Securing Everything in the Internet of Things

Securing everything everywhere forevermore is the ultimate pipe dream, and it may not even be feasible. The world is too big, complex, and dynamic to hold out that hope for long.

Nevertheless, securing every "thing" is becoming a critical issue as we move into the era of the Internet of Things (IoT).  Some refer to this vision as the “industrial Internet,” the “machine-to-machine Internet” the “sensor Internet,” the “ambient Internet,” and even the “RFID Internet.” However broadly you scope it, solution providers and their business partners need to learn more about how to secure IoT from end to end.

More broadly, IoT refers to the vision of a world where sensors, intelligence, and connectivity are embedded into every human artifact, every element of the natural world, and even every physical person.

All-Encompassing IoT Security

Security is critical to IoT's adoption because we want to make sure we can "trust" the sensors, actuators, rules engines, and other connected componentry we embed in every element of our existence. Bringing this down to earth is as easy as pointing out that people's smartphones, tablets, wearable devices, appliances, entertainment centers, and home security systems are all becoming "IoT " connected endpoints. How vulnerable will you be to security vulnerabilities and privacy violations from any and all of these?

Privacy issues are where most people focus in the IoT security debate. In the post-Snowden age, many people are not reassured by statements such as this from former CIA director David Petraeus, who was discussing the privacy vulnerabilities of IoT-equipped "smart homes":

"Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing, the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.

Multi-Layered Security

So far, nobody has a comprehensive vision for how--or even if--the human race will be able to manage end-to-end security in the coming IoT world. But many people have dissected this topic recently, and many others are sure to follow. For starters, here's the list of IoT security requirements that I discussed in this post in which I defined the role of big data in IoT security:

• Incorporate robust security protections in the development of IoT products
• Leverage widely vetted open security standards in IoT products
• Embed modular, security-aware hardware and software designs in IoT products
• Conduct independent review, auditing, and penetration testing of security in IoT products

Architected Security

It's no surprise that the venerable Vint Cert has thoughts on this issue as well. At a workshop of the US Federal Trade Commission (FTC) a few years ago, Cerf approached IoT privacy protection within a larger architectural perspective. He discussed several key IoT challenges:

• Standardized IoT interfaces
• Bulk IoT device provisioning and configuration
• IoT access control and authentication
• IoT privacy and safety
• IoT instrumentation and feedback
• IoT device security patching.
• On its end, the FTC raised several important concerns to supplement Cerf's and my discussions:
• IoT device vendor ecosystems
• IoT device data de-identification
• IoT device-level attack-prevention safeguards

Yet another (largely non-overlapping) list of IoT security issues is in this E-Commerce Times article. The piece, authored by Ed Moyle, discusses 5 security capabilities that should be incorporated into IoT infrastructures:

• IoT threat awareness/intelligence
• IoT inventory management
• IoT application security
• IoT vendor governance
• IoT business integration

Value-Chain Security

The most noteworthy aspect of Moyle's discussion is the focus on building a security-aware IoT vendor value chain. This excerpt jumped out at me:

"Though it might not seem immediately apparent, securing the supply chain can be particularly critical when it comes to securing purpose-built devices. There are a few reasons. First, the practices of manufacturers (for example, their ability to build a hardened product) play a role. Second, implementers and VARs can leave configuration or other errors in deployment. Lastly, maintenance and support may require granting access to external parties so they can troubleshoot and provide that support. Building a capability to assess these external parties in the supply chain can give you some transparency and help you assess the level of risk these situations might introduce."

If your head's not swimming from IoT security issue overload, you're not paying attention. How do we get our heads around the multi-layered security challenges in this coming era? As an organizing framework, I'd propose that we approach it as follows:

• Securing IoT endpoints: Do you trust the things themselves? Everybody recognizes that the first line of IoT security must be built into the things themselves. Considering the ever expanding diversity of IoT endpoints--in scale, features, deployments, etc.--the endpoint-security standards must be framed in functional terms that are agnostic to underlying physical implementations.
• Securing IoT engagements: Do you trust the things' engagements with the world around them? Security vulnerabilities are consequences of how IoT endpoints interact with users, with local and remote applications, with cloud and other infrastructures, and with each other. Securing the IoT depends on standards for how these engagement patterns leverage identity, authentication, access control, encryption, de-identification, privacy, intrusion detection, alerting, auditing, monitoring, and other infrastructure services.
• Securing IoT ecosystems: Do you trust the things' value chains? Security vulnerabilities may introduced anywhere in the constellation of solution providers, service businesses, certification authorities, and others who build, deploy, test, manage, and vouch for the endpoints and infrastructures. Securing the IoT depends on assembling the compliance, legal, contractual, and operational frameworks to handle the interlocking responsibilities of all these parties for ensuring end-to-end security.

Where do we start to realize this vision of security-enabled IoT? Everywhere. Fortunately, that's already going on, a fact to which the cited articles allude. Considering that the IoT itself has only just started its long road to ubiquity, ongoing development of this security framework will go on indefinitely, just to keep pace with technological innovation, if nothing else.