IoT security is bad. It’s time to take a different approach
By Mary Branscombe
The Internet of Things is getting mainstream enough that we need new acronyms to differentiate medical (IoMT) and industrial (IIoT) connected devices from consumer doorbells, security cameras, weather stations, tennis rackets and nappies that are already streaming data. IDC estimated some $200 billion was spent on Industrial IoT modules and sensors in 2019 as we move towards the grand vision of Industry 4.0.
The idea is that we’re now onto the fourth industrial revolution (steam power and electricity having given way to computers for the third industrial revolution). And part of this grand vision is that smart, connected, machine learning-powered machinery that can configure, monitor, improve and diagnose itself becomes part of everything from the factory floor to cars and cities.
If you want to pull back from talking about the future of everything to just the manufacturing and production bits, that’s Industry 4.0. Then there’s edge computing; having moved a lot of compute from the server room up to the cloud, we can now push the most time-sensitive computation next to the machinery, falling back to the cloud for the analytics and modelling that makes that local compute so targeted.
Whatever we end up calling it, when IoT devices are controlling drug pumps, manufacturing operations, fleet management and the electrical grid, you want them to be secure. A firewall won’t help with that. in the first half of 2018 Kaspersky IoT honeypots detected 12 million attacks aimed at IoT devices coming from 69.000 IP addresses. In the first half of 2019 that was up to 105 million attacks from 276,000 unique IP addresses. Are you planning to block all the malicious IP addresses?
A perimeter firewall hasn’t made sense as the way to protect devices since modems and then smartphones made working outside the office common, just as walled castles are a bit out of date. Remote connection policies are an attempt to force everyone to go over the drawbridge where you can take a look at them and their identity papers. Conditional access policies are like putting someone very experienced on the gate: even if the identify papers are stolen or a good forgery, they look for suspicious behaviour like having got here impossibly fast or never having been here before but asking to go straight to the room in the tower with the treasure in. And once you’re inside the walls, you need to enforce access policies on every system with another drawbridge into every room, because the firewall can only check ‘north-south’ traffic coming in from outside, not ‘east-west’ traffic bouncing around inside the network.
Tempered Networks has what it calls a virtual air gap firewall, which replaces the IP address with a cryptographic identity stored in secure hardware. That’s one of many approaches to IoT security. G+D (the company responsible for a large proportion of SIMs) suggests using eSIMs for identity. Cisco Edge Intelligence promises anomaly detection – spotting compromised IoT devices by analysing network traffic. Microsoft has Azure IoT services that use Azure Active Directory for identity and device management (including updating devices, something that rarely happens today, using the Windows Update content distribution network). It also has Azure Sphere, a hardware platform for building devices with a custom Linux distro and a secure microcontroller unit that’s been picked up by Qualcomm, NXP and other hardware suppliers.
Arm – whose embedded processors are widely used in IoT devices – is adding a hardware root of trust to chips used in IoT devices, which can do things like blocking debugger access once a device has been deployed; this kind of lifecycle protection is a good way to give developers powerful tools for building systems that hackers can’t use to break into them. There are also some simpler precautions you can take for IoT hardware designed before these protections: making sure devices are never installed with the default password and using strong identities for each IoT device, so it can only communicate with systems it’s controlling or sending data to. IoT devices are sometimes attacked as a way into your network, so limiting privileged admin accounts and moving from basic authentication and passwords to MFA and biometrics or hardware tokens.
Just remember that the reason the S in IoT stands for ‘security’ is that you might have to put it there yourself. Or as Microsoft Distinguished Engineer Galen Hunt put it when telling us about Azure Sphere in 2018, “there’s been just enough IoT that people have begun to realise how bad it could be.”