#IoT beyond fun is a security risk if not addressed
Ziaullah Mirza
Economic Monitoring & Countermeasures || Ecosystem Builder - Global Change Maker || Innovation Commandment || Digital Transformation || Digital Strategist || Global Business Services
“Tiny IoT devices don’t have power to do really powerful security.”
Even early-1980s-class 8-bit, 8 MHz chips with only 2 KB of RAM can do elliptic curve cryptography with a 256-bit key. That is at least as strong as 2,048-bit RSA (NIST rates a 256-bit curve at roughly 128 bits of security, the equivalent of 3,072-bit RSA), and the NSA's Suite B accepted such curves for protecting national security information up to the "Secret" level. The operations use so little battery power that signing or verifying data once every hour for twenty years would consume only a fraction of a single AA battery.
“Security is too complicated, especially in IoT. You can never win.”
It’s true that effective security never stems from any single silver bullet. Instead, just as most good houses need a few walls, a roof and a floor, effective IoT security can be composed from a short list of crucial ingredients:
Good crypto to protect authentication and, where needed, the confidentiality of data
Cryptographic verification of all code and configuration before any of it is permitted to run
Third-party runtime protection, built by security professionals, to mitigate the vulnerabilities that remain in the code
Over-the-air management capabilities, including updates, software inventory, telemetry and policy management, so that security can adapt over time
Security analytics to find and fight sophisticated adversaries who never trip an alarm
These ingredients are simple and strong enough to protect top brands against the best attackers.
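The 256-bit elliptic curve signing discussed above and two of the ingredients (verify code and configuration before it runs; manage updates over the air) meet in a single check on the device. The following is an added example, not code from the original article or from any vendor it describes. It is a Go program, using only the standard library's P-256 ECDSA, in which a vendor signs a small manifest (payload hash plus version) and a device refuses any image or configuration whose manifest is unsigned, whose payload does not match the signed hash, or whose version is not newer than what it already runs. The manifest layout, the function names and the sample payload are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the small signed object a device checks before accepting an
// image or configuration: the SHA-256 of the payload plus a monotonically
// increasing version used to refuse rollback to older, vulnerable releases.
// (Layout is an assumption for this example, not a vendor format.)
type Manifest struct {
	Version uint32
	Hash    [sha256.Size]byte
}

// NewManifest builds the manifest for a payload at the given version.
func NewManifest(version uint32, payload []byte) Manifest {
	return Manifest{Version: version, Hash: sha256.Sum256(payload)}
}

// encode produces a fixed canonical layout (4-byte big-endian version followed
// by the 32-byte hash) so signer and verifier hash exactly the same bytes.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Hash[:])
	return buf
}

// NewSigningKey generates the vendor's P-256 signing key. In production the
// private half stays in an HSM or offline signer; devices hold only the
// public key, ideally in write-protected storage.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignManifest returns an ASN.1 DER encoded ECDSA signature over
// SHA-256(encode(manifest)).
func SignManifest(priv *ecdsa.PrivateKey, m Manifest) ([]byte, error) {
	digest := sha256.Sum256(m.encode())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyUpdate is the gate a device runs before flashing an image or applying
// a configuration. It succeeds only if the manifest was signed by the trusted
// vendor key, the delivered payload matches the signed hash, and the version
// is strictly newer than what is currently installed.
func VerifyUpdate(pub *ecdsa.PublicKey, m Manifest, sig, payload []byte, installed uint32) error {
	digest := sha256.Sum256(m.encode())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("manifest signature invalid: not signed by the trusted vendor key")
	}
	got := sha256.Sum256(payload)
	if !bytes.Equal(got[:], m.Hash[:]) {
		return errors.New("payload hash mismatch: image tampered with or corrupted in transit")
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback refused: manifest version %d is not newer than installed %d", m.Version, installed)
	}
	return nil
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a real firmware image.
	image := []byte("constructed sample firmware image, release 2")
	m := NewManifest(2, image)
	sig, err := SignManifest(priv, m)
	if err != nil {
		panic(err)
	}
	tampered := append(append([]byte{}, image...), '!')
	fmt.Println("genuine release 2 on a release 1 device:", VerifyUpdate(&priv.PublicKey, m, sig, image, 1))
	fmt.Println("tampered payload:", VerifyUpdate(&priv.PublicKey, m, sig, tampered, 1))
	fmt.Println("release 2 pushed to a release 3 device:", VerifyUpdate(&priv.PublicKey, m, sig, image, 3))
}
```

Signing the manifest rather than the whole image lets a constrained device verify one 36-byte object and then stream the image through SHA-256 in the small chunks its RAM allows; the version check is what turns a signature into protection against an attacker who replays an old, signed but vulnerable release.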
“Can’t update these devices.”
Many devices are difficult to update, but almost none are impossible. Industrial systems stay deployed for 19 years on average, and cars and medical equipment are likewise designed to last decades. Yet we now see industrial equipment vendors issuing updates for equipment that is decades old, because businesses depend on the integrity of those devices. The same is happening for medical equipment, ATMs, point-of-sale devices, retail kiosks and now even cars.
“Security is too expensive for the billions of devices we deploy.”
At scale, security often costs only dimes per connected device. For any connected device that sells for more than $20 that is entirely affordable, and it is reckless to jeopardize your brand by skipping or skimping on it. Some consequences are too expensive to risk when prevention is pocket change.
“We have air gaps, gateways & network segregation protecting us.”
Nearly all systems are connected in ways their creators may not know about but attackers creatively find. This has been demonstrated repeatedly against military, intelligence and critical infrastructure systems, Stuxnet being only the best known case. Last year an attack that damaged a blast furnace at a German steel mill went straight through a gateway designed to protect the operational network from exactly that kind of attack. Gateways reduce risk, but on their own they are not adequate protection. Air gaps are not reliably effective either, and VLANs and other forms of logical separation are even less so. For high-value systems, harden the systems themselves from the inside rather than gambling on gateways, air gaps and network segregation.
“Blockchain vs. PKI”
Blockchain is a useful ledger for recording transactions, and digital (and physical) objects can carry such ledgers with them as they move. What most people forget is that the ledger layer of any blockchain rests on conventional cryptographic foundations: every transaction is signed with traditional algorithms, libraries, keys and credentials. Bitcoin, for instance, signs transactions with 256-bit elliptic curve cryptography (ECDSA over the secp256k1 curve), the same key strength often advocated for IoT systems whether or not they need a blockchain-style ledger. Key management is the Achilles' heel of most cryptosystems. That is why more than a billion IoT devices already rely on the world's most proven key management system: a Certificate Authority operating a managed Public Key Infrastructure (PKI). Good PKI at the foundation makes the blockchain ledger above it stronger; in other words, blockchain works best when it leverages good PKI.
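To make the PKI point concrete, here is an added example, not code from the original article or from any CA it alludes to, of the identity check a managed PKI gives an IoT fleet: a P-256 root CA issues one certificate per device, and a backend accepts only certificates that chain to that root, are inside their validity period and are permitted for client authentication. It uses Go's standard-library crypto/x509. The CA name, device ID, serial numbers and validity periods are assumptions for illustration, and in practice the CA private key would live in an HSM rather than in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewRootCA creates a self-signed P-256 root. The returned private key is the
// operator's crown jewel; in a real deployment it never leaves an HSM.
func NewRootCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(20, 0, 0), // long-lived, matching device lifetimes (assumed)
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert enrols one device: a fresh P-256 key generated for the device
// and a certificate, signed by the CA, binding the device ID to that key.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, deviceID string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(10, 0, 0), // assumed device certificate lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyDevice is what a backend (or a peer device) does when a device presents
// its certificate: build a chain to a trusted root, check validity at `now`,
// and check the certificate is allowed to authenticate as a client. Possession
// of the matching private key is proven separately by the TLS handshake.
func VerifyDevice(cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now := time.Now()
	ca, caKey, err := NewRootCA("Example IoT Root CA", now) // assumed name
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	dev, _, err := IssueDeviceCert(ca, caKey, 1001, "meter-000123", now) // assumed device ID
	if err != nil {
		panic(err)
	}
	fmt.Println("enrolled device:", VerifyDevice(dev, roots, now))

	// An attacker who clones the device ID but does not hold the CA key cannot pass.
	rogueCA, rogueKey, _ := NewRootCA("Rogue CA", now)
	fake, _, _ := IssueDeviceCert(rogueCA, rogueKey, 1001, "meter-000123", now)
	fmt.Println("cloned ID signed by rogue CA:", VerifyDevice(fake, roots, now))

	// The genuine certificate is rejected once it has expired.
	fmt.Println("expired:", VerifyDevice(dev, roots, now.AddDate(11, 0, 0)))
}
```

The backend trusts one root, not a billion device keys, which is the key management benefit the paragraph is pointing at; revocation (a CRL or OCSP, both standard PKI machinery) is the piece this example leaves out and the piece a ledger-only design has to reinvent.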
“We just need vendors and standards groups to solve this faster.”
Vendors and standards groups are making progress, but that process takes time. Unless customers start asking for the kinds of security they actually need, such as the "ingredients" listed above, equipment vendors will keep selling equipment without security and, more dangerously, equipment where "secure" is just an adjective that does not stand up to real adversaries.
“Ops teams running operational tech just need to learn from IT.”
IT vendors and staff have historically not been welcome in operational discussions, and for good reason: operational constraints are very different from those of IT environments, the consequences of failure are far higher, and the timescales are often radically different. For better or worse, many of the technologies OT now needs have been in use on the IT side for years. But until IT vendors and staff learn to speak OT's language and appreciate its culture, OT teams will have no confidence that those technologies have been selected and adapted appropriately for their environments. IT security also has far more tools in its chest than an OT operations team can manage; picking the right ones and adapting them appropriately requires collaboration between IT and OT.
“Our systems are so obscure nobody can figure them out enough to do damage.”
Steel mills, water treatment plants, power grids, factories, power generation plants and countless other systems have been hacked as a result of that naïve belief.
If this risk is not addressed properly, it will have a serious impact in the future.
#Iot #Ai #Bi #Ci #BigData #GreenHats
Good article Zia.