Open standards were supposed to drive interoperability of Internet of Things devices, allowing cybersecurity software to interrogate devices across the network. Many vendors even hoped to install apps or agents inside IoT nodes; after all, mobile devices allow this. Yet none of the approaches, APIs, or standards that products are built upon achieved wide adoption. With so little control and visibility into IoT, the coming wave of 5G devices should make security professionals nervous.
In response to 5G's potential to exacerbate the already complex problem of IoT security, researchers in defense and academic circles have launched programs to jump-start R&D. This summer, the Defense Advanced Research Projects Agency (DARPA) released IoT research grants. And in a separate but parallel development, academic researchers at the Association for Computing Machinery (ACM) simultaneously launched a program allowing industry IoT experts to collaborate with academic researchers.
5G Will Soon Redefine Cybersecurity
Gartner notes that the number of 5G IoT devices will expand from today’s 3.5 million units to 49 million in 2023. Gartner's past IoT predictions have been solid, though 5G has encountered curveballs, such as the impact of US sanctions on China's 5G mega-provider, Huawei, not to mention the uneven rollout of 5G service in North America.
Unsolved security issues can also hinder adoption. Analyst firm Omdia recently asked enterprise organizations about their biggest challenge in deploying IoT. The top answer: ensuring data, network and device security. This new world of 5G IoT devices will represent exceptional challenges for vulnerability management, threat hunting, and incident response.
SecDevOps and code analysis tools have made strides in improving application security. Yet it's not practical to expect IoT firmware developers to save us. Funding for device firmware is significantly less than that of traditional software, due to the per-unit costs to manufacture and ship hardware. Firmware development is also complex and hyper-specialized, often leaving security as an afterthought.
However secure they are, IoT devices end up under the purview of the CISO. While the security operations center (SOC) has historically had options to monitor data egress, this won't always be the case with IoT. Cybersecurity analysts should expect as little visibility into 5G as they have into cellular phone transmissions.
The new Cellular Vehicle-to-Everything (C-V2X) networks will boast a one-mile range. C-V2X will enable connectivity between vehicles, infrastructure, and surrounding devices. While great for consumers, it provides rogue IoT nodes and compromised automobiles a plethora of networks to access. The share of 5G-connected cars will grow from 15% in 2020 to 94% in 2028, when 5G will be heavily used for C-V2X, Gartner projects.
Securing local data networks won't be the only problem. "Cameras deployed by city operators, or used to ensure building security, and provide intruder detection, offer the largest addressable market" of IoT devices, notes Gartner's Stephanie Baghdassarian. While many will be consumer devices, a significant cross-section of IoT cameras are expected to become the problem of infosec analysts.
Imagine a world of AI-powered devices ingesting information through electronic eyes and ears, like humans do. Then consider, if compromised, how many surrounding 5G networks these devices may leak data through. 5G is shaping up to be a black hole of data exfiltration.
DARPA Is Getting Involved
Analysts from the National Institute of Standards and Technology (NIST) believe quantum computing will render current encryption methods useless within 15 years, so it's not surprising DARPA put its focus here. Being single-use hardware, IoT devices may be deployed long after vendors cease patching vulnerabilities. IoT encryption needs to hold up for decades.
This past summer, DARPA solicited "innovative research" around IoT cryptography. Its program, the Cryptography for Hyper-scale Architectures in a Robust Internet Of Things (CHARIOT), is offering millions in awards.
In its fiscal 2021 budget, DARPA requested $1.1 billion in unclassified funding for projects related to cybersecurity. DARPA initiatives include boosting the human ability to recognize and hunt threats at scale, and more exotic AI advances. DARPA is also investing in AI tech for machines to reason in context.
Aligning Academia with Real-World IoT Problems
CERT's Leigh Metcalf is on a mission to align these disparate worlds. At the ACM, Metcalf has been instrumental in the open-access academic journal Digital Threats: Research and Practice (DTRAP).
DTRAP is unique in that it invites practitioners and vendor experts to publish alongside and help to direct academics. DTRAP's upcoming issue, the Lifecycle of IoT (In)security, is recruiting folks with cyber street smarts, hoping they submit papers highlighting new threat vectors, unsolved problems, or underdeveloped approaches to IoT security.
Graduate degrees are not terribly common in infosec. Perhaps the time and money to study academic theory doesn't provide a certain enough return. Yet the inclusiveness of DTRAP is notable. Industry pros can now leverage their existing expertise to direct academic research toward practical problems, and gain the prestige of publishing in a peer-reviewed academic journal. The Lifecycle of IoT (In)security is accepting submissions until January 2021.
Along with academics, the ACM is expecting collaboration from IoT device vendors, hardware manufacturers, and those cybersecurity practitioners dealing with deployed devices.
Innovation Sits Upon a Technical Foundation
These programs couldn't have come at a better time. IoT device manufacturers have difficult challenges ahead. They must secure the hardware supply chain, solve encryption, and drive innovative code analysis for firmware environments.
It's often difficult to sell one's peers on yet another standard or framework. Publishing a proposal in a peer-reviewed academic journal might provide the credibility to launch the next great idea. The industry needs it, because the explosion of 5G IoT devices is coming.