The Internet of Things (IoT) – A Deluge of Devices. By all accounts, there will be 30-50 billion internet-connected devices by 2020. This is a massive cyber-attack surface to protect. The number of devices expands by the thousands every day; creating a daunting challenge for cybersecurity. 

What is the IoT? The IoT is a network of dynamic, interlinked components that sense context, transfer data, process information, and initiate action (MIT, 2018); this forms a control loop. The IoT includes devices, vehicles, and infrastructure. The power of the IoT is that the physical and digital worlds seamlessly interact. This is the foundation for the digital transformation underway in almost every industry.

Since the IoT can initiate action, it presents a different set of cybersecurity priorities compared to the typical Enterprise IT environment. It’s critical to understand these differences since so much of the attack surface is being driven by the IoT.

Upside – IoT Unleashed. In a “smart, hyper-connected” IoT environment, every device and system will:

1) Connect to one another, and share data.

2) Be smart enough to make decisions.

3) Act on decisions independently, without human intervention.

This provides synchronization and coordination in real-time, at scale. The impact is higher productivity, proactive and preventive action, improved customer engagement, better customer experience, and new, powerful business models. It has the potential to unlock $11 trillion of economic value by 2025, per McKinsey Global Institute. This is the upside.

Risk – Shackles on Digital Freedom. While pursuing the promise from connectivity and smart devices, significant risks have to be addressed. In a cyber-attack, connected devices can be controlled by a threat actor and directed to take harmful actions. For illustration, here are some possible IoT cyber-attack scenarios. Watch the 2016 movie Zero Days for more color.

  • Industrial IoT – The control loop of Sensors, Controllers, and Actuators is compromised causing valves to open and close incorrectly, and robots to take the wrong action or move at the wrong time. As a result, assets are damaged and possibly destroyed, plants go down, people get hurt, and if data is exfiltrated, IP is lost.
  • Connected & Autonomous Vehicles – A moving car gets hacked. The attacker corrupts sensor data causing the car to deploy airbags, lock the doors, turn on cruise control, accelerate, and disable the Anti-lock Braking System. In an autonomous vehicle, the navigation system is fooled, and the car is misdirected. In these scenarios, people are injured or die, property is damaged, and accidents snarl transportation systems.
  • Critical Infrastructure – An attack is directed at systems that deliver electricity, water, communications, and climate control. They are turned off, or destroyed. Everything in the functioning economy could be impaired or disrupted at a local, regional, or national level; perhaps for long periods of time. This could cause a large scale loss of life.
  • Health Care – In an attack on health care delivery infrastructure, data from remote monitoring and dispensing devices is altered causing the delivery of lethal doses of medication.

To take on the risk challenge, how should we look at IoT cybersecurity? It’s valuable to understand how IT and IoT priorities are different. Decision makers need to understand this difference as they consider extending IT cybersecurity to protect the IoT environment.

IT Priorities – Confidentiality, Integrity, and Availability (C-I-A) – C-I-A is a well-known acronym for the IT cybersecurity “triad”. For IT environments, the rank order of priorities is typically C, then I, then A. The focus of the IT environment is data.

  • Confidentiality is limiting data access to people that need it. Methods for maintaining Confidentiality include: encryption; passwords; two-factor authentication; security tokens; and air gapping of systems.
  • Integrity is maintaining data consistency, accuracy and trustworthiness over its entire useful life. Methods to maintain Integrity focus on ensuring that data is not altered while in transit, or by unauthorized individuals while data is at rest.
  • Availability is ensuring that data can be accessed when needed. Methods focus on maintaining hardware, software updates, bandwidth, redundancy, and back -ups.

The IT environment is typically mobile devices, computers, and servers interacting with one another in dynamic, unpredictable ways. The operating systems and communication protocols are relatively standard and ubiquitous. Software updates are frequent, helping to maintain some level of security. The IoT is different.

IoT Priorities – Different from IT. Connected devices, in a control loop, require different priorities:  Control, then Availability, Integrity, and Confidentiality. The focus is on process control. The IoT in this environment is often called Operational Technology (OT).

  • Control of the process is critical, with prescribed inputs and outputs, in a static, deterministic environment. Losing control of the process makes bad things happen in Industrial, Automotive, Infrastructure, and Health Care application scenarios.
  • Availability of the process to deliver as planned. Losing availability impairs speed and precision. This can be devastating in critical applications.
  • Integrity of the control data so that it’s trustworthy and accurate. Using incorrect data can cause controllers to drive the wrong actions, and smart devices to make the “right decision” with bad data, causing a bad outcome.
  • Confidentiality of data is the lowest priority since in a control loop, exposed data may have little use to an attacker.

Implications. Along with different priorities, the IoT presents unique challenges, including multiple protocols, infrequent software updates, and limited device security. For decision makers, it’s important to recognize that the IoT requires a thoughtful, outcome-driven approach to cybersecurity, not simply an extension of the IT approach and toolset.

Our team at ADI is working on solutions to overcome the IoT cybersecurity challenge. We seek to unshackle Digital Freedom.

What Market Voices Are Saying. Per Lux Research, the IoT Security Market has emerged. Patent activity in IoT Security has been increasing by 24% per year since 2012 (including devices, applications, countermeasures, and approaches) and the pace is accelerating.

Shout Out to a Digital Freedom Fighter. To our brilliant Cybersecurity Engineers working on the Universal Security Platform to make it is easy for ADI Customers to implement security in their Industrial Control System (ICS) designs, supporting IoT cybersecurity.

Anonymous