Hardware: A Building Block for IoT Security
For all its promise, the Internet of Things packs a lot of fears.
Most recently, of course, two hackers completely immobilized a Jeep Cherokee as a driver headed down a highway at 70 miles per hour. Other headline-generating incidents include a hacked refrigerator that was among many household devices to send more than 750 malicious emails when a botnet infected its router, and a demonstration of how Nest home thermostats could be hacked to spy on householders. A security researcher allegedly took control of a commercial airplane via the entertainment system, the same methodology hackers used to control the Jeep. (The Federal Bureau of Investigation denied the attack occurred and was investigating.)
"Aircraft technology is among the most sophisticated and expansive designs delivered within a confined space. The potential for mistakes having drastic implications is obvious," Steve Hultquist, chief evangelist at RedSeal, told Enterprise Technology at the time of the airplane hack. "While it seems unimaginable that an inflight entertainment system would connect directly to flight control systems, the complexity of these systems makes the implications of design or implementation errors dramatic and significant. Automated analysis of the interconnections between all systems, including all possible paths through them and between them, is a critical requirement for all networked systems, not the least of which being aircraft technology."
Considering where and how individuals and enterprises plan to use IoT devices, security should be top-of-mind among both the general public and the C-suite. A typical IoT implementation at a warehouse or hospital could involve tens of thousands of sensors, for example. So-called smart appliances or devices connect to the Internet and could share information they collect, whether it's on families, patients, or sensitive corporate sales data.
To combat insecurities and protect everyone involved in the IoT ecosystem, developers are rolling out a plethora of solutions – add-on and built-in – to address everything from sensors to networks to controllers. But given the complexity, size, scope, and typical simplicity of the user interface, it's challenging – albeit feasible – to deliver cost-effective, unobtrusive, speedy security across the scope of an IoT solution.
"Security's got to be enabling, not disabling, and the whole idea is to increase the friction for attackers," Colin McKinty, vice president of cyber security strategy Americas at BAE Systems, told Enterprise Technology.
Yet this front-facing simplicity is misleading. IoT devices often are complex and feed into sophisticated analytics solutions that power organizations' future decision-making, Shane Dyer, founder of IoT platform company Arrayent, told Enterprise Technology. Whereas the sensors themselves may be simple ruggedized devices, other pieces of an IoT solution are complicated, no matter how easy they may be to operate.
"There's a big debate on how to secure or how to understand the complexity of the security of the devices that are going to be deployed out in the field. We've put a lot of complexity out on a device level. That makes the devices themselves very complex and, in many cases, makes them more vulnerable because we've put big computers in each of the systems," he said. "Think about how difficult it is to keep your computer and cellphone up to date. The only way consumers and CIOs are going to survive is by keeping that environment very simple, harkening back to the embedded systems that have been around us through our lives."
To address security, several developers, such as AMD and Arrayent, advocate implementing IoT security in the hardware itself, rather than relying exclusively on software updates. This approach bakes security into the hardware from Day One, making it more difficult for hackers to attack and easier for organizations to protect, executives said. Intel melded several acquired technologies, such as McAfee security software and WindRiver gateways, to create the Intel IoT Platform.
"Every extra line of code you put into that product makes it more likely it's going to crash and makes it more likely you'll introduce a vulnerability," Dyer said.
IoT faces four major challenges, said Diane Stapley, director of IHV alliances at AMD, in an interview. These include the consumerization of IT, mobility, data in the cloud, and "this concept of advanced, persistent threat," she said. "Security can't really rely on just software anymore. There needs to be cooperation between hardware and software. It's very difficult for me to believe, as a technologist, that any system could declare itself to be 100% secure because hackers will hack."
AMD uses ARM TrustZone – a system-wide approach to security for devices ranging from servers to wearables – on top of its AMD Secure Processors. This open, scalable approach, a key part of AMD's roadmap that involves implementing security in the devices, builds on products it rolled out last year, Stapley said.
"The goal is to take it across the entire product portfolio across this next short period," she said. "It's almost a reuse factor because of the open standards nature of it. As we roll out more and more AMD-based product and you see more AMD product from our customers, more of our AMD Secure processors, you'll see not only a good reception of hardware-based security but you'll see us pushing this into organizations that can benefit from this the most, enterprises come to mind."
Hardware-based security is necessary because of the sheer volume of data within IoT, said Arrayent's Dyer.
"Machines are relentless. The amount of data all these devices can and should send to create a better product, they don't go to sleep. You start to look at messages per second rate from a company that sells hundreds of thousands or millions of products and it’s a very different load from a web company that sends messages," he said. "It really changes the way you think about the fundamental architectures. It's about understanding very high volume streams of data."