Securing the Internet of Things: Where do you start?

Big Data Evangelist, IBM

Securing everything, everywhere, forevermore is the ultimate pipe dream, and it may not even be feasible. The world is too big, complex and dynamic to hold out that hope for long.

Nevertheless, securing every "thing" is becoming a critical issue as we move into the era of the Internet of Things (IoT). Some refer to this vision as the “industrial Internet,” the “machine-to-machine Internet,” the “sensor Internet,” the “ambient Internet” and even the “RFID Internet.” More broadly, IoT refers to the vision of a world where sensors, intelligence and connectivity are embedded into every human artifact, every element of the natural world and even every physical person.

Security is critical to IoT's adoption because we want to make sure we can "trust" the sensors, actuators, rules engines and other connected componentry we embed in every element of our existence. Bringing this down to earth is as easy as pointing out that people's smartphones, tablets, wearable devices, appliances, entertainment centers and home security systems are all becoming "IoT" connected endpoints. How exposed will you be to security vulnerabilities and privacy violations from any and all of these?

Privacy issues are where most people focus in the IoT security debate. In the post-Snowden age, many people are not reassured by statements such as this from former CIA director David Petraeus, who was discussing the privacy vulnerabilities of IoT-equipped "smart homes:"

"Items of interest will be located, identified, monitored and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers and energy harvesters—all connected to the next-generation internet using abundant, low-cost and high-power computing, the latter now going to cloud computing, in many areas greater and greater supercomputing and, ultimately, heading to quantum computing."

So far, nobody has a comprehensive vision for how, or even if, the human race will be able to manage end-to-end security in the coming IoT world. But many people have dissected this topic recently, and many others are sure to follow. For starters, here's the list of IoT security requirements that I discussed in an IBM Data Magazine article from this past summer (in which I defined the role of big data in IoT security):

  • Incorporate robust security protections in the development of IoT products
  • Leverage widely vetted open security standards in IoT products
  • Embed modular, security-aware hardware and software designs in IoT products
  • Conduct independent review, auditing and penetration testing of security in IoT products

It's no surprise that the venerable Vint Cerf has thoughts on this issue as well. At a recent workshop of the US Federal Trade Commission (FTC), Cerf approached IoT privacy protection within a larger architectural perspective. He discussed several key IoT challenges: standardized IoT interfaces, bulk IoT device provisioning and configuration, IoT access control and authentication, IoT privacy and safety, IoT instrumentation and feedback, and IoT device security patching.

On its end, the FTC raised several important concerns to supplement Cerf's and my discussions: IoT device vendor ecosystems, IoT device data de-identification and IoT device-level attack-prevention safeguards.

Yet another (largely non-overlapping) list of IoT security issues is in this recent E-Commerce Times article. The piece, authored by Ed Moyle, discusses 5 security capabilities that should be incorporated into IoT infrastructures: IoT threat awareness/intelligence, IoT inventory management, IoT application security, IoT vendor governance and IoT business integration.

The most noteworthy aspect of Moyle's discussion is the focus on building a security-aware IoT vendor value chain. This excerpt jumped out at me:

"Though it might not seem immediately apparent, securing the supply chain can be particularly critical when it comes to securing purpose-built devices. There are a few reasons. First, the practices of manufacturers (for example, their ability to build a hardened product) play a role. Second, implementers and VARs can leave configuration or other errors in deployment. Lastly, maintenance and support may require granting access to external parties so they can troubleshoot and provide that support. Building a capability to assess these external parties in the supply chain can give you some transparency and help you assess the level of risk these situations might introduce."

If your head's not swimming from IoT security issue overload, you're not paying attention. How do we get our heads around the multi-layered security challenges in this coming era? As an organizing framework, I'd propose that we approach it as follows:

  • Securing IoT endpoints: Do you trust the things themselves? Everybody recognizes that the first line of IoT security must be built into the things themselves. Considering the ever-expanding diversity of IoT endpoints, in scale, features, deployments, etc., the endpoint-security standards must be framed in functional terms that are agnostic to underlying physical implementations.
  • Securing IoT engagements: Do you trust the things' engagements with the world around them? Security vulnerabilities are consequences of how IoT endpoints interact with users, with local and remote applications, with cloud and other infrastructures, and with each other. Securing the IoT depends on standards for how these engagement patterns leverage identity, authentication, access control, encryption, de-identification, privacy, intrusion detection, alerting, auditing, monitoring and other infrastructure services.
  • Securing IoT ecosystems: Do you trust the things' value chains? Security vulnerabilities may be introduced anywhere in the constellation of solution providers, service businesses, certification authorities and others who build, deploy, test, manage and vouch for the endpoints and infrastructures. Securing the IoT depends on assembling the compliance, legal, contractual and operational frameworks to handle the interlocking responsibilities of all these parties for ensuring end-to-end security.

Where do we start to realize this vision of security-enabled IoT? The short answer is "everywhere" (yes, I know that sounds flippant, but it reflects the magnitude of the security challenge that will confront us all as this technology is deployed everywhere).

Fortunately, the IoT industry is beginning to address these challenges on many fronts, a fact to which the cited articles allude. As new IoT technologies take hold and new threats reveal themselves, the global security framework will grow more complex and layered.

Considering that IoT has only just started its long road to ubiquity, ongoing refinement of security infrastructure, tools and practices will go on indefinitely.