Addressing security complexities for the Internet of Things

IoT Evangelist, University of San Diego

The growth of ubiquitous computing and an increasingly networked society have altered the digital genetics of organizations at an unprecedented rate. With the Internet of Things (IoT), organizations have now expanded their footprints and business processes beyond their own data centers, using core infrastructures such as cloud computing frameworks or application programming interfaces (APIs). This complex IoT ecosystem is driven not only by business necessity but also by the elasticity of the IoT framework.

The IoT framework offers unique challenges for evolving organizational structures and diversifying business methods. IoT ecosystems introduce both structured and unstructured data sets where data size is based on both volume and veracity; plus, they often interact with complex business processes that require a higher degree of agility. However, agile IoT operations include operational overhead, which can be costly and often stretches across enterprises. Thus, identifying the IoT security frameworks that are vulnerable to process disruptions is vital as the IoT ecosystem changes.

The following systemic approaches address the complexities of securing an IoT ecosystem.

Software engineering: Because data breaches are frequent, the iteration of software engineering development lifecycles must become agile to meet software security metrics. Yet it can be quite costly to drill down on software design, functions, methods and algorithms. This operation may force reverse engineering in large enterprises that have millions of lines of code in production—as well as cause agility challenges in organizations that outsource software engineering departments. For this reason, IoT products will be expensive due to higher security overhead in the software engineering process.

System architecture: Technology services may exist in many systems and subsystems that are often intertwined across data centers over various geographic regions. The complex technical aspects of such configurations require a broad range of product expertise and the ability to patch network elements—skills often developed outside the organization's infrastructure in the cloud. With the involvement of external vendors and possible reverse engineering—and because patching and bug fixing the complete IoT infrastructure may be outside the organization’s scope—securing the system architecture adds further overhead, increasing the IoT infrastructure’s operational budget.

Policy interventions: Developing industry-wide security metrics and data classification of IoT frameworks is essential because of differences in the severity of IoT data breaches. For example, the costs of implementing IoT security metrics on national power grids are much higher than the costs for retailers or educational institutions. With the advent of big data and the IoT, classifying the data and assimilating new products into IoT frameworks continue to be concerns. Technologies such as Unmanned Armed Systems (UAS) and connected cars bring not only opportunities but also business process disruptions—and may also spur public debate about privacy and security. Agile policy interventions at the local, state and federal levels are required to address these IoT security challenges.

Rules of engagement in cyberspace: Unlike conventional battlegrounds, cyberspace has an unlimited range. Cyber-war spreads easily across the Internet and is unregulated by design. Threats cross global borders, exposing nations to complex rules of engagement. Cyberattacks are a low-cost entry into the battlefield. Novice computer users can easily initiate Distributed Denial of Service (DDoS) attacks using TCP/IP stacks. For example, in a very simple DDoS attack, a few lines of code that loop the ping command can flood public-facing services such as a Domain Name Server (DNS) with ICMP packets. The need for broader international collaboration, along with balanced national security and privacy, is an IoT security task for any state or government.

Training, education and public awareness: Along with security design issues, the IoT involves an ongoing learning process for engineers, policymakers and end users. During design, engineers should have knowledge of domain data, inherent security limitations and the wider ecosystem of the IoT framework. However, securing an IoT infrastructure is not merely a technical problem but is also a complex cultural problem often associated with end users. Often, sophisticated cyberattacks use the computers of unknowing users who have little understanding of malicious software. Advancing technical skills and knowledge requires training as well as STEM education focusing on IoT frameworks, security threats and the ethical use of IoT infrastructures—which may promote the development of an IoT-friendly generation.

IoT infrastructure risk assessments: Organizations define strategy and identify corporate risks. The broader need to determine IoT security metrics to assess risks is vital in any organization as the IoT ecosystem expands. A preliminary assessment of business risks helps enhance the security of the IoT infrastructure and also pinpoints possible business process interventions for anticipated risks. An IoT security strategy must address risk assessment, develop trust-based systems and address customers’ privacy. Conducting IoT security drills helps simulate risk assessment and the response of the incident management team.

Interdisciplinary operations and research: The IoT is interdisciplinary; that is, it requires collaboration to understand its complex processes and ecosystems. Different industries and disciplines bring unique data sets, procedures and techniques that may not be well understood by software engineers or system engineers who manage IoT infrastructures. Operations departments must utilize all experts across departments to improve business processes, secure IoT frameworks and develop unified interdisciplinary collaborations. With IoT, collaboration is a necessity, not a value-added proposition for an organization.

Documentation: Often, broader IoT frameworks are visible to executives of an organization while operational IoT frameworks are limited to engineers and mid-level managers. Managing strategies and operations within the organization is a bigger challenge in the IoT landscape. Developing knowledge-based articles on strategic management and standard operating procedures for system operations, failures and integrations is necessary to minimize business risks. Managing the large code bases and state-of-system architectures requires granularity and accessibility of the documentation across departments. For example, memory leaks are a common problem in Java applications, but they are rarely fixed in the code base and are visible to the engineering department only. In these cases, creating useful documentation and controlling the cost of fixing code are primary matters.

Clearly, the Internet of Things comes with a myriad of security challenges and other issues that must be considered when developing secure IoT frameworks. It’s no wonder IoT security is a topic on everyone’s mind. While IoT security is challenging, it doesn't have to be overwhelming. Considering a holistic security approach at every phase of development for the IoT helps ensure IoT ecosystems are secure and reliable.