One of IoT StreamConf's most popular panels was the Security as a Core Tenet of the IoT Stack expert panel, with thought leaders in Internet of Things security converging on best practices for securing IoT applications at each layer of the Internet of Things technology stack. It is a tough topic: securing IoT communication involves a number of different design patterns, implementations, and operational considerations.
Each panelist brought a unique perspective to the topic. Moderated by Paul Roberts, Editor of The Security Ledger, the panel consisted of:
- Todd Greene, CEO, PubNub
- Ross Mason, Founder & VP Product Strategy, MuleSoft
- Daniel Miessler, Research Lead, HP Fortify on Demand
- Josh Corman, CTO, Sonatype
- Justine Bone, CISO, Hoyos Labs
Internet of Things security is paramount
“I ask you, now that my car’s brakes have been disabled by my friends. My steering column can rip out of my hands. My buddy who’s a Type 1 diabetic can give himself a lethal dose of insulin with a vulnerable Bluetooth stack. You can do remote kill switch on every emergency response vehicle in the country of Brazil. Is a 4% fraud loss rate acceptable? I think the answer is no.” – Josh Corman, Sonatype.
As an industry, the IoT has failed to make it clear that if you put software on something attackable and connect it, it is exposed. We have to aggressively and sanely accelerate the benefits of connected devices while mitigating the risks. If we move too fast in developing new IoT applications but don’t make security a paramount consideration, we leave ourselves vulnerable to massive breaches with massive consequences.
What is the IoT stack?
It’s actually more than a single stack. The IoT stack varies from use case to use case and from implementation to implementation.
Today, it’s really a Wild West: the development team is left to figure out where the vulnerabilities exist and to find a way to counter them. If the team has strong security expertise, maybe they’ll do it right. If they don’t, they’re opening their solution up to any number of breaches. The question is where to go from a stack perspective, and how to make decisions that evolve the stack over time.
For example, one major design pattern is to move as much security as possible off the device and into the network. The more you expect the device to do in terms of processing, encryption, and connectivity, the harder those devices will be to upgrade. Pushing security into the network opens the door to more flexible improvement of security for connected devices and solutions.
Implementations of IoT
There are three major categories of IoT, and security in each of those categories differs. Commercial sits in the middle, with consumer on one side and industrial on the other.
- Consumer: devices connected to and controlled through a mobile device. Many of the security considerations concern the WiFi network and the boundaries enforced by the network technologies. For example, home automation, the connected car, or wearables.
- Commercial: sits between consumer and industrial; commercial IoT adds, for example, consumer goods manufacturers connected to manufacturing plants, commercial vehicles connected to a geolocation application, connected billboards, retail, vending machines, etc.
- Industrial: heavy implementations, including industrial processes and supply chain. Data volumes are high and applications are mission critical. For example, manufacturing, transportation, medical, or energy.
Authentication and the Internet of Things
Traditionally, we have layers of authentication. We don’t authenticate to a laptop, but rather to a server through our laptop, usually with a password. The server at the other end then knows that the user is authentic.
However, a connected device like your car may not have a keyboard on which to type a password. When we think of the IoT and personalization, how do we know who is connected, and how can we ensure that it’s the correct user?
Right now, a user is commonly represented by two things: our biometrics and the other devices we carry (most likely a phone or wearable). For two-factor authentication, the biometrics authenticate the user to the phone, and the phone then authenticates to the backend infrastructure. This is one example of a way to authenticate the human in front of a connected solution such as your connected car.
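As an added illustration of the two-hop flow just described (not code from the panel or from any panelist's product): the phone is the only party that ever sees the biometric, and it proves itself to the backend with a single-use challenge. The class and method names, the HMAC-based shared-key scheme, and the exact-match biometric check are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration, not the panel's or any vendor's code: the biometric is matched on
# the phone; the phone then proves possession of a device key to the backend. Names are assumed.
class Phone:
    def __init__(self, device_id, device_key, enrolled_sample):
        self.device_id = device_id
        self._device_key = device_key                              # never transmitted
        self._template = hashlib.sha256(enrolled_sample).digest()  # stays on the phone
        self._unlocked = False

    def biometric_match(self, sample):
        # Hypothetical exact matcher (real ones are fuzzy); constant-time comparison.
        self._unlocked = hmac.compare_digest(hashlib.sha256(sample).digest(), self._template)
        return self._unlocked

    def answer_challenge(self, nonce):
        if not self._unlocked:
            return None                      # no local biometric match, no response
        self._unlocked = False               # one match unlocks exactly one response
        return hmac.new(self._device_key, self.device_id.encode() + nonce, hashlib.sha256).digest()

class Backend:
    def __init__(self):
        self._keys = {}                      # device_id -> device key (shared at enrolment)
        self._pending = {}                   # nonce -> (device_id, expiry)

    def enroll(self, device_id, device_key):
        self._keys[device_id] = device_key

    def challenge(self, device_id, ttl=30):
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (device_id, time.monotonic() + ttl)
        return nonce

    def verify(self, device_id, nonce, response):
        entry = self._pending.pop(nonce, None)   # single-use nonce: a replay finds nothing
        if response is None or entry is None or entry[0] != device_id or time.monotonic() > entry[1]:
            return False
        expected = hmac.new(self._keys[device_id], device_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def authenticate(phone, backend, sample):
    # Whole flow: user -> phone (biometric), phone -> backend (challenge-response).
    phone.biometric_match(sample)
    nonce = backend.challenge(phone.device_id)
    return backend.verify(phone.device_id, nonce, phone.answer_challenge(nonce))
```

The backend never receives biometric data, only a response bound to its own fresh nonce, so a captured response cannot be replayed and a failed local match yields no response at all.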
Going forward, security must be at the forefront of every IoT application. With increased reliance on IoT applications, vulnerabilities will continue to emerge, and measures need to be taken to ensure that they are patched. More importantly, as we push the IoT forward, we need to avoid reinventing the wheel with every new application.
If you’re interested in learning more about the Internet of Things, we’ll be discussing the challenges of IoT communication in depth in our “Rethinking the IoT Security Model” live webinar, June 17, at 9am. This webinar will review 10 key challenges of securing IoT communications and will map out a strategy for a new security model that enables a ubiquitous, secure, bi-directional communication protocol for the Internet of Things.