The Equifax data breach—which potentially exposed Social Security and credit card numbers and other personal information for up to 143 million Americans—is only the latest in a string of cybersecurity attacks that will likely continue. While security remains a top challenge in the IoT world, it hasn’t been enough of a priority.
"We're trading security for convenience," said Bill Diotte, CEO of Mocana, during a keynote talk at the recent Internet of Things Device Security Summit in Santa Clara. He added that many don’t totally understand the level at which security and privacy are being compromised.
The frequency of major cyberattacks is increasing, Diotte said, citing that 2017 year-to-date attacks are up 164% compared to all of 2016. Most of these attacks have had a major financial impact—to the tune of more than $800 million per incident. And, this figure excludes costs to remediate the problems, impact on brand, and other peripheral effects.
Part of the problem, he said, is that many have tried to secure their IoT network using traditional IT tactics such as perimeter defense, passwords, simple SSL connection, and encrypted transport. "That IT model does not work very well with IT complexity," Diotte said.
So why is it so difficult to create secure products? From short release timelines to the lack of cyber resources, limited budgets, and the complexity of multiple vendors, the pressures are many. The time is, indeed, ripe for device makers to focus on developing trusted devices.
Attack, or Be Attacked
The promising news around security is that awareness of its importance is increasing and there are great secure chip technologies on the market. However, Diotte tempered this with the fact that many available security options are point solutions that designers have to stitch together—a difficult task, to be sure. "That reveals the ugly part of it," he said.
While the outlook seems rather dreary, Diotte rallied summit attendees to fight back together and build hardened, trusted, self-protected IoT devices. The internet of trusted things entails devices that operate from a known good trustworthy state. This places the onus on device and chip makers, who must ensure that:
- Their updates are cryptographically signed as known good updates
- Their solutions can provide secure communications between a trusted gateway and the cloud
- Their solutions have a strong foundation, driving trusted communications and trusted applications
To support these efforts, Mocana offers its IoT Security DevKit featuring the company’s IoT security stack, a strong cryptographic engine, SSL/SSH/WiFi security, automated key and certificate management provisioning, and sample apps. The kit is available in the cloud. Mocana also provides a "security blanket" for IoT and the cloud, with its software integrated into the software development kits of major cloud computing platforms.
"We think that 'protect' will always be greater than 'detect' in the IoT world," said Diotte.
As the devices we use each day become smarter and connected, it's up to engineers to build trusted products that are protected against cybercrime.
In the second keynote at the IoT Device Security Summit, Ian Ferguson, VP of the Internet of Things Services Group at Arm, spoke about "Unlocking the Value of IoT." He highlighted various challenges he sees for IoT beyond security and authentication: perception of security being too complex, a fragmented ecosystem, long product lifecycles, lack of willingness to pay for it all.
For Ferguson, there are three keys to unlocking the value of IoT deployments: scalability, agility, and extensibility. Regarding scalability, if an application, like an oil rig, has thousands of connected sensors, a consistent level of security has to be integrated throughout all of the layers. Agility involves ensuring that whether new features or updates are deployed, they are all protected, so that end users just notice the new functionality. Extensibility ensures that future growth or changes in the IoT implementation are considered. While he believes that progress is being made, the quality of security is inconsistent—and this is a point that everyone involved, from edge to the cloud, must own.
From hardware root of trust to certificate-based authentication and failure reporting, a variety of security frameworks has emerged. There are also various methods for implementing security via separation:
- Protecting sensitive assets by separating them from application firmware and hardware
- Defining a secure processing environment for this data, the code that manages it, and its trusted hardware resources
- Requiring secure boot so that only authenticated, trusted firmware is running
- Securing the installation of initial keys and firmware during the manufacturing process
What Ferguson is most concerned about, though, are the economics. Cellular network build-outs are expensive. Pushing for < $1 microcontrollers is a recipe for disaster for security. Cloud services are very cost-effective, but most of the data won’t be migrated to the cloud due to issues around privacy, bandwidth limits, and latency. Somehow, Ferguson said, the money needs to flow back down the value chain, where IoT data is monetized and there is revenue to be gained from services returned to the IoT value chain.