IoT security requires a systemic approach
This article appeared in iotworldnews - https://iotworldnews.com/2016/08/iot-security-requires-a-systemic-approach/
Whichever vendor or research analyst you subscribe to, the proliferation and uptake of IoT is exploding with Gartner predicting approximately 21 billion devices connected by 2020 with 3-4 million devices added yearly. Cisco Systems estimates the IoT technology wave will be worth USD $14.4 trillion dollars to the global economy as we connect the unconnected, people to things (P2P), machine to people (M2P) and machine to machine (M2M). It’s no wonder then that security and risk issues are of top concern to executives as they balance the opportunity value versus risk to deploying IoT en masse.
The opportunity for the industry to incorporate security considerations into the IoT platform via hardware (Intel’s hardware assisted security comes to mind), standards/regulatory policy (implemented haphazardly) and best practice frameworks (lack thereof) has been missed and with it our leading contingency to adequately secure IoT and ensure we realize the full value of this transformational wave. Exacerbating this is the current approach in IoT security, which emphasizes technology and utilises traditional reductionist models such as perimeter- and device-based security, air-gaps and manual security processes.
The explosive growth of IoT, complexity and diverse ecosystems that exist such as hardware and communication protocols calls for a holistic, system approach to security.
Systems approach to IoT security
While systems theory traces it’s roots to pre-Socratic philosophers it was modernized in the 20th century by biologist Ludwig van Bertalanffy as general systems theory. It is best described by Aristotle great quote “the whole is greater than the sum of it’s parts” and prioritizes holism over reductionism. It defines a system as interrelated parts all interacting together to achieve a common objective. It’s other main premise is that the system requires self-regulation and self-correction through feedback loops.
In the context of Cybersecurity this means viewing IoT as a complex interconnected eco-system comprised of multiple elements such as things/devices, software/firmware, communication protocols, cloud-enablement platforms, data and people. Conversely appropriately securing this interconnected eco-system requires an integrated security architecture applied across people, process and technology.
Characteristics of a systemic approach to security
Systems theory applied to IoT security has four characteristics:
Interconnected process encompassing people, process and technology
In their paper “A systemic approach to IoT Security” the authors envisage an iterative tri-modal model comprised of People, Process and Technological Ecosystem. Any security approach that fails to consider this is inherently reductionist in nature and unlikely to succeed.
Simplicity over complexity
Bruce Schneier was quoted in 2001 as saying “complexity is the enemy of security” and this is a truism in the context of IoT. Due to the volume of things and data, proliferation of cheap hardware and lack of standards current approaches to security are complex in nature. Where openness and interoperability is key, security is often stitched together haphazardly in a “Frankenstein” manner. Security architectures and systems need to be simple with fewer moving parts that utilize open API’s and orchestrated from a central platform.
SIA (Scalability, Integration & Automation)
With an expected 21 Billion things to be connected by 2020, any security architecture or system needs to scale quickly while maintaining simplicity. Another characteristic of systems theory is self-regulation, which for the purpose of this article I’ll call automation.
Why the connected journey will leave you exposed to security risks
Moving towards a safer, smarter, and more secure connected home
Minimizing vulnerabilities of IoT
This encompasses the ability to scale security in an automated fashion in both instantiation of a control and automated response to a threat. An example would be a health provider with bio-medical equipment. As new capability or bio-medical devices are added, network/endpoint security is automated by instantiating controls on the device and network level. If a threat is discovered on these devices or segment, an automated response to quarantine or throttle the devices is deployed.
Eco-system of partners
No one, two or even three vendors can solve the challenge of IoT security. Similarly just as IoT requires an eco-system approach to flourish, security for IoT requires a broad consortium using open protocols and platforms. Part of this may include sharing of threat intelligence to allow accelerated responses to threats.
If we are to realize the potential of IoT then the security and privacy issues must be adequately addressed. Due to the challenges of diverse platforms, haphazard standards and a global Cybersecurity skills shortage, a different approach is needed based not on technology but rather IoT security as a holistic eco-system.
Lani Refiti is Security Lead at Cisco Systems, Advisor to Australian Information Security Association (AISA) and IoT Alliance Australia work stream on security (IoTAA). He has over 19 years experience in security and has a keen interest in IoT.