Just about everything you can imagine is connected to the Internet. Hair brushes, egg trays, toilet paper dispensers, and even things that matter such as remote medical devices, industrial control systems, and vehicles. When it comes to the Internet of Things (IoT), it seems like there’s no stopping its potential… Except IoT security.
Security has long been a thorn in the side of IoT. The increase in risk due to the sheer number of connected devices, the management of firmware updates, the network complexities it introduces, and the nomadic nature of the endpoints themselves: that’s all obvious. It’s the stuff you don’t consider that’s really scary.
Ocean’s Eleven… Degrees?
Last week, Nicole Eagan, the CEO of cybersecurity company Darktrace, told a London audience the strange and twisted tale of a North American casino that was hacked through an Internet-connected thermometer in an aquarium in its lobby.
“The attackers used that to get a foothold in the network,” she explained. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”
Aquariums aren’t the only connected things at the center of security breaches. Who could forget the massive Target intrusion that was implemented by exploiting security holes in the HVAC system?
Is There An IoT Security Fix?
The good news is, the future isn’t bleak. Top minds are at work redefining the way we approach the network perimeter, device security, and state.
The key is identity-driven. In an identity-driven IoT security model, the device securely communicates its identity and metadata to the network. This identity is a derived cryptographic thumbprint, a function of built-in, device-specific operations including a hardware root of trust. In other words, it is a highly secure, immutable identity. And it gets better than that.
The identity controls and secures the network. If the device is reporting a location which is different from what is expected for that identity, data may be routed to a honeypot network. Or, we might throw an instant kill-switch on the network, and record the metadata to a shared ledger such as a blockchain. In that way, if our device was attacked by a botnet or similar, and other attacked devices also populate the blockchain, then perhaps we can thwart a botnet attack before it can do major damage.
More generally, the secure identity is used to provide end-to-end authentication, provisioning, policy, and networking. The device, identity, application and network collaborate for identity-secured IoT networking across any set of networks and clouds.
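To make the model above concrete, here is an added example (not NetFoundry code) of the network-side decision flow: a device proves its hardware-rooted identity over a nonce, the network checks the reported location against enrollment, routes to production, honeypot or kill-switch, and appends every decision to a hash-chained ledger. It assumes a simplified symmetric scheme (HMAC keyed by a hardware-rooted key) in place of a real attestation protocol, constructed enrollment records, and a plain hash-chained list standing in for a shared ledger.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed enrollment records (not a real registry): a key rooted in the device's
# hardware, the firmware it was enrolled with, and the site where it should live.
ENROLLED = {
    "thermo-001": {"hw_key": b"constructed-hw-rooted-key-001",
                   "firmware": "fw-1.4.2", "site": "lobby-aquarium"},
}

def thumbprint(device_id: str, hw_key: bytes, firmware: str) -> str:
    """Identity thumbprint: keyed hash over device-specific inputs (hypothetical derivation)."""
    return hmac.new(hw_key, f"{device_id}|{firmware}".encode(), hashlib.sha256).hexdigest()

def new_nonce() -> str:
    """Fresh challenge issued by the network for each admission attempt."""
    return secrets.token_hex(16)

def device_answer(device_id: str, hw_key: bytes, firmware: str, nonce: str) -> str:
    """Device side: prove possession of the hardware-rooted key over the network's nonce."""
    tp = thumbprint(device_id, hw_key, firmware)
    return hmac.new(hw_key, f"{tp}|{nonce}".encode(), hashlib.sha256).hexdigest()

@dataclass
class Ledger:
    """Append-only, hash-chained log of decisions: a minimal stand-in for a shared ledger."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

def admit(device_id: str, site: str, nonce: str, answer: str, ledger: Ledger) -> str:
    """Network side: verify the identity first, then apply policy on reported metadata."""
    rec = ENROLLED.get(device_id)
    if rec is None:
        decision = "kill-switch"      # unknown identity
    else:
        expected = device_answer(device_id, rec["hw_key"], rec["firmware"], nonce)
        if not hmac.compare_digest(expected, answer):
            decision = "kill-switch"  # cannot prove the enrolled identity (wrong key or firmware)
        elif site != rec["site"]:
            decision = "honeypot"     # genuine identity, unexpected location
        else:
            decision = "production"
    ledger.append({"device": device_id, "site": site, "decision": decision})
    return decision
```

Because a modified firmware changes the thumbprint, a tampered device fails the proof and is cut off rather than merely diverted.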
While there’s still work to do in IoT security, you can see progress in the NetFoundry/Micron secure connected car, our work with EdgeX Foundry, and the architecture of our IoT connectivity capabilities. If you happen to be in Germany next week, we’ll be camped out in the Amazon Web Services booth (Hall 6, Stand D46) and talking industrial IoT with EdgeX Foundry at booth Hall 6: B17 at Hannover Messe. Be sure to stop by!