Partner Perspectives
Lorie Wigle

Securing the Internet of Things

Factors specific to IoT devices make them a unique security risk.

What makes securing the Internet of Things (IoT) so different from securing other computing platforms? Three things that are top of mind are the long lifecycle, the volume of production, and the machine versus human mode of operation.

Unlike traditional computing devices, which have an expected lifetime of three to five years, an IoT device may be in use for decades. During its life, it might be connected to different backend systems, change ownership, be reconfigured, or remain in its original role and configuration. It may or may not be upgradable, and similarly may or may not accept additional software functionality such as virus scanning or malware detection and removal. As a result, security solutions for these devices particularly benefit from robust hardware-based security, and legacy devices need to be protected behind purpose-built gateways. No one company can deliver all this for the IoT. Developer kits and platforms will enable innovation into vertical and horizontal markets, delivering specific solutions that are purpose-built and that represent new business opportunities.

Due to the volume of production, IoT devices come off the manufacturing line with a common configuration and specific, limited functionality. They all have the same default user ID and password, where one exists, and the same vulnerabilities. The limited functionality makes it easier to protect them with narrow whitelists that confine actions and communications to a trusted set. But when they are deployed, it is easy to leave the defaults in place, thinking they are inaccessible or too small to care about. However, we have already seen these devices used as points of entry, so strong, unique passwords are just as important as they are on your laptop or bank account.

Finally, many of these devices operate in machine-to-machine mode, rarely seen by a human operator. Others may be in human contact all day, but are considered nothing more than a tool. Some have no display at all, or maybe just a few lights to communicate basic information. In virtually all cases, they do not have sufficient display and input capabilities to be configured, patched, or upgraded directly. Robust remote monitoring and management, supported by secure communications, keeps the operations center informed of anomalous behavior and enables it to remediate security breaches when necessary.
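The narrow per-device whitelist from the production paragraph and the remote monitoring for anomalous behaviour from this one, combined in one added example (not code from the article or from Intel): a gateway-side policy check over constructed flow records, where the device classes, hostnames, ports and rate limits are all assumed values.

```python
from collections import defaultdict

# Constructed policy: each limited-function device class gets a narrow
# allowlist of (destination host, port) pairs and a per-minute rate ceiling.
POLICY = {
    "temp-sensor": {"dst": {("telemetry.example.internal", 8883)}, "max_per_min": 6},
    "door-controller": {"dst": {("acs.example.internal", 443),
                                ("ntp.example.internal", 123)}, "max_per_min": 30},
}
# Constructed inventory: device id -> class. Anything not listed is unknown.
INVENTORY = {"ts-0042": "temp-sensor", "dc-0007": "door-controller"}

# Constructed flow records as (minute, device_id, dst_host, dst_port).
FLOWS = [
    (0, "ts-0042", "telemetry.example.internal", 8883),
    (0, "ts-0042", "telemetry.example.internal", 8883),
    (0, "ts-0042", "unknown-host.example", 23),        # sensor talking to an unexpected host
    (1, "dc-0007", "acs.example.internal", 443),
    (1, "dc-0007", "ntp.example.internal", 123),
    (2, "cam-0001", "acs.example.internal", 443),      # device never enrolled in inventory
] + [(3, "ts-0042", "telemetry.example.internal", 8883)] * 7   # 7 in one minute, ceiling is 6


def evaluate(flows, inventory=INVENTORY, policy=POLICY):
    """Return (number of allowed flows, list of alerts).

    An alert is (device_id, reason, dst_host, dst_port). Flows from unknown
    devices, to destinations outside the class allowlist, or above the
    per-minute ceiling are dropped and reported to the operations centre.
    """
    allowed = 0
    alerts = []
    per_minute = defaultdict(int)
    for minute, dev, host, port in flows:
        cls = inventory.get(dev)
        if cls is None:
            alerts.append((dev, "unknown-device", host, port))
            continue
        rule = policy[cls]
        if (host, port) not in rule["dst"]:
            alerts.append((dev, "dst-not-allowlisted", host, port))
            continue
        per_minute[(dev, minute)] += 1
        if per_minute[(dev, minute)] > rule["max_per_min"]:
            alerts.append((dev, "rate-exceeded", host, port))
            continue
        allowed += 1
    return allowed, alerts
```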

There is no simple solution or silver bullet that will secure such a diverse collection of devices. Multiple vendors and integrators will likely be involved over a device's lifetime, requiring a collaborative mix of proprietary, standards-based, and open-source components. There is also no single, perfect security level. Different devices at different points in the system and at different companies have different risk profiles. Building just the right level of security is achievable by evaluating the risk, usage, and capability of each device.

The focus of IoT security is more on the data than the device. Protecting the data, when stored, in process, or in transit, enables you to provide security and privacy simultaneously.

Lorie Wigle is building a new business focused on securing critical infrastructure and IoT more broadly at Intel subsidiary McAfee. Lorie has been with Intel for nearly 30 years in a wide variety of marketing and technical roles. She has an MBA from Portland State University ...
User Rank: Strategist
1/30/2015 | 1:33:18 PM
Re: Not enough power to do what is needed

Thank you for the thoughtful comment. We very much agree with you on the importance of power consumption as a system constraint and potential inhibitor to strong security. Our researchers in Intel Labs are looking at very low power implementations of standard algorithms. As an example, we have implemented AES in about 2K gates using near threshold voltage (NVT) technology. This will result in lower bandwidth but will also consume much less power than more typical implementations.

Second, we are experimenting with non-standard crypto primitives. As an example of this, we are advocating the use of the Simon block cipher family, which can be implemented in as few as 700 gates. We have evaluated this design and believe there is enough public cryptanalysis that we can consider it secure for most IoT usages. We have also evaluated schemes for other primitives that show promise. Lastly, it is our intention to work on low-power primitives in selected standards, for example, ISO/IEC JTC1 SC27.
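The Simon block cipher family named in the reply above, as an added example (not the commenter's or Intel's code): the smallest member, Simon32/64, written from the public specification and checked against the published test vector. The 700-gate figure is for hardware; the software version shows why the footprint is small, since the round function is just rotations, one AND and XORs.

```python
# Simon32/64: 16-bit words, 64-bit key, 32 rounds.
N = 16                       # word size in bits
M = 4                        # key words
ROUNDS = 32
MASK = (1 << N) - 1
# Constant bit sequence z0 used by Simon32/64 in the key schedule
Z0 = "11111010001001010110000111001101111101000100101011000011100110"


def rol(x, r):
    return ((x << r) | (x >> (N - r))) & MASK


def ror(x, r):
    return ((x >> r) | (x << (N - r))) & MASK


def expand_key(key_words):
    """key_words = [k0, k1, k2, k3]; k0 is the first round key."""
    k = list(key_words)
    c = MASK ^ 3                                   # 2^n - 4
    for i in range(ROUNDS - M):
        tmp = ror(k[i + 3], 3) ^ k[i + 1]
        tmp ^= ror(tmp, 1)                         # (I xor S^-1)
        k.append(c ^ int(Z0[i % 62]) ^ k[i] ^ tmp)
    return k


def f(x):
    # The only nonlinear piece: AND of two rotations, XORed with a third
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def encrypt_block(x, y, round_keys):
    for k in round_keys:
        x, y = y ^ f(x) ^ k, x                     # Feistel step
    return x, y


def decrypt_block(x, y, round_keys):
    for k in reversed(round_keys):
        x, y = y, x ^ f(y) ^ k                     # inverse Feistel step
    return x, y


def self_test():
    """Specification test vector: key 1918 1110 0908 0100 (k3..k0),
    plaintext 6565 6877, ciphertext c69b e9bb."""
    rk = expand_key([0x0100, 0x0908, 0x1110, 0x1918])
    ct = encrypt_block(0x6565, 0x6877, rk)
    return ct == (0xc69b, 0xe9bb) and decrypt_block(*ct, rk) == (0x6565, 0x6877)
```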

User Rank: Strategist
12/11/2014 | 12:36:15 PM
Not enough power to do what is needed

Frequently, what gets overlooked when discussing the Internet of Things or medical devices, especially implantable ones, is the power it takes to run them.

Batteries have limited energy, as we all know. If you want to place an IoT device someplace that will be inaccessible, you want it to run as long as possible.

Energy harvesting is making fast inroads into charging batteries. Still, their energy is usually measured in microwatts. Take a sensor under, or embedded in, a bridge as an example.

To extend battery life, IoT devices frequently run at low clock frequencies, 4 MHz down to a few kHz, for as long as operation takes, or at the highest possible frequency for the shortest amount of time.
[ See CDC/NIOS document "A Technology Review of Smart Sensors with Wireless Networks for Applications in Hazardous Work Environments" by John J. Sammarco, Ph.D., P.E., Robert Paddock, CSQE, Edward F. Fries, and Vijia K. Karra, Ph.D., page 33. ]
Either way, everything in these systems has to be viewed in terms of energy expended.

Most of the world is now accustomed to the desktop/phone/tablet etc., where, in comparison to an IoT device, the energy resources to run strong encryption algorithms and deal with strong authentication are infinite. The IoT device doesn't have the energy available, with current technologies, to do what we'd really like to do when it comes to security that we think nothing about doing on the desktop.

In the future, hopefully we either have Mr. Fusion as a power source or strong encryption algorithms that consume little in the way of energy...

Do you have any plans or suggestions?
