The internet of things is set to change security priorities
IT leaders must protect against the security risks introduced by the growing interaction between technology and the physical world.
The "internet of things" is a term not devoid of hype and hyperbole, but at its heart is a concept that is already gaining momentum.
Technology and telecommunications firms are linking "things" as diverse as smartphones, cars, industrial sensors and household appliances to the internet, enabling intercommunication and autonomous machine-to-machine (M2M) data transfer.
The first ripples of change arrived with the widespread adoption of radio frequency identification (RFID) tags, but the true transformation has yet to occur.
Data security and privacy concerns
What are the most significant data security and privacy concerns of the internet of things (IoT)? Data security and privacy concerns are not new to the IoT phenomenon -- we have dealt with similar issues from the early days of RFID adoption. For example, when the US State Department first started equipping US passports with RFID tags, passport data could be read from as far away as 30ft via equipment available on eBay for $250.
The State Department had to make changes to the RFID tags, and even though the new generation of tags is more secure, the risks associated with the IoT will reach new levels as interoperability, mashups and autonomous decision-making begin to embed complexity, security loopholes and potential "black swan" events.
Read more security articles
- Connected devices raise concerns about IoT data security vulnerabilities
- Video: How security leaders justify costs
- Security awareness training made easy
- Lifecycle of an advanced persistent threat
- Security Think Tank: High levels of control require detailed security intelligence
- Security Think Tank: Context-aware tech does not eliminate human touch
- Security Think Tank: Context, the 5 Ws and H of security
- Security Think Tank: Context-aware security is about more than buying technology
- Security Think Tank: Begin switch to context-aware security now, says Gartner
- Security Think Tank: New tech trends fuel need for context-based security
- Security Think Tank: context-aware security is business-aware security
Privacy risks will arise as the objects within the IoT collect and aggregate fragments of data that relate to their service. The collation of multiple points of data can swiftly become personal information as events are reviewed in the context of location, time, recurrence, etc. The regular purchase of different food types, for example, may divulge religion or ongoing health concerns. This is one aspect of the big data challenge, and security professionals will need to ensure that they think through the potential privacy risks associated with the entire data set.
The route the data takes to the provider is also a concern. Many early smart meters, for example, do not push their data to an internet service gateway directly, but send it to a local data collation hub (which is actually just another smart meter in someone's home) where it is stored until the data is uploaded in bulk. This process has the potential to place sensitive data in insecure locations.
Object-level security
Security best practice has always indicated that the loss of physical security is tantamount to a logical breach, yet some early elements of the IoT incorporate that very flaw into their design. CISOs will need to be mindful, therefore, of the location and focus of the security provision.
Initially, the security functionality is unlikely to be placed within the object, due to lack of local resources or capacity. It will usually reside within the web service that sits in front of the object and its functionality. Objects will focus instead on message integrity and secure communication. As technology develops, the security level will move closer to the object, before eventually becoming embedded.
Given the potential volumes of M2M traffic, internal storage systems will struggle to scale in a cost-effective manner, and Forrester research suggests that the final repository of the uploaded object is likely to be cloud-based.
This focus on a shared infrastructure raises all the cloud issues we are so familiar with: challenges around identification and authentication, data access, legislative boundary restrictions, state data access laws, and liability cover. CISOs will need to partner with their cloud services provider to ensure that suitable controls exist for every aspect of the service and that these comply with local laws and regulations. One area that is likely to enable object-level security and, incidentally, improved cloud security, is the advent of innovation around "trusted execution environments."
This is where completely independent processing areas exist on the silicon, inaccessible by operating system, super user, or rootkit.
These safe zones, which chip manufacturers such as ARM are designing, have the potential to aid with the significant threats associated with objects, such as unauthorised cloning or firmware updates and object impersonation or tampering. Tampering is a key risk, as the sensors will often be physically accessible by the very people who would want to meddle with their results -- customers interfering with their smart meter, for example, to reduce their energy bill or re-enable a terminated supply.
Standardisation for the internet of things
Identity is the foundation for assigning access and privileges
The foundation of IoT is built on the concept of identity, both for users and for "things." It is imperative, therefore, that developers and manufacturers agree on identity standards. This will involve defining elements such as the authority responsible for assigning identity, a standardised naming model for object identification and authentication, and processes for object renaming and retirement.
Communication protocols and frequencies enable interconnection
The industry will need to design, optimise and widely adopt standard communication protocols before IoT can become truly mainstream. Examples include the message queuing telemetry transport (MQTT) protocol, the M2M equivalent of HTTP. Similarly, communication frequencies will be necessary to enable interoperability between different objects and services.
Security may be an afterthought, again
Considering the progress made toward making the IoT a reality, it is likely that this new wave of innovation will not bake security in at the hardware layer, at least initially. Security professionals will, once again, have to do their best to apply security controls at the network and application layer.
Changing security priorities
As technology becomes more entwined with the physical world, the consequences of security failure escalate. Already we have seen examples of car ignition systems failing, allowing engines to be started in the absence of the real authenticator. Since a computer now governs much of a car's engine, it requires little imagination to consider the potential disaster scenarios.
As the internet of things becomes embedded in everyday life, reaching through industrial control to personal devices and infrastructure such as transport and power, these scenarios become more complex and have graver consequences. It is for these reasons that the prospect is for client safety, industrial operations and national infrastructure to overshadow the protection of client data and to become information security priorities.
Courtesy of the object gateways and consolidators, the first two stages of the IoT will happily exist on current infrastructure and protocols. The true IoT, however, will require a foundation of IPv6, a protocol that offers almost limitless IP addresses and one that is currently being almost force-fed to web engineers. The adoption of IPv6 will take time. Unfortunately, this may be the only piece of the IoT puzzle that is approaching standardisation (see panel below). The opportunity for innovation, and standardisation, exists at different levels.
This is an excerpt from the Forrester report "Prepare your security organization for the internet of things" by Andrew Rose, who is principal analyst, security and risk, at Forrester Research.