One important facet that will only grow in prominence is keeping networks safe as the Internet of Things (IoT) becomes more prevalent. That is, as more devices around us become net-connected. New security vulnerabilities and defects yet-undreamed-of will start to surface for enterprise systems. Continuous testing and other measures, such as Service Virtualization simulation and modeling techniques, will become even more critical.
Organizations need to think about some of the best practices around addressing these earlier in the software development lifecycle. The Cloud Security Alliance has been working on a set of best practices to make this possible. We caught up with Brian Russell, who leads the CSA’s Secure Internet of Things Initiative to put these new risks in perspective. Russell is also Chief Engineer focused on Cyber Security Solutions for Leidos.
ServiceVirtualization.com: What are the most significant security risks that the IoT brings to the enterprise
Brian Russell: A recent report by IDC (International Data Corporation) stated that 90 percent of IT networks will have an IoT-based security breach by 2017. The report did mention that most of these will be viewed as inconveniences, but this gives a good idea of the general magnitude of the IoT security problem. Based on my work with the Cloud Security Alliance, I can see how this number, although it seems exceedingly high, is realistic.
When you think of what the biggest risk is that IoT brings to the enterprise, it really depends on the industry that you’re operating within. For example, in the retail industry, we’ve already seen the problems faced even without the addition of IoT-based systems and capabilities. With the IoT, you’re adding a new set of complexity and also introducing automation into many decision processes. This provides a target-rich environment that malicious actors can exploit. You can draw the same comparisons to other industries, whether it’s healthcare, energy, manufacturing, or government. Introducing new paths into the enterprise, new data collection and storage points, and automating processes based on the collected data introduces additional risk.
What are the some of the specific problems organizations need to worry about?
Looking at specific risks, data compromise is going to continue to be a significant concern. Data is the life-blood of the IoT, and will be stored and transmitted in many locations.
Data also drives analytics, and we’re beginning to see how powerful it is to be able to process and analyze large quantities of data. The IoT is an enabler of data analytics, eventually feeding analytic engines with tremendous amounts of data to be used in critical decision making applications or to provide the right people with the right information. As the IoT starts to make progress in business and the public sector, we’ll soon see that a big risk is going to be related to our ability to assure the integrity of data collected by IoT sensors, along the full path of the systems that rely upon that data.
Malicious actors with a variety of motivations will likely learn quickly how to surreptitiously inject bad data into sensor streams or attempt to manipulate data while in transit or in storage. Motivations for doing this will run the gamut, from financial to being a nuisance or seeking publicity. The end result will be erosion in the confidence placed in the underlying data that drives enterprise decision-making.
What are some of the other concerns about new types of defects with IoT applications?
Maintaining privacy of course is a significant concern. This is complicated with the IoT, as privacy becomes a bigger issue than simply securing certain types of information, such as social security numbers or health records. With the IoT, additional considerations have to be taken into account.
For example, whether you can track the location of certain IoT devices and if you do track that location – there is a question of whether it is ok to even associate that data with a person or even another IoT device that the person owns. Data aggregation issues will become significant as service providers will need to assure that various data, when put together do not create privacy impacts that could lead to substantial fines and public backlash.
Something else to consider related to privacy with the IoT- is the ease with which anyone can deploy various sensors or even video cameras to meet their needs. These tools present a risk to be inappropriately used and become dangerous weapons for stalking and other crimes. Law enforcement will need to adapt to overcome these challenges in the near future.
Finally, when we consider that the IoT includes concepts such as cyber-physical systems, where physical objects are networked, it is easy to see how physical damage can be caused by malicious electronic acts. Whether it’s taking over or disrupting a Connected Vehicle or Unmanned Aerial System (UAS) flying overhead, or causing damage to the power grid or a manufacturing facility through a compromised Industrial Control System (ICS), or a malfunction in an implantable medical device, the risks of compromise to critical CPS assets resulting in physical harm must be mitigated.
How is IoT security different than traditional enterprise applications?
