In the not-distant future, home appliances will be hacked, entire homes will be haunted: Front doors remotely unlocked, thermostats on the fridges secretly reset to cause spoilage; lights turned on and off; spam ads sent to your glasses, watches and elliptical machines.
"This is nothing. This is small social stuff. The big stuff is coming," Andy Thurai, chief architect and group CTO of application security and identity products with Intel Corp., said during the recent Massachusetts Technology Leadership Council's
Indeed, in the world of the Internet of Things -- where people and things connected to the Internet can potentially be hacked remotely -- the term terrorist attack takes on a whole new character. Hospital equipment is susceptible to being hacked, endangering people's lives; a city's traffic controls could suffer a denial-of-service attack. A hack of the energy grid could leave populations without power for days -- Red Tiger Security, a security consultancy, has identified "38,000 vulnerabilities in U.S. energy sector alone," Thurai said.
"The attack surface that we need to protect is massive in the Internet of Things," said Michael Curry, vice president of WebSphere product management at IBM, who teamed up with Thurai for the conference's closing session, "How security shifts in the world of IoT."
Protecting this connected world will not be easy. The same Internet attacks seen today will be applied to an infrastructure that is less protected and less tech-savvy. Many of these potential IoT targets will not be in places that are physically secured, Curry said. And at least for now, the processing power on many devices isn't powerful enough to do the encryption or authentication required to protect against hackers, meaning it be will up to the cloud or whatever server architecture the device is connected to, Curry said, to provide security. Another, perhaps more fundamental, problem is the lack of a security standards for the IoT.
There are so many different vendors, devices and protocols that "to be able to create a security policy across this world without standards is very, very difficult," Curry said. Security standards will emerge, but "it's going to take some time for that to happen."
Even with those standards, it will be impossible to secure the IoT. "We can do our best. We can cut the risk down," Curry said. "There is no way to prevent attack. Security is about assessing risk and how to contain the risk as much as possible." Here are Curry's four elements of IoT security, which may help CIOs plan for the inevitable attacks and breaches to come.
Four elements of IoT security
1. Physical device security
There's some "really nice" tamper-proofing technology available, Curry said. One example is a technology that will immediately destroy a device's Internet connection and any data on it if the device is broken into. "It'll just be a big piece of plastic at that point," he said.
Another example is secure boot, a tamper-proofing technology from chip vendors that looks at a signature and determines whether anything on the device has been modified since the last time it was on. "If anything has been changed or added, it won't boot," Curry said.
Other options include authorization controls, which allow the device to work only within a specific location or area, or to only make specific kinds of calls back to the servers. It also will be necessary to set up remote service software to manage devices.
"These things can get very complicated, even in a mobile setting," Curry said. "When you're dealing with thousands and millions of devices, it becomes very difficult."
2. Data security
"The most important thing around data security is to know what the data is," Curry said. Is there personally identifiable information (PII) on the device? Is it data that could identify a hidden control on a server? With some data, of course, it doesn't matter if anyone sees it, Curry said, so policies should be set according to data type and the business' risk profile.
"Again, it goes back to that business equation of how much risk am I able to take on?" he said.
In cases where CIOs are dealing with sensitive information, Curry strongly advises using end-to-end encryption.
Application layer policies are extremely important. "You need to check the content; you need to check the structure to know, in fact, that this is the data you're expecting back," Curry said. Injection attacks can be used to attach code to a data message with the purpose of exploiting security vulnerabilities and effecting different outcomes on the server.
Curry suggests using data masking -- the act of creating a structurally similar but inauthentic version of the data -- for PII or other types of sensitive data. Sometimes, data slips through when you don't expect it to, so mask from the start, he said. "That way, you don't have to worry about that data getting in the wrong place and [into] the wrong hands."
3. Network security
Breathe a sigh of relief. "This is the [area] that's most understood and probably most like normal Internet and mobile technologies," Curry said. For example, authorization policies on "both sides of the equation" will help protect against breaches, Thurai said.
"I need to authorize what a device is able to do on a server, and I also need to authorize what a server can do back to the device," he said. So, bi-directional authorization is a given, coupled with policies that are as granular as possible.
Tools that protect against Internet attacks, such as denial of service, will generally also work on the IoT. "The problem is that the devices themselves -- sensors, meters and so on -- are susceptible to denial of service as well, so you also have to think about defending them," Curry said.
4. Incident monitoring and response
Companies often make the mistake of not assuming the worst. In the IoT, Curry said, you need to "go in knowing you're going to be breached." Once that mindset takes hold, it becomes apparent that a sound IoT security strategy will focus on incident monitoring and response.
Companies need to be able to constantly monitor -- in real time -- what is happening in the network. As soon as a problem is detected, it must be sealed off and quarantined by turning that particular sensor off, for example, or taking the affected server offline. "What you want to do is isolate the problem before it has a bigger impact," Curry said.
To perform real-time monitoring, companies will need security analytics that can correlate what is happening across various attack points, as well as describe what is happening and show whether the activity is different from the normal pattern, Curry said.
His company, IBM, can now identify and isolate a breach within 30 seconds and expects to shrink that response time as "we get better at it," he said.
Addendum: A privacy plea
Companies must design for opt-in. Even though at present there is no legislation requiring companies to do this, Curry said it makes good business sense to give customers the option to opt out of having their data collected. Entice them to opt in by offering perks, such as discounts and reduced service fees, or other advanced services.
Plus, legislation is coming, and companies don't need all the PII now being collected. "Strip it out," he recommended. "We can do all kinds of analytics without carrying around personally identifying information." For the search engines of the world looking to sell that PII, let them have opt-in policies, he said. For everybody else just interested in building models? "Get rid of PII as fast you can."