With more reports of successful cyberattacks on the Internet of Things (IoT), from connected cars, hospitals to nuclear facilities, the security vulnerabilities of IoT have been thrown into the spotlight. At the Cybertech Singapore 2016 conference, a panel discussion was held on the cybersecurity landscape of IoT today.
Larger attack surface
Zori Kor, Vice President, ASERO Worldwide, pointed out that IoT presents a much larger attack surface for hackers, making it difficult to secure. “If everything is open and everything is connected, it means that the attack surface is much bigger. Instead of two or three doors where the bad guys might sneak into, in an Internet of Things environment, everything is connected and the attack surface is much bigger, so hackers have more options to operate in.”
Risky adoption of IoT
Panellists expressed concern at the speed and scale of market-driven IoT adoption, without having sufficient security measures, practices and standards in place.
“The time it took for the land line telephone to spread across the USA spanned decades, whereas the smartphone took just a few years. It is mindboggling, the speed at which people are adopting new technologies, and often they are not putting enough thought behind the security aspect of these technologies,” said Prof. Anupam Chattopadhyay, Assistant Professor at School of Computer Science, Nanyang Technological University.
“The IoT revolution is driven by innovation, and that innovation enjoys a very fast adoption rate by consumers and businesses. Maybe that speed and scale is too hard for us to prepare to, and maybe it is also unpredictable. The social impact introduced by interconnectivity is unpredictable. We will have to address new social questions in the area of privacy, with device tracking, with machine automation, these are questions we have to answer pretty soon,” said Eynav Haim Sayag, Head of Technologies R&D at the Israel National Cyber Bureau.
“Security always plays second fiddle to market ability, to commercialization, to speed to market, to adoption, to convenience. Convenience is the arch enemy of security. The challenge is, how do we embrace all of this technology, and allow it to create and distribute this data in a way that is secure, in a way that is controlled?” said Nick Klein, Director of Klein & Co. Computer Forensics.
Lack of IoT patching
Sayag described the current lack of patching cycles as “a major flaw” in IoT security, while Chattopadhyay pointed out that manufacturers are reluctant to implement hardware patching support.
“There are a lot of security issues which cannot be patched [through software]. You have to recall the devices, you have to modify the whole hardware. For that, it becomes expensive for the manufacturer, the consumer and the developers to recall these. That makes them reluctant to invest and popularize this kind of thing,” said Chattopadhyay.
Information security risks
Klein said that over the last 10-15 years, we have gradually extended the boundaries of our personal information both as individuals and organizations, and this information can be used in malicious ways.
“We have our smartphones, we are connected to the Internet, and we are constantly transmitting information about ourselves. Imagine when we take the next step, when we have constant interactive connectivity with the Internet. All of this is going to create huge amounts of information. That information can be beneficial, but in the wrong hands that information can be used against us in different ways,” said Klein.
On a state level, Klein suggests that we have entered a new era of cyberwarfare where cyberweapons have the ability to cause physical kinetic damage to a system, such as in the case of Stuxnet. He also pointed out that cyberweapons can be reverse engineered to cause more harm.
“As we have seen in Stuxnet and other situations, cyberweapons are unique. If you deliver a cyberweapon on someone, it can be captured, reverse engineered and used back against us. It creates a whole new era on the use of this kind of technology for malicious purposes, not only by governments but by organised crime groups, by anyone who cares to pick it up and understand how it works.”
Multiple layers of security
Sayag said that there is probably no one tailored solution for IoT security. The industry will need to adapt existing cybersecurity techniques and practices to new IoT device constraints and networking models, and adopt a holistic approach comprising of multiple layers of security.
“The solution is most probably not comprised of a single layer of security to add on top of the new devices. What we need is a holistic approach that addresses security on all the different layers of the new technologies – the hardware itself, the software, the networking layer, the devices etc. That is the challenge we are currently facing,” said Sayag.
What needs to be done?
What needs to be done to address the new security challenges presented by IoT? Panellists called for regulatory boards to enforce IoT security standards and put a curb on risky adoption of new technology.
“With IoT, it’s only a question of time that with regards to privacy and physical security issues, governments will have to enforce regulations and standards,” said Sayag.
“It’s a two way process. One is from the regulatory authorities, to come up with really strong steps, to encourage development of security of IoT nodes and devices; and on the side of users, they should be more aware of the kind of things that can be hacked,” said Chattopadhyay.
“I think we are too passive about these new challenges, we think that they will be sorted out by themselves, maybe by market forces. We should work faster, and we should encourage more innovative technologies and products with built-in security in mind. That is something the security community, researchers and the industry, should consider right now. I think this is a problem we should solve altogether,” emphasized Sayag.
Sayag also gave a number of recommendations on addressing the challenges of IoT security:
1) Rely on evolved cloud security techniques and keep logic devices thin. Cloud security has evolved and matured in the recent decade, and should be used for data accumulation and smart decision making aspects of IoT. This way, IoT sensors can remain thin, reducing security risks resulting from these devices.
2) Develop dynamic capabilities that support changes in network and environment, such as behavioural detection algorithms and asset mapping for IoT.
3) Establish standard protocols and libraries. This will pave the way for IoT patching cycles, and allow greater community contribution for security and continuous vulnerability management.
4) Improve human and device authentication
5) Develop capabilities to auto-manage networks, to automatically detect IoT devices, configuration errors and security vulnerabilities.