The scale alone makes IoT security different. Organizations may deploy millions of IoT devices and these devices are highly diverse in their forms and functions. We essentially have added millions of end-points to an enterprise architecture and each of these end points must be accounted for and secured to the best of an organization’s ability. At the same time, the IoT introduces the problem of defending against things that are oftentimes too inconspicuous to detect. We’ll need new detection mechanisms that tell when unauthorized devices enter into restricted spaces, likely by analyzing the Radio Frequency (RF) spectrum on a continuous basis.
The current immaturity of the IoT also makes it different than traditional enterprise applications. We’ve seen in the past when mobile applications started gaining popularity, there are often vulnerabilities left unmitigated in new applications, in an attempt to get those applications to market fastest. We’re going to be facing similar issues with the IoT, in that IoT devices and applications that interface with those devices are frequently rushed to market without including proper security rigor in the design and development processes.
This leaves us with fundamentally insecure components that will have to have defensive layers built up around them, at least for the short-term. Longer-term challenges exist as well, as many IoT devices are disadvantaged- meaning that they don’t have the processing power, memory or sometimes even sufficient communications capabilities to take advantage of proven security technologies.
What role will standardization play in IoT security?
The IoT also suffers severely from a lack of standardization, and this is going to be a big issue when it comes to integrating IoT systems into an enterprise’s existing security capabilities. Without standardized security interfaces to Security Information Event Management (SIEM) systems, authentication and identity management systems, access control systems, and various other security functionality, each vendor is going to provide proprietary interfaces at best, and at worst there will be no exposed interface for doing basic security management of these devices. Industry needs to work on defining and adopting standardized security management Application Programming Interfaces (APIs) for the IoT in order for deployments to be secured properly.
The lack of standardization in the IoT also extends to the building blocks used to construct IoT systems. There are so many options available to create a single IoT device, let alone a system of devices and applications. There are multiple processors, device platforms, operating systems, messaging protocols and transport protocols. Designing a secure IoT device or system requires that vendors understand the security intricacies related to how each of these different layers interact together to form a proper defensive posture. Unfortunately, many vendors right now don’t have that security expertise on hand.
What are some of the APIs and tools that are emerging to address this shift?
There are not many APIs and tools emerging to address this shift right now. One of the reasons this is the case is that, while the IoT in the consumer market is becoming well recognized, there is still a lot of confusion as to what the IoT means to the business and public sectors. Some industries are more mature than others of course, but in general security vendors haven’t really figured out what exactly it is that they need to help secure.
There are some vendors that are catching on however. I’ve talked with a startup recently that is working on a product that is focused on new ways to monitor IoT devices from a Radio Frequency (RF) perspective. There’s also a well-known vendor working on secure virtualized platforms that can be used to host IoT security services for large pools of devices. And there are some key management system vendors that are extending their existing KM capabilities to support provisioning of keys to devices, although this often includes an agent-based approach.
From an API perspective, there are many IoT APIs becoming available now, but I haven’t seen any that focus on security. From a communications security standpoint we do have things like Transport Layer Security (TLS) and Datagram TLS (DTLS) which can be used to provide confidentiality and integrity to various IoT transport protocols, but we also need standardized APIs for IoT security services. We need APIs to ensure that each IoT device is managed and monitored in a consistent manner. At a minimum, we need APIs for:
- Collection of audit/logging data
- Configuration of security controls
- Authentication and Access Control
- Configuration of identities keys/certificates
On the bright side, there is a lot of movement by industry organizations that are working on solving IoT security challenges. Within CSA, we are working with a number of security experts to define IoT Security Guidance for Early Adopters, which we will be releasing prior to RSA 2015. Other organizations such as OWASP, Builditsecure.ly, I am the Cavalry, and NIST have also begun to contribute significantly to helping organizations build a secure IoT.
What do you see as the major challenges around security related integration testing of new code functionality in order to reduce new vulnerabilities in IoT applications?
IoT edge devices are combinations of hardware, operating systems , firmware and software. This means that as new devices are created vendors have to be aware of security vulnerabilities exposed at all layers of the technology stack. This includes things like hardening of the underlying operating system (when applicable), and mitigating hardware-specific vulnerabilities in the platform. IoT devices at the edge also interface with many other devices and systems, creating in effect a system-of-systems. Some edge devices have very limited code built on top of those various frameworks, operating systems and platforms. More complex IoT edge devices do exist however, and these “things” require many of the same secure software development practices as traditional enterprise or mobile applications.
