups and SIGs working around the world, from the IEEE to everybody else – we’re looking at cybersecurity in the IoT space. But no one’s come out and said, ‘This is the standard, this is what we’re going to use, everybody’s going to use it, and it’s free, it’s open-source, or whatever.’ None of that is happening, and I’m not sure it will happen in my lifetime.”

The problem becomes worse as chips become more heterogeneous, as systems become more complex, and as completely unrelated technologies and systems share the same communications infrastructure. “The problem is you may have 10 different products with 10 different processors, and one application,” said Brumer. “How do you get them all to talk the same security language? The only common denominator may not be even the module. It could be the SIM. But confusion breeds opportunity.”

Artificial intelligence

AI, machine learning, and augmented/virtual reality have begun creeping into IoT World, as well. Samsung Electronics demonstrated virtual-reality technology and its Artik IoT Platform, related Artik modules, and various IoT products and services. While Artik is “a critical component” in Samsung’s IoT strategy, there is much more at work for the company, said Ed Abrams, vice president of enterprise IoT at Samsung Electronics America.

The product line extends to artificial intelligence with the Bixby assistant, which will be added to Samsung phones and other products, as well as the Linux-based Tizen operating system for IoT, according to Abrams. The security capability is derived from the Knox feature on Samsung phones. The core technology of cloud services is complemented by Samsung devices – phones, tablets, VR headsets, edge devices, and Artik modules – and by an ecosystem of industry partners, the Samsung executive noted. The acquisition of Harman International is one aspect, alongside partnering with VMware and other companies.

Samsung is depending on its partners as it expands into IoT for health care, hospitality, insurance, retail, transportation, travel, and other industries, Abrams said.

Conclusion

The complex nature of the IoT business means there are plenty of business opportunities, from AI to IIoT. But concerns about security are widening. As the IoT catches on, everything and everyone is connected. And that has raised a specter of insecurity that is likely to hang over this increasing connectivity for years to come.
