Professor Jon Howes, Technology Director at Beecham Research, believes that the only reason we have not seen serious IoT breaches already is because the IoT has not yet been deployed in large-scale consumer or enterprise applications that make them attractive to attackers.
“Traditional M2M (Machine to Machine) applications are typically very focused, using specific edge devices, a single network and custom platform, making it relatively easy for security professionals to secure to the acceptable level,” said Professor Howes. “But the IoT cuts across different sectors and embraces multiple devices and networks - from satellite to cellular – along with a growing number of IoT platforms and Big Data systems, which present threats on many different levels and fronts. Wherever there is a new interface between devices, networks, platforms and users, there is the potential for a new weak link.”
Beecham points to a number of specific internal and external threats inherent in the IoT ecosystem. When it comes to sensors and devices, the challenge is largely around identification, authentication and authorisation, to ensure a level of trust and avoid risks such as application hijacking. There is also the threat of physical intrusion. “Using Differential Power Analysis (DPA), it is well known that by ‘listening to’ very small changes in power consumption when different calculations are performed in a chip, it is possible to work out an encryption key,” explains Howes.
The main threat at the network level comes at the interface between different types of network. “With a mix of fixed, satellite, cellular and low power wireless networks as well as personal and body area networks (PAN & BAN), the challenge is to secure the transfer of multiple streams of data between selected networks without exposure of key secrets or equipment control,” says Howes.
With over 100 players now offering IoT platform solutions combined with the growth of Big Data and cloud based technologies across multiple market sectors, Beecham believes that this is where most attacks will be focused. “The benefits of IoT by definition rely on lots of data with high levels of searchability and analysis,” says Howes; “but this also means that the data must exist in plain text, which presents multiple threats – not least from insider attacks from sysadmins and authorised users.”
Beecham Research believes that while work is going on to secure different parts of the Internet of Things, there is no joined up approach. “We talk about the need for a deep Root of Trust in security and this is even more critical in a complex, connected IoT ecosystem,” says Howes. “This starts at device level with sensors and microcontrollers and continues through the networks, platforms and into the cloud. It’s a massive jigsaw and every piece has to deliver a level of trust to ensure end-to-end security and integrity.”
“Security in the Internet of Things is significantly more complex than existing M2M applications or traditional enterprise networks,” says Robin Duke-Woolley, CEO at Beecham Research. “Data must be protected within the system, in transit or at rest and significant evolution is required in the identification, authentication and authorisation of devices and people. We must also recognise that some devices in the field will certainly be compromised or simply fail; so there needs to be an efficient method of secure remote remediation – yet another challenge if the IoT is to live up to expectations.”