iconimage - Fotolia

IoT security window closing

The window of opportunity for addressing security risks in internet of things devices is closing rapidly, according to Intel's IoT security manager

Industry players need to address the security of internet of things (IoT) devices urgently before it is too late, according to Lorie Wigle, general manager, IoT security at Intel.

“The recent [IoT botnet] attack on DNS services provider Dyn should be a wake-up call,” she said at Intel Security’s Focus 2016 customer and partner event in Las Vegas.

It is good that the attack has happened now, said Wigle, because it shows that the current state of IoT security is far from where it should be.

The technology industry has a window of opportunity to ensure IoT is adopted with maximum security and minimum risk, but that window is small and closing rapidly, she warned.

This window is important, said Wigle, because the number of IoT devices is only going to grow and a lot of IoT devices will be in use for decades.

“[Internet connected] cars will be on the road for at least 10 to 15 years, so we need to get the security built into these devices,” she said.

Equally important, said Wigle, is the need to ensure that security can be “operationalised” in the sense that these devices must be capable of being updated and upgraded when necessary.

“This is important because, just five years from now, the threats will probably be of a kind we cannot even imagine today,” she said.

Default usernames

Returning to the distributed denial of service (DDoS) attack on Dyn, Wigle said one of the most significant aspects of that incident is that the attackers were able to find devices that had default usernames and passwords.

“The manufacturer had not shipped them with the requirement that the password be changed, which was a problem because many users had not done so,” she said.

For this reason, Intel with its security group is working on technologies to ensure that devices can be “on-boarded” in a way that does not require the user to enter a password using pre-programmed credentials, for example.

“In the meantime, we have this tremendous set of vulnerable devices out there that the Dyn attackers were able to take advantage of,” said Wigle.

The other significant aspect of the Dyn attack, she said, is that the owners of the IoT devices used to carry out the attack were unaffected and unaware.

“There may have been a slight dip in performance, but the real victims were not the owners of the IoT devices,” said Wigle.

Threat of ransomware

The next phase of attacks taking advantage of vulnerable IoT devices could include weapons such as ransomware, she warned. “If we don’t get ahead of this, we are going to see another wave of attacks that will be a lot more harmful to the consumer,” said Wigle.

“What we are working on, which is consistent with other work at Intel Security, is protecting against the threat defence lifecycle, looking at what we need to do to detect, protect and correct, and then adapt.

“There are several ways we are doing this, such as making sure there is a good hardware foundation by taking full advantage of what can be built into Intel processors and SOCs and then putting the right software on top of it.”

Unique aspects of IoT

Intel is also looking at taking advantage of the unique aspects of the IoT. In the automotive sector, for example, the supply chain is hugely important, with up to 80% of component integration done by third-party suppliers.

“For this reason, it is very important that we have very good security development lifecycle practices, including managing the supply chain, which is a big part of our approach to protection,” said Wigle.

“We also believe that device identity is a fundamental capability that will be really important for IoT, and that it plays a role in both protection and detection, and then, of course, we need to correct.”

Read more about IoT security

The other unique aspect of the IoT that needs to be thoroughly understood by system makers is the fact that, in many cases, IoT devices interact with the physical world, said Wigle.

“This is one of the things that make IoT devices unique, so we need to be thoughtful in system design about what happens if a compromise is detected, so that devices fail in a safe way,” she said.

Intel believes the key to enabling secure IoT starts with a secure hardware foundation, which includes, for example, secure boot, having a place to store secrets, having hardware identity, having software identify – or a way to attest that it has not been modified – and a trusted execution environment.

“Then we have a lot of capabilities that we can put on top of that,” said Wigle. “Things like our whitelisting technology – McAfee embedded control – which is a wonderful capability for IoT devices because most of them have a limited set of functions that they need to perform, so it is much easier to lock down what can run rather than trying to keep a set of hashes up to date to blacklist what can’t run.”

Other key elements include encryption of the data, policy management for the security activities associated with the devices, and mechanisms for provisioning and revocation.

Wigle emphasised that no single company can solve the IoT security problem. “We need to work together as an industry,” she said, and highlighted three key cross-industry initiatives:

1. The Industrial Internet Consortium

2. Open Connectivity Foundation

3. GSM Association

In collaboration with the Industrial Internet Consortium of about 250 companies, Intel Security has recently published a security framework document, said Wigle.

“This is a 75-page prescription for how to secure an industrial internet system, which has been extremely well received by the industry and the analyst community,” she said.

The Open Connectivity Foundation effort is more consumer-focused, but significantly has united two previously competing initiatives by Qualcomm and Samsung and Intel.

“It also includes open source implementation, so the group does specifications but also does open source implementations that makes it easier to adopt,” said Wigle.

The GSM Association effort, she said, is being driven more from Europe, but is working with Intel Security, which contributed to the publication of guidance for IoT security.

“This contains strong recommendations for device makers, network makers and cloud services providers, as well as a self-certification checklist,” said Wigle.

The checklist is aimed at helping device makers to evaluate their organisational capacity to do things like risk assessments and follow a secure development lifecycle, and to evaluate specific devices and implementations.

“This is a really promising effort, and we are excited about it because a lot of governments want to do something around IoT security, and this is a thoughtful industry approach that hopefully regulators can build on,” said Wigle.

Read more on Privacy and data protection