If you look at the OWASP IoT Top 10, you’ll notice that many of the security problems they note have to deal with rather fundamental security concepts. This includes things like insecure cloud and mobile APIs, lack of transport encryption, and insufficient authentication and authorization. Even so, a big challenge is that many of the companies that are creating new IoT devices and applications haven’t really had to build up any expertise around security engineering in the past. Also, many new IoT products will come from startup companies, whose real motivation is to get functionality to the consumer quickly, and not necessarily to ensure that the product is secure. Companies that develop software for e-commerce or mission critical uses have learned over time how to properly implement security controls such as encryption, authentication and authorization -– and have also spent resources on secure software tools that support code analysis, fuzz testing and even penetration testing for the identification of vulnerabilities early on and throughout the product development lifecycle. Many companies in the IoT space today have traditionally built non-connected devices and systems, and as they open up their products to the Internet they are going to have to rapidly build up expertise around security engineering, hardware security and even secure software design and development.
Building up this expertise internally is another challenge in and of itself. The cost to train and keep staff that understand the intricacies of the security discipline and can identify vulnerabilities is very high. I think you’ll see that companies that offer these types of security consulting services will be in high demand over the next few years, as the companies that don’t have the internal capability to build security expertise will begin acquiring those services to keep their products secure. There is another interesting avenue for IoT developers to look towards though- and that is the use of independent, crowd-sourced bug hunters. Sites such as BugCrowd allow developers to have independent security analysts perform code reviews and even in some cases review hardware implementations, then submit vulnerability findings. These types of consortiums will play a significant role in securing the IoT ecosystem moving forward.
Another interesting aspect of IoT is the relation of the cyber and physical domains in some IoT devices. It’s going to be important for developers of cyber-physical systems (CPS) that there is collaboration across distinct engineering disciplines across the development lifecycle. As an example, finding the right balance between safety and security for connected vehicles, airplanes, unmanned aerial systems, industrial control systems and health devices will require a blending of security engineering and safety engineering to ensure that attacks targeted directly at safety-critical controls are mitigated against. It will be important to consider these types of attacks, that specifically target safety systems while performing security integration testing of a cps.
Lastly, as different layers of the IoT technology stack often represent different aspects of the supply chain – hardware, firmware, operating systems, protocols – the interaction of all of these layers can oftentimes result in unique vulnerabilities only present in the single integrators product. If vendors in the supply chain provided positive and negative tests for their contributions in the product, then each higher layer developer could use those tests to validate that the underlying foundation that is being used for their IoT device is secure, and is secure in the context of the final application being developed. These tests could be containerized for easy download and running through autonomous testing tools during iterative integration testing. As an example, if you are an IoT developer that is relying on an external TLS implementation, that TLS library should come with a full suite of conformance tests for that library, which would allow you to run them autonomously.
What is the current state of tools for modeling and simulating the security defects around the Internet of Things?
Well the tools that most people would be familiar with for validating embedded systems against their design specifications are still around, however I don’t know that many IoT vendors are actually using them to find security defects. There has been some really interesting research being conducted in the area of formal methods lately though, including work to develop formal methods for cyber-physical systems. Early work has been applied to unmanned aerial systems so far, but I expect that as the work matures it will be applied to other cps domains such as connected vehicles and industrial control systems.
Looking at the question a bit differently, at my company we recently completed a modeling and simulation effort to understand system-level security issues related to connected vehicles and the protocols that allow for communication between those vehicles, the infrastructure and mobile applications. We had to piece together a suite of modeling and simulation tools that would allow us to do this. If we wanted to change domains and analyze health care specific IoT devices for example, we would need to change out the underlying stack of tools we used since we’d be modeling significantly different types of uses and completely different protocols stacks.
Modeling and simulation of security defects at the system-level would provide interesting and useful capabilities for organizations that are going to begin deploying thousands to millions of IoT devices across their infrastructure. These devices interact with each other, cloud services, or even directly with people and devices outside of the organization’s boundaries. Modeling and simulating these rich interactions would allow for companies to tune their security architectures after running numerous attack simulations against the planned deployment model. Reference implementations /gold standards of APIs and IoT protocols would form the building blocks of this capability.