The best way of protecting the IoT – MuleSoft CTO

The Internet of Things (IoT) is going to have a transformative impact on business and society. It is and will continue to serve as a bridge between the virtual and the physical world.

This is a direct bridge, according to Uri Sarid – CTO, MuleSoft. Not one where there are humans in the middle, who take the information from the devices and impact the physical world. “This is the physical world taking the action directly,” he said.

“I think this is the big ground-changing moment. That kind of connection between the physical and the virtual world, or the computer world, where there is no human in the way is very significant.”


“In a lot of ways it’s more secure, but there are also a lot of ways in which it’s less secure and that’s what makes IoT security so interesting.”

But protecting the IoT is a challenge.

Uri Sarid believes protecting the Internet of Things needs to start at the design phase

The IoT security risks

As this explosion of connected devices comes into the market, the inevitable security risks also increase. But, what exactly are these security risks?

One of the main weaknesses with the IoT is a lack of understanding of how to secure a system that is based in both hardware and software. In general, how to secure software systems on their own is understood, explained Sarid.

“You patch operating systems, you patch the code, you put certain layers in front of the code; it’s relatively well understood. I’m not saying that everybody is doing it, by any means, but at least one understands it.”


“When you get into the physical realm, there are many other layers underneath that that you may not understand. The devices themselves may well be outside of any kind of protected perimeter. The operating system that it runs on is usually unconventional. The ways in which it communicates, the protocols and the networks and so on are typically quite different. The people who manufactured it are usually not your general software manufacturers, and so they may or may not have any particular security competence, they may have outsourced that to someone else, etc.”

Integrating the physical into a world of software brings up interesting challenges.

“It’s a little bit similar to when software-defined networking became popular or became a significant trend, and you needed to bridge between the world of people who know how to create networking devices and the people who know how to create software. A lot has been written about ‘how do you bridge these two worlds’.”

‘Unintended side effects’

“What you get with IoT can be similar to what you get with software systems where, if you can make a bunch of physical devices act in concert, together, you can get unintended side effects,” said Sarid.

“An example from the software world many years ago, relates to Amazon when it had an interesting failure of its storage devices. And when its storage devices fail, they’re programmed to automatically fail back to another backup storage device. When you have millions of them failing at once, and all of them try to failback, failover to the backup devices, the network that allows them to do that gets congested and it leads to a cascade effect that brought the entire system down.”


“A similar kind of thing can happen in the IoT world. A good example is smart meters. If you can for some reason cause lots and lots of them to reset, you can trigger mass outages. The electric grid, for example, is not designed to handle very large scale outages. So, even though each individual event may be completely correct, when you have millions of them happening within a short time window, you can actually bring major parts of the grid down and that’s one of the known attack vectors against the grid.”

“The same kind of thing can happen across lots of IoT devices and then it gets into the question of well, when lots of them fail, what are the consequences? Are they, for example, letting a lot of water drain and flooding an area? Are they the kinds of things that we had where devices might fail open and now they are susceptible to attack? Can you implant malicious software in devices that run consumer homes? We’ve seen that happen before. All these kinds of phenomena are related to the mass attack or mass automation that you can do, once that physical world is bridged to the software world. In the physical world, it’s very hard to make lots of things happen together; in the software world, it’s very easy to automate that.”

Protecting the IoT

The impact of taking advantage of IoT devices is wide-ranging and dramatic. Think of the Mirai botnet. So, how can organisations protect the IoT, so that they and their customers can move forward with the technology (and its potential for driving innovation) in the safest way?

It starts at the design phase. Security has to be built in from the very beginning of production. These connected devices should also be built so that they can be updated after the initial design phase.


“If I know that all of these devices and all of these capabilities are just another set of capabilities in my application network, I can then start to tie security best practices to them. I can design these systems in such a way that you anticipate in advance what kind of data will they be providing. What’s the sensitivity of that data? Who has access? What kind of policies do you put in front of them? How can you later discover that they exist and go back and review them? How can you turn them off when necessary? All of these mechanisms that we’re used to doing for software systems, you need to be able to build that for IoT systems as well.”

“Once you’ve done that, then you’ve future-proofed a lot of the security concerns because if something happens in the future, you know how to get back to them. They’re not buried underground. You know what kind of data they may expose, you can go back and turn them off if necessary. You can apply complex event processing. What that means is that you could, for example, set monitors to say if I get more than say 100 events in one minute of a particular type, go trigger some alert. That isn’t the kind of thing that you necessarily would have anticipated in advance, but because they’re registered just like other APIs, you can build that in later as the need arises.”
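The kind of monitor Sarid describes, "more than 100 events of a type in one minute", is a sliding-window rate check over registered device events. The code below is an added illustration, not MuleSoft's or the interviewee's code; the event type names and the sample burst of smart-meter resets are constructed.

```python
from collections import defaultdict, deque


class RateMonitor:
    """Alert when more than `threshold` events of one type arrive within `window_seconds`."""

    def __init__(self, threshold=100, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        self._events = defaultdict(deque)  # event_type -> timestamps, oldest first
        self.alerts = []

    def observe(self, event_type, ts):
        """Record one event (timestamps arrive in order); return an alert dict or None."""
        q = self._events[event_type]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) > self.threshold:
            alert = {"type": event_type, "count": len(q), "at": ts}
            self.alerts.append(alert)
            return alert
        return None


def run_monitor(events, threshold=100, window_seconds=60):
    """Feed (event_type, timestamp) pairs through a monitor and collect the alerts raised."""
    mon = RateMonitor(threshold, window_seconds)
    return [a for a in (mon.observe(t, ts) for t, ts in events) if a]


def sample_events():
    """Constructed sample: routine telemetry plus 120 meter resets inside 30 seconds."""
    events = [("meter.telemetry", i * 2.0) for i in range(60)]  # one reading every 2 s
    events += [("meter.reset", 1000.0 + i * 0.25) for i in range(120)]  # a mass-reset burst
    return sorted(events, key=lambda e: e[1])


if __name__ == "__main__":
    for alert in run_monitor(sample_events()):
        print(alert)
```

The telemetry stream never trips the threshold, while the reset burst raises an alert on the 101st reset and on every reset after it while the window stays saturated.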


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
