Applying today's expertise to tomorrow's Internet of Things security challenges
Not a day goes by, it seems, that someone out on the Internet claims the world is doomed because the next wave of computing, the Internet of Things, is insecure. Some recent examples of this trepidation include a National Institute of Standards and Technology (NIST) official and notes from the last Black Hat conference. Other similar stories have been in the news, from November 2011 to July 2012, with worries that printers will bring down enterprises.
Everyone seems to be moving these kinds of concerns to the front of discussions, which is actually a good thing. Increased interest in security means that it will be given more attention and, over time, produce enhanced results. Hopefully, the attention will last far longer than the media frenzy on the topic.
Some aspects about the Internet of Things are new and different from connected technology of the past. Devices necessarily run in harsh environments. Not only must they run in physical environments that are often demanding—with hot and cold temperature extremes, challenging weather conditions and so on—but they also need to run outside the bounds of physically secured places. In addition, the devices may even communicate using multiple forms of communication, depending on their current state and/or position.
Within the Internet of Things, many more devices will be in existence than those we have worked with in the past. Estimates vary widely, but many put the number far into the many billions of connected devices.
Devices will operate under constraints. For cost and sizing purposes, the devices are expected to have widely varying levels of compute, storage and network capabilities along with heat and power constraints. We are all familiar with this situation, even with the mobile devices we use today as we run around looking for power plugs or always having the battery charger handy to top off our mobile device batteries. However, for many Internet of Things devices, someone isn’t around to plug in the charger and power plugs are not readily available. As a result, compute processing may be limited by how much power is available rather than the capacity of the processing chip in many circumstances.
Devices also operate much closer to the physical environment than we typically see today with mobile computing and cloud-hosted applications. In other words, Internet of Things devices will be used in mission-, life- and safety-critical situations. The devices are likely to have fail-safe modes of operation, be able to work in some usable manner even when all communications and limited power resources are available, and always bring themselves to a safe operating state. Good thing we have great engineers to make sure these characteristics are built into the hardware, firmware and software of all these devices.
Even with those differences, a lot of security technology can be reused and extended to secure Internet of Things environments. IBM is addressing the challenges of securing the Internet of Things with a wide range of solutions. These approaches include additional capabilities, when affordable and appropriate, in the devices themselves and using secure design principles in the design of the devices and the systems with which they communicate. They also include applying security monitoring tools and analysis algorithms to detect inconsistencies and potential breaches and applying security testing and analysis through the development and deployment of the overall solutions. This technology is expected to span from devices through supporting cloud and data center environments and extend into user-interface applications that are mobile device-based, browser-based or through some other form of computer interface.
The industry is quite likely to continue to discover the sweet spot in the risk-versus-spending spectrum. Different solutions, environments and devices may land at different points and be deployed for different purposes. In some cases, regulations may force certain decisions and technologies, but just as we are seeing with drone-related regulations, the technology advances are expected to outpace the regulations to demand compliance—at least for a while.