Call it a physical and cybersecurity challenge. Innovators and industry experts in Boston Tuesday for the IoT Security 2015 conference brainstormed about some of the Internet of Things' most daunting security challenges -- authentication, patching, smart grids, and smart homes -- and how to address them.
- Who is responsible for patching your smart home, from the cars you drive and the entertainment you watch to the food you store and prepare?
- Is it possible to have seamless mutual authentication between users and devices, and between devices and other devices?
- What happens if the connections between your smart home and your smart grid stop working and turn against you?
- What if the seller of your dream house refuses to give up the keys to the built-in smart devices inside?
These were the hypothetical problems that attendees from a broad range of IoT interests -- manufacturers, the public sector, and security professionals -- chewed on during four lunchtime breakout sessions. Participants were given a specific problem to analyze, after which they presented their solution to the full conference.
LG Mobile Research IoT Security Engineer Harsh Kupwade Patil’s team tackled the question of whether it’s possible to have mutual authentication between users and devices, and between devices and other devices. “Is there a solution? Yes. But it won’t be a simple solution,” Patil said. Context-aware security, new gateways, and middleware were three measures the group said could help facilitate the “chain of trust” necessary to support IoT. But Patil said “identity was the weakest link in the chain,” hampered by a fragmented market and a “protocol soup” that prevents devices and users from working seamlessly together.
Smart Home For Sale
So you just bought your dream home – a smart house with all the bells and whistles you would want and expect. After you sign on the dotted line, drive up and unlock the front door, you find out that the seller is unwilling (or unable) to give you the “keys” to the smart devices inside. What’s the remedy? One possibility, said group leader Chris Rezendes, founder of INEX Advisors, is to require that all smart devices be manufactured with factory wipe options and to develop “good processes” for transitioning smart products like cars and homes to new owners.
How does a power company deal with an attacker who seizes control of a customer’s smart meter or demand-response thermometer and directs the device to consume more electricity in the home or stops the utility from sending any power at all? How would the power company even know that the power supply was being diverted? That was the issue posed to the group led by John Miri, chief administrative officer at the Lower Colorado River Authority in Austin, Texas. One solution: Creation of a new class of performance metrics that focus on resiliency, for example, Mean Time Between Recovery versus Mean Time Between Failure.
A device has been shipped from the factory and is deployed in a home, workplace, or car. What are the options for updating security remotely? Johan Sys, IoT security manager at Verizon, framed the discussion, and the group bandied about solutions ranging from manufacturer-provided security subscription services to the creation of a new class of small business. “If I can hire a termite service to protect my house, why couldn’t there be a cybersecurity service provider to maintain the smart devices I use in my home?” Sys said.