In the emerging market for internet-connected things, the key driver for manufacturers is to get the product out.
Often, there is no time to conduct a deep security analysis, leading to a lack of attention being paid to security. The implication of this was among the topics of discussion at September’s CW500 Club meeting, IAM and the internet of things: are you human or machine?
Internet-connected things are not strictly IT products, and so the principles of information security may not apply to them directly.
What works in IT security is not necessarily the correct approach to security in the world of the internet of things (IoT). For instance, some industrial devices were built 30 years ago and were never designed to be internet-enabled. As smart watches become more prevalent, the idea of ordinary consumers trying to keep them fully patched and secure is somewhat at odds with the idea of a device that the user wears as a fashion accessory.
Nevertheless, there is more to IoT security than merely the device, warns CW500 panellist Douwe Mik, director of cyber security at EY. "IoT is not just the thing; there is also the network," he says. Given that a hacker only has to steal credentials to gain access to a corporate network, Mik warns: "It is hard now to imagine secure borders when you have millions of things."
The risk is exacerbated by the nature of manufacturing, where the final product – such as a car – comprises parts from many suppliers. An internet-connected thing may include several third-party components, each of which could pose a potential security risk.
Even a seemingly unrelated internet-connected thing can be exploited as a vector of attack to gain unauthorised access to other systems. For instance, the theft of 40 million customer credit card numbers from US retailer Target occurred via a vulnerability in Target’s heating, ventilation and air-conditioning system, says Mik. Once it was compromised, the hacker was able to exploit a security weakness in the retailer’s Windows-based point-of-sale system. "An attack on one is an attack on all," Mik adds.
IoT security is more complex than information security. "IoT represents multiple networks of individuals and things," says Mik. "We shouldn’t forget that a lot of the information flowing across networks from smart meter or internet-connected cars will be tied back to an individual."
In July this year, Wired magazine published an article describing how two hackers, Charlie Miller and Chris Valasek, demonstrated a live hack on a Jeep while it was being driven by the article’s author.
CW500 panellist Simon Gratton, chief data officer at Zurich Insurance Company, feels identity is a concept the security industry still finds difficult to tackle. He warns that the perimeter IT security professionals have become accustomed to has moved outside the control of the organisation, into ecosystems, networks and partnerships over which the organisation has no control.
"Identifying people is a challenge. It takes a gargantuan effort just to identify someone," says Gratton. While Microsoft’s Active Directory is widely used in business for identity and access management on the corporate network, "it is more an inactive directory", says Gratton.
He believes there is now an inflexion point in the way people's identities are being managed and the need to manage machine assets. "It is no longer just about an individual with a logon ID on a Windows network," he says.
For Gratton, harnessing data is key to identity and access management. The average business integrates only about 25% of its own data, yet the IoT data challenge will be immense, he says. "The average GE jet engine has 20 blades. Each blade generates the same data in a day as the global Twitter feed. So, in the future, we will require very smart data filtering."
From an IT security perspective, all this data needs to be contextualised. "Just identifying an individual in the context of the interaction taking place is incredibly difficult," says Gratton. "So we will need to develop mechanisms to develop identity containers for people and machines."
According to Gratton, identity and access management is evolving to identity relationship management. "Identity access management is about identifying an individual," he says. "We are moving to the era of identity relationship management, which is about identifying the relationships with something."
He warns that identity relationship management requires a very different skillset. "You need to be able to understand the relationship between the interaction of people and things, which requires an understanding of ontologies, semantics and learning algorithms. It is no longer about joining two [data] fields together and linking a few systems together. Now we have to teach devices to understand these relationships."
On the home front
Connecting more things to the home network creates greater risk of intruders breaking in. Jackson Shaw, senior director of product management for IAM at Dell, who also spoke at the CW500 event, recalled how he once installed one of the company’s enterprise firewalls at home and was surprised to see internet traffic from China on his home network.
Enterprises are also at risk, given that many people use a VPN to bridge their home network to the corporate network, he says.
Shaw says that while security is evolving, the market in IoT security is still immature, and there is a distinct lack of standards. Discussing Quirky, a company that recently went bankrupt due to a huge product recall arising from an expired security certificate, he adds: "Quirky’s Wink hub seemed like a pretty good product and was sold at Home Depot and Best Buy. It was really surprising they sent out devices with an expiring security certificate but, as a software person, I know exactly how this happened. Someone needed a certificate for secure updates. They got a temporary certificate, and no one realised it was an expiring certificate."
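The Wink hub failure Shaw describes is a case of a certificate's lifetime being shorter than the product's. The following is an added example, not code from Quirky, Dell or the article: a pre-ship check that compares a certificate's notAfter date against the number of years the device is expected to operate in the field. It works on the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; the certificate values below are constructed for illustration, as is the five-year service life.

```python
import ssl
import time

# Constructed sample in the shape of ssl.SSLSocket.getpeercert() output for a
# hypothetical device-update server certificate. All values are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "updates.example-hub.invalid"),),),
    "issuer": ((("commonName", "Example Temporary CA"),),),
    "notBefore": "Sep  1 00:00:00 2015 GMT",
    "notAfter": "Dec  1 00:00:00 2015 GMT",  # a short-lived, "temporary" certificate
}


def days_until_expiry(cert, now=None):
    """Days from `now` (epoch seconds, UTC) until the certificate's notAfter.

    ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format
    that getpeercert() uses, so no third-party X.509 library is needed.
    """
    if now is None:
        now = time.time()
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now) / 86400.0


def check_service_life(cert, expected_service_years, now=None):
    """Return (ok, days_left).

    ok is False when the certificate baked into the firmware will expire
    before the product's expected service life ends, i.e. before units
    still in the field stop needing to fetch secure updates.
    """
    days_left = days_until_expiry(cert, now)
    required_days = expected_service_years * 365
    return days_left >= required_days, days_left


if __name__ == "__main__":
    # Hypothetical release date and a five-year expected service life.
    release_time = ssl.cert_time_to_seconds("Sep 15 00:00:00 2015 GMT")
    ok, days_left = check_service_life(SAMPLE_CERT, 5, now=release_time)
    print(f"certificate valid for {days_left:.0f} more days; ship: {ok}")
```

Running this against the device's update-server certificate at release time, rather than against a test server's, is the point: a "temporary" certificate that will be rotated later looks identical to a permanent one unless its lifetime is compared with the product's.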
Shaw hopes the government will get involved in mandating standards, such as in driverless cars, where people’s lives could be put at risk from remote hacking, as in the Jeep hack. But he says: "We are dealing with a brave new world and there are no [established] standards around."
He thinks certain evolving standards, such as OpenID Connect and User Managed Access, could be applied to IoT. OpenID Connect is an interoperable authentication protocol built on OAuth 2.0, which aims to simplify password management; UMA (User Managed Access) is an initiative to enable an end-user to make decisions about privacy.
Why take the risk?
Given the inherent risk, CW500 panellist Andy Jones, CIO of shipping firm Maersk, believes the security stakes of IoT are different from information security. "We don't want machines connecting into our corporate network," he says. Moving a ship is safety-critical, so the idea of a hacker remotely controlling it in a similar way to how the Jeep was hacked is too risky, he adds.
And it is the same story with cars as they become ever smarter and more connected. "The automatic tyre sensor check, which will be mandatory on all new cars, contains 12,000 lines of code," says Jones. "It will go wrong and you are doing 70 mph."
But if the risk is this great, why connect things to the internet at all? Jones sees huge potential for the IoT at Maersk. "We would really like to know what is going on in a container, such as monitoring containers in transit," he says. Such monitoring would enable Maersk’s customers to ensure containers containing cold goods remain at the correct temperature – or help fruit ripen more quickly by allowing the temperature of the container to rise.
There are potential benefits for such remote monitoring across many industries. Jones, who used to work at consumer packaged goods company Unilever, says: "Unilever would pay good money to look into your fridge, toaster or washing machine."
But among the issues facing security experts is the fact that IoT devices have the potential to generate so much information that there is too much data to process. It is not feasible to store a week’s worth of turbine data, then expect to run an analysis on it. The world of IoT needs real-time analytics. Using predictive analysis on streams of data may be the only option to identify anomalous activity.
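One way to flag anomalous readings on a stream without storing it, as an added example that is not from the article or any of the companies mentioned: an exponentially weighted running mean and variance kept in constant memory, with each new reading scored as a z-score against them. The container temperature readings below are constructed; the reefer set-point of minus 18 degrees, the smoothing factor, the threshold and the warm-up count are assumptions chosen for illustration.

```python
from math import sqrt


class StreamingAnomalyDetector:
    """Flag readings far from an exponentially weighted running mean.

    State is three numbers (count, mean, variance), so a week of readings
    never needs to be stored; each reading is scored as it arrives.
    """

    def __init__(self, alpha=0.1, threshold=4.0, warmup=10, min_std=0.1):
        self.alpha = alpha          # weight of the newest reading
        self.threshold = threshold  # z-score above which a reading is flagged
        self.warmup = warmup        # readings to absorb before flagging anything
        self.min_std = min_std      # floor so a flat series does not divide by ~0
        self.n = 0
        self.mean = 0.0
        self.var = 0.0

    def update(self, x):
        """Score reading x, then fold it into the running statistics.

        Returns True if x is anomalous relative to what came before it.
        """
        self.n += 1
        if self.n == 1:
            self.mean = x
            return False
        diff = x - self.mean
        std = max(sqrt(self.var), self.min_std)
        anomalous = self.n > self.warmup and abs(diff) / std > self.threshold
        # Exponentially weighted updates (Welford-style recursion for the
        # variance); the reading is absorbed even when flagged, so a genuine
        # shift in operating conditions becomes the new normal over time.
        self.mean += self.alpha * diff
        self.var = (1.0 - self.alpha) * (self.var + self.alpha * diff * diff)
        return anomalous


# Constructed sample: a refrigerated container holding around -18 C with
# sensor noise, then a single spike at index 21 (e.g. a door left open or a
# faulty reading), then a return to normal.
SAMPLE_READINGS = [-18.0, -17.9, -18.1] * 7 + [-5.0] + [-18.0, -17.9]


def detect_anomalies(readings, **kwargs):
    """Return the indices of readings the detector flags."""
    detector = StreamingAnomalyDetector(**kwargs)
    return [i for i, x in enumerate(readings) if detector.update(x)]


if __name__ == "__main__":
    print("anomalous indices:", detect_anomalies(SAMPLE_READINGS))
```

The floor on the standard deviation matters for exactly the kind of sensor the text describes: a reefer that has held its set-point for hours has a variance near zero, and without the floor the first tenth of a degree of drift would be reported as an anomaly.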
But, as Zurich Insurance’s Gratton points out, IoT is not the same as information security – it requires a different set of skills.