IoT obscurity is IoT insecurity

Profile picture for user usarid By Uri Sarid June 17, 2019
Summary:
Obscuring the IoT exposes it to hackers, says Mulesoft CTO Uri Sarid.

security

The global number of internet-connected devices is growing at an astounding rate. Internet of Things (IoT) devices currently outnumber the world’s population, with Gartner predicting the number to hit 14.2 billion later this year. This explosion of IoT devices is connecting our physical world with the online world, making our physical environment programmable and opening up our homes, our vehicles and our cities to cybersecurity threats.

The problem is large enough that even the government has needed to act. In an effort to protect the federal government from IoT security breaches and increase awareness of IoT security in the private sector, the United States Congress recently introduced the Internet of Things Cybersecurity Improvement Act. The bill sets minimum security standards for government-sanctioned connected devices and validates the widespread need for security measures at all organizations using IoT devices.

For many organizations, the biggest challenge will actually not be technological, but rather a mindset shift: People tend to assume that security is about hiding the access points to systems and the data they exchange. In reality, reducing visibility is a dangerous game. When you hide access points, you’re usually not hiding them from hackers. More likely, you’re hiding them from those who are trying to secure them. Without internal visibility and governance for the connections between systems and the data they exchange, a company is playing Russian roulette. It’s not whether they’ll get breached, but when.

Security in a programmable world

We are living in an era where the physical world is programmable: Self-driving cars and robotic vacuum cleaners process sensory information to navigate the world, and smart light bulbs can be switched on and off from the comfort of your cell phone. But on the flip side, the same autonomous vehicles’ GPS systems can be overridden by remote hackers, robot vacuum cleaners can be exploited as surveillance machines and smart light bulbs can be used to compromise private information. As physical and digital realms collide through IoT devices, physical security and cybersecurity become mutually dependent.

One major obstacle to securing the IoT is a general lack of understanding of how to secure a system that encompasses both hardware and software. Most developers have at least some training on how to secure software systems, but the physical realm poses new challenges. Hardware manufacturers may have very limited software security competence, or they may have outsourced security to someone else. In addition, the operating systems on which IoT devices run are usually unconventional and, by design, quite minimal. The ways in which they communicate, their protocols and their networks are typically different than those of software systems.

Another obstacle to securing the IoT is the fact that these devices bypass the need for a human middleman to press a button or issue a command. While humans taking manual actions will often recognize the potential negative outcomes of their actions, software lacks that nuanced thinking. Without a mindful actor in place to perform a sanity check, mass automation across a multitude of IoT devices can have disastrous results. A whole cohort of devices can end up acting “mindlessly” in response to one event, multiplying the effects on the physical world.

Take the example of smart meters, which are IoT devices that record the consumption of electric energy and communicate that information to electricity suppliers for monitoring and billing. Because smart meters can also regulate electricity consumption, an erroneous signal to update their software can cause millions of meters to reset in the same short timeframe. This signal can actually bring down broad swaths of the power grid, leaving communities without electricity, severely hurting the economy and creating a surge in demand at hospitals. A hacker could take advantage of this limitation and introduce a bug into an update that causes such an erroneous signal to intentionally cause damage.

When a large volume of connected devices act in concert, the consequences of their actions are magnified. Smart meters are just one example. A hacker targeting internet-connected traffic lights could bring a whole city to a halt by redirecting traffic. Security cameras could be infected with malware and then controlled as a group to profile entire neighborhoods, exposing when homes are likely to be unoccupied and vulnerable. These kinds of phenomena are a result of the mass automation that is only possible once the physical world is connected to the software world.

Knowing where your data lives

To effectively secure IoT devices, they first need to be made securable. That entails baking in securability into the design of the system, rather than trying to anticipate all security threats in advance, or leaving security as a concern to be retrofitted later.

Instead of attempting to secure the IoT by obscuring capabilities beneath the necessary layers and layers of diverse software and hoping nobody will figure it out, businesses must establish standardized, well-documented interfaces at each of these layers. Many people assume that security is about hiding sensitive data, but it actually works best when the intentions of each system are made clear. Each interface should declare what data and capability it exposes, so appropriate controls can be applied. Vulnerabilities that are revealed in these interfaces can be addressed whenever they come up, allowing rapid remediation before hackers can exploit them.

When an organization creates composable software building blocks with well-defined APIs in front of each, an architectural pattern called an application network emerges naturally. The building blocks — applications or even individual capabilities with APIs in front — are the nodes in this network. When IoT devices are managed as nodes in an application network, security best practices can be systematically applied to them. For example, one can then ask: Who has access down the chain to the data initially provided by a set of IoT devices? What kind of policies should be put in front of these devices? How can you turn them off when necessary? Depending on those answers, different practices can be applied. And since you now know where your data lives and how it is being shared, you can go back and apply further protections if necessary.

Visibility also paves the road for the future of complex event processing. For example, it is now straightforward to create alerts for any kind of anomalous behavior, such as thousands of smart meters attempting to reset within one minute. With such alerts in place, humans can then be called on to intervene only when necessary to apply good judgment. In the future, machine learning systems will learn from human responses to these kinds of complex events, allowing further automation and faster response to security issues without waiting for human intervention. Machine learning will not only identify anomalies but also rewire the application networks around them to automatically mitigate the issues, say, by staggering smart meter updates at a rate that the grid can handle.

Indeed, these kinds of automations and responses are already understood, if not yet broadly practiced, in purely software ecosystems. In an increasingly distributed world, visibility is the key to protecting the IoT too, and the solutions are already at our fingertips. Now it’s time to execute.