At PTC's Liveworx 2016 event, I found enough substantial content on IoT to publish pieces like The dos and don’ts of IoT – a customer panel shares Internet of Things progress.
However, one issue was undernourished: Internet of Things security. It was touched on in keynotes, but overall, security felt like an afterthought to the drumbeat of market opportunity. Unfortunately for the "greenfield opportunity" types, tackling IoT data privacy and security is a precondition for market growth.
I tried to rectify that in my own coverage by taping a live podcast on the problem of IoT security with Volker Gerstenberger and Tomi Ronkainen of Giesecke & Devrient, or, as I referred to them in the podcast, so as not to sound the fool, "G & D" (the podcast is embedded below).
Giesecke & Devrient are not exactly newcomers to the security space. The original company was launched in 1852, with a specialty in banknote printing and the supply of security paper and machines for banknote processing. In the modern era, G&D's security scope includes smart cards, electronic payments, personal identification, Internet security, and mobile device security.
Six IoT security issues customers should be thinking about
Reviewing the podcast with fresh ears, I pulled out six IoT security issues, including the tension between creating a great user experience and securing data and devices.
1. Address IoT security explicitly from the earliest days of the project - or pay in dollars or breaches later on. Gerstenberger started our podcast with this caution:
IoT security needs to be addressed explicitly, and it needs to be taken seriously from the very beginning of your IoT project. It's really harmful and really expensive to retrofit the security back into a live running system.
Ronkainen added that too often, companies think they can adapt their existing security for IoT, and, he says, "from our perspective, it's falling short." Ronkainen advocates a "security by design" approach instead. He still runs into companies that insist they are building a "minimum viable product" and will add in security later. But that can get very expensive - especially when it comes to retro-fitting hardware security.
2. Start with a minimum level of security in the design and work up from there. Whether they are talking to customers in healthcare or automotive or oil and gas, Gerstenberger acknowledged that all of them are grappling with the many layers of IoT security: the hardware layer, the software layer, as well as securing network connections, data in transit, and application data. Total security is a pipe dream anyhow - "there is no such thing as 100 percent security" - so where should IoT use case designers begin? The answer is probably not to build high-security boxes used for central banking or the defense industry. Gerstenberger advises beginning with a security baseline instead:
It's a very good idea to think from the very beginning, "Okay, which is my minimum threshold that I can live with?"
3. Consumer and industrial IoT security design have different considerations. Ronkainen built on that advice by contrasting IoT security in the home versus the workplace:
I try to educate customers to find the right level of security you need for your application. If you are building some kind of irrigation system for the home environment, measuring the moisture in the soil and triggering the irrigation system to sprinkle your yard, you might not need hardware security for that. But depending on how that system is then connected to something else, there might be some security needs to take into account.
Then of course we go to health applications and things like that, where you do need a higher level of security, privacy... We have this saying here: "You have to have good enough security."... I would like to change the term to: "You have to have right security for your application and needs."
4. IoT security is only as strong as its weakest link, particularly on mobile devices. Gerstenberger seized upon Ronkainen's sprinkler example to show how mobile security can be compromised:
I really liked your example of the sprinkler system that per se is not an application that really calls for hardware security. Nevertheless, for any type of IoT service, or IoT interaction, we now demand an app for that. "Can I control that with my mobile phone, can I control it on my iPad?"
All of that ultimately ends up being on this universal remote control that we are so happy using. But if we also have the digital car key on our mobile phone, if this sprinkler application is malicious or can be attacked, then it quite easily can spur into all the other domains that you are controlling with your mobile phone. You need also to think about the domains that you're in [on mobile], and you need to think about where does the chain of security actually end.
5. Complex machines like connected cars are the hardest to secure. G&D is heavily involved in connected car security, an issue that's been grabbing plenty of headlines. I asked the guys how we should be thinking about security in those settings, where the prospect of someone hacking into your vehicle remotely is terrifying. Ronkainen:
Now we are talking super complex environments. If you know Bruce Schneier who is one of the fathers of cryptology, and an evangelist of security things, he always said that complex systems are the most vulnerable because there are so many things in there, and things can go wrong. The connectivity is one case where we have started [with secure chips], but now we are working on more advanced security solutions including firewalls, intrusion detections, certificate management and key management systems for connected cars.
For cars, we have to have really bullet proof type of security... I feel the same thing about all kinds of equipment that goes inside your home... You don't want to have someone else logging into your security cameras and see what you're doing, or somehow intruding on your privacy.
6. Don't compromise on security, but don't compromise on user experience either. The big danger with security design is that if you do it badly, you will either reduce user adoption, which leads to project failure or underperformance, or users will simply bypass or ignore security measures. There is an art to security design aligned with user experience. I talked with Gerstenberger and Ronkainen about why security design can be so darn clunky. Part of the issue is that more sophisticated/"easier" tools like biometrics aren't mainstream enough yet. Ronkainen:
The technology is actually available to make your password secure, but maybe there is a convenience factor, and people are not doing that. There are plenty of examples like that, where the convenience [trumps] the security. If you're building your device, you should put the security in, and make sure you have the convenience, because if it's not convenient, people will not use those security features.
Gerstenberger thinks in the consumer IoT, more convenient security is right around the corner:
I also see a differentiation between the consumer IoT and the industrial IoT. In the consumer IoT, we strongly believe you will see different combinations of established technologies like hardware tokens to carry credentials, supplemented for exactly the sake of convenience by behavioral security. You can add quite easily biometrics if you have a variable; you can easily detect the heartbeat; you can easily match profiles.
Final (quick) thoughts
With the possible exception of emerging biometric solutions, the tools for proper IoT security exist; the issue is in how they are designed and incorporated. The guys pointed to U.S. progress in chip-based payment systems and the embrace of fraud management systems as signs we are on the right track. Still, like any good security experts, they warned we can never quite keep up with those of diabolical intent; we can only minimize their chances. Gerstenberger:
I really would love to say that in five years, we will have figured it all out and everything will be safe. But as it happened in the past, the bad guys will continue to try to attack whatever wall you build, whatever fence you put up. The race is still on and will be still on in five years.
If we still needed a wake-up call, that should suffice.