12/11/2014
10:15 AM
Lorie Wigle
Partner Perspectives

Securing the Internet of Things

Factors specific to IoT devices make them a unique security risk.

What makes securing the Internet of Things (IoT) so different from securing other computing platforms? Three factors stand out: the long lifecycle, the volume of production, and machine-to-machine rather than human operation.

Unlike traditional computing devices, which have an expected lifetime of three to five years, an IoT device may be in use for decades. During its life it might be connected to different backend systems, change ownership, be reconfigured, or remain in its original role and configuration. It may not be upgradable at all, and it may not be able to host additional software such as virus scanning or malware detection and removal. As a result, security for these devices benefits particularly from robust hardware-based protection, and legacy devices that cannot be hardened need to be isolated behind purpose-built gateways. No one company can deliver all of this for the IoT. Developer kits and platforms will enable innovation in vertical and horizontal markets, delivering purpose-built solutions that represent new business opportunities.

Because they are produced in volume, IoT devices come off the manufacturing line with a common configuration and specific, limited functionality. Every unit ships with the same default user ID and password (where the device has credentials at all) and the same vulnerabilities. The limited functionality makes it easier to protect them with narrow whitelists that confine actions and communications to a trusted set. But once deployed, it is easy to leave the defaults in place, on the assumption that the devices are inaccessible or too small to care about. We have already seen these devices used as points of entry, so strong, unique passwords matter just as much here as on your laptop or bank account.

Finally, many of these devices operate machine-to-machine and are rarely seen by a human operator. Others may be in human contact all day but are regarded as nothing more than a tool. Some have no display at all, or just a few lights to communicate basic status. In virtually all cases they lack the display and input capabilities to be configured, patched, or upgraded directly. Robust remote monitoring and management, carried over secure communications, keeps the operations center informed of anomalous behavior and lets it remediate security breaches when necessary.
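The three points above (a narrow whitelist for a fixed-function device, units that still carry the factory credential, and remote monitoring that surfaces anomalous behavior) as a gateway-side policy check. This is an added example, not code from the article or from Intel/McAfee; the device models, hostnames, addresses, credentials and flow records are constructed for illustration.

```python
"""
Gateway-side enforcement for fixed-function IoT devices: a per-model allowlist
of permitted flows, a check for units still carrying the factory default
credential, and a monitor that reports out-of-policy traffic.

Added example; not code from the article or from Intel/McAfee. The device
models, hostnames, addresses, credentials and flow records are constructed
for illustration.
"""
import hashlib
from collections import namedtuple

Policy = namedtuple("Policy", "allowed_flows default_cred_fingerprint")
Flow = namedtuple("Flow", "device_id model dst port proto")
Device = namedtuple("Device", "device_id model cred_fingerprint")


def fingerprint(user, password):
    """SHA-256 of user:password, so policy and inventory never store the
    plaintext credential, only something comparable to it."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


# Hypothetical models. A fixed-function device has a short, known list of
# endpoints it must reach; anything else is by definition out of policy.
POLICIES = {
    "bridge-strain-sensor-v2": Policy(
        allowed_flows={
            ("telemetry.example.net", 8883, "tcp"),  # MQTT over TLS
            ("ntp.example.net", 123, "udp"),
        },
        default_cred_fingerprint=fingerprint("admin", "admin"),
    ),
    "smart-meter-v1": Policy(
        allowed_flows={("meter-head-end.example.net", 443, "tcp")},
        default_cred_fingerprint=fingerprint("root", "1234"),
    ),
}


def flow_violations(flows, policies=POLICIES):
    """Flows that fall outside the sending device's model allowlist.
    A model with no policy is treated as deny-all, not allow-all."""
    bad = []
    for flow in flows:
        policy = policies.get(flow.model)
        if policy is None or (flow.dst, flow.port, flow.proto) not in policy.allowed_flows:
            bad.append(flow)
    return bad


def default_credential_devices(devices, policies=POLICIES):
    """Device ids whose stored credential fingerprint still equals the
    factory default for their model."""
    return [
        d.device_id
        for d in devices
        if d.model in policies
        and d.cred_fingerprint == policies[d.model].default_cred_fingerprint
    ]


# Constructed sample data: one clean sensor, one sensor that kept its default
# password and started talking telnet to an outside host, one meter reaching
# a service that is legitimate for sensors but not for meters, and a device
# of a model the gateway has never been told about.
SAMPLE_FLOWS = [
    Flow("sensor-0017", "bridge-strain-sensor-v2", "telemetry.example.net", 8883, "tcp"),
    Flow("sensor-0017", "bridge-strain-sensor-v2", "ntp.example.net", 123, "udp"),
    Flow("sensor-0042", "bridge-strain-sensor-v2", "203.0.113.9", 23, "tcp"),
    Flow("meter-1003", "smart-meter-v1", "meter-head-end.example.net", 443, "tcp"),
    Flow("meter-1003", "smart-meter-v1", "telemetry.example.net", 8883, "tcp"),
    Flow("cam-0001", "unknown-camera", "203.0.113.9", 80, "tcp"),
]
SAMPLE_DEVICES = [
    Device("sensor-0017", "bridge-strain-sensor-v2", fingerprint("admin", "Qm7#pL2vX9wZ")),
    Device("sensor-0042", "bridge-strain-sensor-v2", fingerprint("admin", "admin")),
    Device("meter-1003", "smart-meter-v1", fingerprint("root", "1234")),
]


def audit(flows=SAMPLE_FLOWS, devices=SAMPLE_DEVICES):
    """Summary an operations center would act on: which units are talking
    where they should not, and which still have factory credentials."""
    return {
        "out_of_policy": [(f.device_id, f.dst, f.port, f.proto) for f in flow_violations(flows)],
        "default_credentials": default_credential_devices(devices),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

A real gateway would enforce the allowlist in its firewall (by address rather than name) and only report the misses; the point here is that for a fixed-function device the policy is short enough to write down completely, so an unexpected destination is a strong signal rather than noise. Treating a model with no policy as deny-all is deliberate: an unknown device gets no traffic until someone has written its allowlist.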

There is no simple solution or silver bullet that will secure such a diverse collection of devices. Multiple vendors and integrators will likely be involved over a device's lifetime, requiring a collaborative mix of proprietary, standards-based, and open-source components. Nor is there a single, perfect security level: different devices at different points in the system and at different companies have different risk profiles. Building just the right level of security is achievable by evaluating the risk, usage, and capability of each device.

The focus of IoT security is more on the data than on the device. Protecting the data at rest, in use, and in transit lets you provide security and privacy at the same time.

Lorie Wigle is building a new business focused on securing critical infrastructure and IoT more broadly at Intel subsidiary McAfee. Lorie has been with Intel for nearly 30 years in a wide variety of marketing and technical roles. She has an MBA from Portland State University ...
Comments
LoriWigle, User Rank: Strategist
1/30/2015 | 1:33:18 PM
Re: Not enough power to do what is needed

Thank you for the thoughtful comment. We very much agree with you on the importance of power consumption as a system constraint and potential inhibitor to strong security. Our researchers in Intel Labs are looking at very low power implementations of standard algorithms. As an example, we have implemented AES in about 2K gates using near threshold voltage (NTV) technology. This will result in lower bandwidth but will also consume much less power than more typical implementations.

Second, we are experimenting with non-standard crypto primitives. As an example of this, we are advocating the use of the Simon block cipher family, which can be implemented in as few as 700 gates. We have evaluated this design and believe there is enough public cryptanalysis that we can consider it secure for most IoT usages. We have also evaluated schemes for other primitives that show promise. Lastly, it is our intention to work on low-power primitives in selected standards, for example, ISO/IEC JTC1 SC27.
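For readers who want to see what the Simon family named in the reply above looks like in code: Simon32/64 (16-bit words, 64-bit key, 32 rounds), added here as an example. It is a software transcription of the published Simon specification, not the commenter's or Intel's hardware implementation, and it checks itself against the test vector given in that specification.

```python
"""
Simon32/64: 16-bit words, 64-bit key (m = 4 key words), 32 rounds.
Software transcription of the published Simon specification, added here as an
example; it is not the hardware implementation the reply refers to. Round
keys are derived with the m = 4 key schedule and the constant sequence z0.
"""

WORD = 16                 # n, the word size in bits
MASK = (1 << WORD) - 1
ROUNDS = 32               # T for Simon32/64
KEY_WORDS = 4             # m for Simon32/64
# Constant sequence z0 (period 62) from the specification; Simon32/64 uses z0.
Z0 = [int(b) for b in
      "11111010001001010110000111001101111101000100101011000011100110"]


def rol(x, r):
    return ((x << r) | (x >> (WORD - r))) & MASK


def ror(x, r):
    return ((x >> r) | (x << (WORD - r))) & MASK


def f(x):
    """Simon round function: (S^1 x & S^8 x) ^ S^2 x. The AND is the only
    non-linear operation, which is what keeps the gate count low."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def expand_key(key_words):
    """key_words = [k0, k1, k2, k3] with k0 the low-order word of the key.
    Returns the T round keys."""
    k = list(key_words)
    for i in range(KEY_WORDS, ROUNDS):
        tmp = ror(k[i - 1], 3)
        tmp ^= k[i - 3]                 # this term exists only for m = 4
        tmp ^= ror(tmp, 1)
        # The constant c = 2^n - 4, so c ^ k == (~k ^ 3) masked to n bits.
        k.append((~k[i - KEY_WORDS] ^ tmp ^ Z0[(i - KEY_WORDS) % 62] ^ 3) & MASK)
    return k


def encrypt_block(x, y, round_keys):
    """Feistel-like: (x, y) -> (y ^ f(x) ^ k_i, x) for each round."""
    for rk in round_keys:
        x, y = y ^ f(x) ^ rk, x
    return x, y


def decrypt_block(x, y, round_keys):
    """Undo the rounds in reverse order."""
    for rk in reversed(round_keys):
        x, y = y, x ^ f(y) ^ rk
    return x, y


def known_answer_test():
    """Test vector from the specification: key 1918 1110 0908 0100,
    plaintext 6565 6877, ciphertext c69b e9bb (left word is x)."""
    round_keys = expand_key([0x0100, 0x0908, 0x1110, 0x1918])
    ct = encrypt_block(0x6565, 0x6877, round_keys)
    pt = decrypt_block(*ct, round_keys)
    return ct == (0xC69B, 0xE9BB) and pt == (0x6565, 0x6877)


if __name__ == "__main__":
    print("Simon32/64 known-answer test:", "pass" if known_answer_test() else "FAIL")
```

The 32-bit block is the thing to watch when choosing the smallest variant for its gate count: with a block that small, repeated ciphertext blocks become likely after on the order of 2^16 blocks under one key, so a device that adopts it still needs a rekeying schedule and a mode that tolerates it.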

bpaddock, User Rank: Strategist
12/11/2014 | 12:36:15 PM
Not enough power to do what is needed

Frequently what gets overlooked when discussing the Internet of Things or medical devices, especially implantable ones, is the power it takes to run them.

Batteries have limited energy, as we all know. If you want to place an IoT device et al. someplace that will be inaccessible, you want it to run as long as possible.

Energy harvesting is making fast inroads into charging batteries. Still, its energy is usually measured in microwatts. Take a sensor under, or embedded in, a bridge as an example.

To extend battery life, IoT devices frequently run at low clock frequencies (4 MHz down to a few kHz) for as long as the operation takes, or at the highest possible frequency for the shortest amount of time.
[See CDC/NIOSH document "A Technology Review of Smart Sensors with Wireless Networks for Applications in Hazardous Work Environments" by John J. Sammarco, Ph.D., P.E., Robert Paddock, CSQE, Edward F. Fries, and Vijia K. Karra, Ph.D., page 33. www.wearablesmartsensors.com]
Either way, everything in these systems has to be viewed in terms of energy expended.

Most of the world is now accustomed to the desktop/phone/tablet etc., where, in comparison to an IoT device, the energy resources to run strong encryption algorithms, deal with strong authentication, et al. are infinite. The IoT device doesn't have the energy available, with current technologies, to do what we'd really like to do when it comes to security that we think nothing about doing on the desktop et al.

In the future, hopefully we either have Mr Fusion as a power source or strong encryption algorithms that consume little in the way of energy...

Do you have any plans or suggestions?
