Three key capabilities in IoT security
This article was submitted for IoTWorldNews publication
“The same intelligence that enables devices to perform their tasks, must also enable them to recognise and counteract threats.” - WindRiver
IoT adoption is growing at pace as organisations discover more efficiencies, develop new revenue streams and business models as the number of connected things grow. A recent Gartner research note showed that 29% respondents were currently using IoT with an additional 14% planning to deploy projects in 2016 and 21% planning to implement post 2016. In 2016 alone we will see a 50% growth in adoption rates globally according to Gartner. This is juxtaposed against a recent Microsoft study showing that security is the biggest hurdle for enterprise IoT adoption in 2016 and will remain so in 2017.
In the previous two articles I covered off security as a guiding principle for the IoT ecosystem and the need for a holistic, architecture based approach encompassing people, process and technology. In this article we delve deeper into three crucial capabilities that will underpin a secure approach to IoT security. These capabilities are by no means exhaustive but for organisations looking to deploy IoT projects they are simple and achievable pillars as part of their overall security architecture strategy.
There is an old adage in security and that is “you can’t protect what you can’t see”. Visibility is crucial in any cybersecurity ecosystem, to know what assets you have and the ability to manage those assets is a prerequisite for securing those assets and the data that is either stored, processed or transmitted. But when we deploying IoT at a rate of 3 million things per day, reaching 100 billion by 2025, exactly how is this achievable? To complicate matters there are multiple competing communications protocols for both short distance (6LowPAN, Zigbee, Z-wave, Bluetooth LE) and wide area (Symphony, SigFox, LoraWAN, NB-IoT) and an estimated 300 IoT platforms currently deployed.
The ability to discover devices and if applicable the user entity associated will be key and this is where the network and IoT platform layers will assist greatly. As devices are provisioned, the entity (user mapping to device) needs to be shared to a common repository which is dynamically updated as devices respond to heartbeat/keep alive requests from the gateway/platform. Due to the size and dynamic nature of the data, this repository will need to be distributed across the IoT ecosystem encompassing both datacenter and edge analytics. This IoT data lake can then be mined and correlated for threats and/or malicious or suspicious activity. Has there been a spike in CPU on the sensor? Has there been irregular amounts of keep alive packets? Has the device exceeded it’s baseline of data? IoT analytics is in early adoption with IBM’s Watson IoT, SAP Hana and Cisco Fog computing just some of the options from the mainstream technology vendors. In the near future, the developing field of Artificial General Intelligence applied to IoT will help to analyse and identify threats from the massive amounts of data that the IoT will generate.
In an ideal scenario sensors are deployed, switched on and self-provision usually by having a certificate pre-installed and “calling home” to an update server to download it’s configuration. This process is automated else we could not scale effectively. An example is a sensor which tracks telemetry for fleet vehicles in the field. As the sensor is powered on it would update it’s factory settings by collecting the VIN, license plate and unique identifier for the vehicle it’s tracking. Ideally, in the same manner as the device has automated the provisioning process, it should also then ensure the key exchange process is secure, have the ability to boot into a secure known good state and be updated over the wire with new firmware and security updates as they become available.
We can build upon this scenario by building whitelisting capability into the sensor. During boot phase it checks it’s known good state against a defined whitelist of processes it can execute and if there is suspicious activity have the ability to fail gracefully and reset itself to a known good state. If our analytics platform detects anomalous or suspicious activity then the device is quarantined into an unroutable VLAN or a dynamic ACL pushed to the gateway the device is connected to. Other options could be traffic from the device(s) routed differently through the network to another inspection device where machine based learning or sandboxing technology is implemented. Unfortunately what I’ve just described is mere hypothesis at this stage of IoT maturity. The emerging field of Blockchain within IoT is a promising development to deliver a de-centralised and resilient IoT ecosystem.
If Visibility and Automation are the two key pillars of a secure IoT ecosystem then Orchestration is the glue that holds it together. If we explore best practice in terms of a device being provisioned into an IoT ecosystem;
Provisioning & authentication
Configuration & control
Monitoring & analytics
Firmware & security updates
Overlaying a secure architecture over this best practice approach;
Figure 1 - Proposed security architecture, Cisco Systems
We can quickly ascertain that in a secure ecosystem there are a lot of moving parts from secure provisioning and authentication through to post installation firmware and security updates. The only effective means to ensure coherence in this secure IoT ecosystem is having the capability to orchestrate components in an automated fashion. Using the example in Automation, Orchestration enables the device to self-provision, self-authenticate and ensure it has a known good state when it connects. From the edge network (Fog network) orchestration enables the device to be assigned the relevant resources in the data centre/cloud layer and also revokes this if suspicious or anomalous activity is detected by the analytics platform. This revocation can be in the form of certificate or network access using Network Access Control. Organisations who have the ability to orchestrate these functions also maintain Visibility into their IoT ecosystem and are able to automate security at scale.
VAO (Visibility, Automation and Orchestration) are three crucial capabilities organisations need to develop to ensure secure practices within the IoT ecosystem. These capabilities are largely people and process focused with technology as an enabler. VAO does not operate in isolation either and is only effective as part of a holistic, architecture based approach to security in the IoT ecosystem.