The Need for Security in the Internet of Things | Part 2 Securing the IoT
In this two-part blog I first explored the phenomenon that is the Internet of Things (IoT) and how safe it is from a security perspective. In Part Two of this blog I will investigate how IoT security can be improved in terms of the role and use of security best practices, tools and testing.
Part One highlighted that IoT would seem to have a very bright future: it has been estimated that the total value of IoT over the next few years could be as high as $19 Trillion!
On the other hand, IoT security has become a high profile issue, with 46% of respondents in a recent survey citing security concerns as a major barrier to IoT adoption (451 Research).
If nearly half the people in the survey were not happy about acquiring, using and adopting IoT solutions, this will be a major blocker to the growth of the IoT industry. Clearly some means of reaffirming public confidence in IoT security must be found.
One lesson of history we learnt decades ago in software development was that quality has to be built into a solution from the beginning and that we must test this early and often throughout the development life-cycle. This is as true for IoT security as it is for software quality.
Security must be an integral and continuous aspect of the IoT solution development lifecycle. Leaving it to the end of development to identify and fix a security risk or vulnerability (or even allowing it to be found by a user, or god forbid – a hacker) will be much more expensive than catching that issue early and fixing it in a timely manner.
If we leave it to the individuals involved in developing IoT solutions to ensure that proper IoT security best practices are used from the earliest stages of development, and that proper security testing is employed throughout the process, we will end up with IoT solutions that contain lowest-common-denominator levels of security, analogous to IT users with administration accounts whose name is “admin” and whose password is “password”!
When developing IoT solutions, we must ensure that the tools we use embody and enforce IoT security best practices – security must be built into the solutions from the start and verified throughout the development process.
Are there examples of this sort of approach to developing IoT solutions?
There are; the IBM Watson IoT Platform is one example that embraces this principle and provides comprehensive facilities for designing, implementing and delivering IoT solutions.
In effect, the Watson IoT Platform has security by design engineered into the platform and the infrastructure on which the platform is based. In a final smart enhancement the platform also delivers cognitive support for intelligent IoT solution design and implementation.
Specific areas of IoT security addressed in the Watson IoT Platform include:
- Device and Data Protection: with secure device-to-cloud interactions, encryption, rigorous validation and authentication of device identity, plus access controls for users, applications and gateways.
- Proactive Threat Intelligence: with comprehensive expert risk assessment, flagging vulnerabilities for remediation and smart real-time analysis of device behavior.
- Smart Risk Management: with identification of threats through event correlation analysis, the ability to learn about the changing threat landscape, incident response based on analytic reasoning and prioritised by confidence measures, threat forensics and continuous performance improvements through machine learning.
And what of the role of best practices in developing secure IoT solutions? Security by design, that is, being aware of the need for security and building it in from the beginning, is the key best practice that all others flow from.
As part of this philosophy, IoT solution developers should:
- Be aware and knowledgeable about current and emerging security risks and vulnerabilities and understand how to address them in the IoT solutions that are being built.
- Not work in isolation. Take advice from the wider IoT and security community – join special interest groups, attend IoT and security MeetUps 1, consult with IoT security experts 2, keep abreast of the online and other IoT security literature.
- Ensure that all stakeholders involved in developing an IoT solution take ownership of the need for security – encourage a culture in which security is everyone’s responsibility.
- Ensure you and your team don’t forget the lessons of history; document and reuse IoT security techniques, approaches and practices that were successful. Conversely, document and challenge the use of those techniques, approaches and practices that were not successful, or that could be improved.
- Thoroughly test the security aspects of your IoT solution early in its development and frequently throughout the project. Identify risks and vulnerabilities early and fix them early – late discovery of a security issue is likely to be much more expensive to remediate towards the end of a project and highly likely to delay delivery.
IBM’s AppScan is an excellent example of a security testing tool that embraces this principle: it comes in “source” and “enterprise” flavors, enabling frequent testing by the developers during development, testing of the final version of the software, and continued testing into delivery and beyond.
Although there is plenty of scope for testing during IoT development, another best practice is to ensure thorough security testing once development is complete: in effect, IoT security penetration testing.
While this level of IoT security testing can be conducted “in-house”, there are compelling reasons to consider using an independent or even external testing team 3.
In addition to providing a fresh perspective on security testing of your IoT solution, such a team will also bring knowledge from testing similar solutions and up-to-date knowledge of IoT security risks and vulnerabilities, and can apply proven testing best practice, process and automation to identify potential security issues in IoT solutions.
These high profile industry figures have a wealth of IoT security testing knowledge and expertise. You may be interested to know that both Ray and Ken are speaking at Duncan Purves’s October Thames Valley IoT MeetUp. Both Ray and Ken are excellent speakers and I recommend you take the opportunity to attend and hear what they have to say on the subject of IoT security.
We began Part One of this blog with a quote from philosopher George Santayana on not forgetting the lessons of history. We will close with some more wisdom, this time from 12th century scholar Bernard of Chartres, who said:
“Nanos gigantum humeris insidentes.”
“We are like dwarves perched on the shoulders of giants.”
The quote highlights that our present amazing inventions and developments only exist because they are built on top of the work done by the giants of the past.
So, with the developments in the field of IoT, we might legitimately ask the question – are our security issues because of giants with poor memories, or dwarves who just don’t want to learn the lessons of history?
1. Such as Duncan Purves’s Thames Valley IoT MeetUp in October, where IoT security gurus Ray Evans and Ken Monro are due to speak.
3. There is often a very subtle issue with the developers performing this final IoT solution security testing. Typically the developers will be testing to show that the security built into the solution works, whereas an external team of testers will be looking to demonstrate the security built into the solution doesn’t work. It is possible that this subtle unconscious bias may allow risks and vulnerabilities to slip through, which most likely would have been picked up by experienced “external” testers.