The recent hack of a Jeep Cherokee, in which security researchers took control of the vehicle from ten miles away, controlled windshield wipers, entertainment system, steering, transmission, and even disabled the brakes, causing it to end up in a ditch, has raised awareness about the Internet of Things (IoT) – in a very bad way.
It prompted the recall of over 1.4 million vehicles, and raised questions about who is responsible for the cyber-security of connected cars. And that, in turn, points to the risks associated with having other components of the IoT accessible on the Internet.
There are a lot of Things to worry about. They include everything from cars and toasters to machinery in factories, devices controlling essential services like the power grid, and even intelligent thermostats and home security systems. Analysts at Gartner define IoT as “the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment” and predict that there will be 26 billion such devices by 2020. That dwarfs the 7.3 billion PCs, smartphones, and tablets expected to be in use by then.
The trouble is that researchers from organizations ranging from the U.S. National Institute of Standards and Technology (NIST) Computer Security Division to analyst firm Info-Tech Research Group agree that currently the IoT’s state of security is like the Wild West.
One big problem, says Elliot Lewis, vice-president of Info-Tech’s security and risk research practice, is that there are no real standards. Anyone wanting to talk to devices on the IoT must figure out which of 20 or more protocols in use is supported by each device. Vendors building aggregation hubs – devices that collect information from sensors and send it off to backend systems – must therefore support all, or at least many, protocols.
Things are further complicated by vendors, notes Earl Perkins, research vice-president at Gartner. “There are a few vendors that have stated direction and focus consistent with a strategy and roadmap for IoT security as they define it,” he says. Each vendor couches its IoT strategy in terms of its expertise. For example, a network security vendor may offer a way to segment IoT traffic from the rest of the network, and an encryption vendor may show how it will manage keys for IoT devices.
“Color the IoT security market at this time as embryonic,” he says.
Lewis agrees. In fact, he says, at the moment at least, much of the IoT is virtually impossible to secure, a point of view upheld in a recent NIST report that attempts to lay out some best practices. Sensors, he points out, range from tiny broadcast-only devices that can send data and not do much more to devices with some processing power and perhaps a bit of storage. The aggregation hubs are also difficult to protect.
Their job is to pull together all of that incoming sensor data and, he says, it’s difficult to filter out irrelevant inputs. That puts them at risk of denial of service attacks. In his opinion, the place where security can best kick in is at the backend, where network and database security tools already exist. However, that may not be true for long. CenturyLink CTO Aamir Hussain says that his company is working with some startups who are building edge solutions to head off problems before they hit the backend.
In any case, Lewis says that the people with the power in the IoT are those who build the sensors and decide on their communication protocols. Companies like GE, Honeywell, Lockheed, and Boeing need to agree on standards that others can build to – if indeed it’s possible to create standards for so many disparate devices. He recommends monitoring the various bodies that are attempting to establish standards to see who is participating, and with whom, to get a sense of the way the industry is leaning.
“We’ll have to see how the industry plays out,” he says. “There will be a lot of confusion.”
“IoT presents some unique challenges in terms of scale, diversity and integration to name a few concerns,” Perkins adds. “Some vendors are ignoring IoT security altogether because they believe it is another fad that will pass soon and they can get back to ‘real’ work. Yet other vendors are looking at their partner model to determine who would be the best team to join, since it is extremely doubtful that one vendor can provide an end-to-end answer for most IoT security scenarios.”