Why security in the Internet of Things is different from cybersecurity

July 12, 2016 // By EDN Europe
Dr. Paul Chen, Senior Director of Product Management, Wind River
The Internet of Things (IoT) is clearly so much more than just the ‘things’. It has become a huge collaborative effort to bring all the pieces together to deliver real value with a chain that stretches from humans to machines to the cloud.

However, widely acknowledged as the number one issue in IoT deployment is security, and it needs to be properly addressed before broad adoption can take place. There have been any number of widely publicized hacks over the past few years from the Stuxnet worm to the hack of retail-firm Target to hacks of Jeeps, infusion pumps and baby monitors, to name but a few. The threat is very real as, according to some, there are nearly one million new hacker attacks identified every day.

Many are reasonably well versed with cybersecurity, but security in the IoT is a somewhat different beast. Assuming the predictions of tens of billions of connected things become a reality, this means that the IoT has a significantly larger attack surface to defend. In addition, devices such as light bulbs, thermostats and power meters will have greater accessibility to attack. In the vast majority, devices will be low-cost end nodes with low or even no budget for security measures such as physical tamper proofing or encryption capability that requires high-processing power. These key distinctions mean that a different approach and different security measures will be necessary to deliver IoT security.

Securing an IoT device requires a defense-in-depth methodology, involving the use of multiple layers of security. There is no single, silver-bullet solution – security depends on the device’s security model, which depends on the identified threats and attackers to be protected against. The list of potential attackers is long and can include national governments, terrorists, criminals, industrial spies and a plethora of individual hacker types. Identifying potential attackers and their motives helps define the threats that need to be handled by the device’s security model, which in turn influences the types of required security measures.

There are many different methods that IoT device manufacturers should consider when integrating security into their IoT devices. These include: addressing both the physical and the application layers; making the system hardware tamper-proof; locking the software debug interface; securing the supply chain from chipmaker to device OEM manufacturer to application provider; using secure design and security protocols right from the start of development; securing device communications and using secure technologies and protocols; ensuring the use of a secure boot process; using hardware-based security where possible such as encryption engines; and finally ensuring the secure provisioning of devices when deployed. This list is certainly non exhaustive, so there is plenty of work to be done. One highly useful and comprehensive guide for manufacturers is the NIST Framework for Improving Critical Infrastructure Cybersecurity.  

What is vital to remember is that a specific end device may not be the actual target for an attack. Its manufacturer may have thought it unworthy of attack and therefore unworthy of protection. But that device might be highly attractive as a gateway to the network to which it is connected, with the real targets the valuable enterprise assets on that network.

Overall, what will help make the IoT more secure and improve the speed of its adoption is to ensure that devices can protect themselves against identified attacks, detect attacks