Securing the Internet of Things. Part 1 – Security in a world of connected devices
Bruce Powel Douglass, Ph.D.
Chief Evangelist, IBM Analytics
It’s a Brave New World
Time was when smart embedded devices needed little or no security. They were, for the vast majority, disconnected devices that performed simple dedicated functions. Now, as we hear ever more about the Internet of Things (IoT), it seems everything is connected over the web. Washing machines are connected over the web. This allows unprecedented capabilities, both for consumers to connect and manage their lives and for vendors to improve services, monitor usage patterns, deliver updates, and address emerging markets. It is not, however, without risk.
There is a device search engine called Shodan (Shodanhq.io) that continuously crawls the web looking for devices. It has found in excess of 500,000,000 connected devices and services. These include traffic lights, security cameras, control systems for a water park, hotel wine coolers, garage doors, evaporative coolers, pressurized water heaters, a few million printers, servers and other control devices to name just a few. Researchers have even found command and control systems for nuclear power plants with Shodan. The vast majority of these devices either require no credentials at all for access or use only the default password (such as “1234” or “admin”). Recently, cyber researchers have claimed that they can access flight controls via the supposedly separated networks on operating aircraft (although this is denied by the airlines at this time).
This is profoundly troubling. Most of these devices can be easily accessed and not a few of them can be accessed by ne’er-do-wells for nefarious purposes. Certainly, information can be read. This information can be used in surprisingly creative and criminal ways, such as reading water meters to determine usage (to plan for burglary) or to change the usage amount for what amounts to a denial of (ele
Even more troubling is when system behavior can be changed. Researchers looked at different threat vectors in an automobile, such as Bluetooth, radio data system, telematics, remote keyless entry, and tire pressure sensors. What they found was that every threat vector could be easily exploited to gain them access to the internal CAN bus; and once there, they could do pretty much anything they wanted, including disabling the brakes, opening the doors, countermanding steering, and turning on or off the engine. Scary stuff.
What is this “Security” thing?
Security (“freedom from intrusion, interference, and theft”) is one of the three pillars of system dependability, along with safety (“freedom from harm”) and reliability (“the availability of services”). Cybersecurity gets the most press but physical security can also be important for physical devices. Security is best achieved with a combination of approaches. Physical isolation or limiting connections is best for security (but also decreases the depth of collaboration possible with the device). Explicitly requiring security features is a way to get “security by design” but this usually addresses only known or common threats. Having said that, MITRE’s Common Weakness Enumeration (CWE) site is a great place to find the common software vulnerabilities and threat vectors. It’s very extensive and is a powerful resource for those wanting to secure their systems. Security can be enhanced through the application of security-relevant design patterns, such as using cryptography, firewalls, and secure broker, like those found in Security Patterns in Practice: Designing Secure Architectures using Software Patterns.
Another security approach is explicit testing and fuzz testing to ferret out vulnerabilities that have escaped into the design. Also very common is source code analysis through tools such as IBM’s AppScan, which parse the code looking for signs of vulnerable software.
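To make the fuzz-testing approach concrete, here is an added example (not code from the original post or from any IBM tool): a small reproducible fuzz loop in C run against a length-prefixed device frame parser. The frame format and the names `parse_frame`, `naive_bytes_needed` and `fuzz_parsers` are assumptions made up for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_PAYLOAD 16

/* Constructed frame format (an assumption): [type:1][len:1][payload:len]. */
typedef struct { uint8_t type; uint8_t len; uint8_t payload[MAX_PAYLOAD]; } frame_t;

/* Naive check: trusts the length byte. Returns how many bytes a copy would read. */
static size_t naive_bytes_needed(const uint8_t *in, size_t n) {
    if (n < 2) return 0;
    return 2u + in[1];            /* never compared with n or MAX_PAYLOAD */
}

/* Hardened parser: 0 on success, -1 on any malformed frame. */
int parse_frame(const uint8_t *in, size_t n, frame_t *out) {
    if (n < 2) return -1;
    size_t len = in[1];
    if (len > MAX_PAYLOAD || len > n - 2) return -1;   /* bound by buffer AND input */
    out->type = in[0];
    out->len = (uint8_t)len;
    memcpy(out->payload, in + 2, len);
    return 0;
}

/* Small deterministic PRNG (xorshift32) so every fuzz run is reproducible. */
static uint32_t next_rand(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* Feeds random frames to both checks. Returns how many inputs the naive check
   would over-read or overflow on; *hardened_bad counts invariant violations. */
unsigned fuzz_parsers(uint32_t seed, unsigned iterations, unsigned *hardened_bad) {
    unsigned naive_bad = 0;
    *hardened_bad = 0;
    for (unsigned i = 0; i < iterations; i++) {
        uint8_t buf[32];
        size_t n = next_rand(&seed) % (sizeof buf + 1);
        for (size_t j = 0; j < n; j++) buf[j] = (uint8_t)next_rand(&seed);
        size_t need = naive_bytes_needed(buf, n);
        if (need > n || (n >= 2 && buf[1] > MAX_PAYLOAD)) naive_bad++;
        frame_t f;
        if (parse_frame(buf, n, &f) == 0 && (f.len > MAX_PAYLOAD || 2u + f.len > n))
            (*hardened_bad)++;
    }
    return naive_bad;
}
```

The naive check is flagged on most random inputs, while the hardened parser never accepts a frame that breaks its length invariants; a fixed nonzero seed makes any failing input reproducible.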
Today I’ve introduced some of the challenges that the IoT presents and summarized some general approaches for tackling security. In my next post I’ll look at the essential elements of designing secure ‘Things’ for the Internet of Things.
The IBM Internet of Things Continuous Engineering Solution is designed to help you create smart connected devices for the Internet of Things. Find out more at: ibm.