UPDATED 05:26 EDT / JANUARY 24 2014

NEWS

Securing the Internet of Things: Top 10 things to consider

The following is a guest post by Mark O’Neill, VP Innovation at Axway, a leading provider for data governance and API management.

Welcome to the future, where smart meters monitor your home appliance usage, where fitness devices on your wrist track your heart-rate, and where electric vehicles can take commands from your wristwatch.

What does all of this have in common? These innovations are all part of the Internet of Things (IoT). While the Internet of Things is going through a rosy honeymoon period at the moment, security issues are slowly creeping to the surface. There’s a growing awareness that IoT devices are riddled with vulnerabilities, and securing these weaknesses will soon become one of the major priorities for both manufacturers and the people who use them.

Let’s examine the top 10 things to consider in detail:

1. Patching

 

Internet of Things devices are often difficult to update. There isn’t an equivalent of a “Patch Tuesday” for a wristband, or a Wi-Fi-enabled smart meter. Rather than patching the device itself, patches will often have to be applied upstream as “virtual patches”.

2. Not just HTTP and SSL anymore

 

The Internet of Things goes beyond HTTP and SSL to include MQTT, CoAP, XMPP, and other protocols. This means that a strategy of “just throw SSL at the problem,” if this was ever a strategy at all, will not be effective for the Internet of Things.

3. Low power

 

Security requirements such as encryption and signing require processor power, which is not in large supply in a wearable fitness tracking device, for example. Here, again, security must be layered on, upstream from the device itself.

4. The user, one step away

 

In the Internet of Things, the user is one step away from the connection itself. Often this involves a delegation model. The user delegates control to a device, such as a smart meter, to act as a sensor and interact with services on their behalf. As such, users may not be present to enter passwords or press “OK.” For delegated security models, technologies such as OAuth 2.0 are key.

5. Key management

 

Devices in the Internet of Things often require keys for security. These may take the form of cryptographic keys, or simply act as shared secrets. These keys must be managed. In many cases, it makes sense to manage these upstream from the device itself, so that they cannot be compromised.

6. Accessibility

 

Internet of Things devices are, by their very nature, in the hands of users. We have already seen examples of APIs for Internet of Things devices being reverse-engineered by curious engineers. Expect this trend to continue. It is another reason not to store confidential information on the “thing” itself.

7. Brownouts

 

How does the device act when its power is artificially lowered, or raised? These are not questions which need answering for a server in a co-located data center. But it is a factor when attackers focus on finding weaknesses on Internet of Things devices.

8. Audit trails

 

With constrained devices, is it going to be possible to write out an audit trail of usage? If not, where can an audit trail be kept? This is another reason to apply security, in the form of monitoring and management, upstream from the device itself.

9. Unexpected interactions

 

Users will link Internet of Things devices together in ways that cannot always be anticipated. For example, what if a user wants to set up a scenario in their house in which the hall lights activate central heating? How can you ensure these novel interactions do not result in security challenges? The answer lies in ensuring that interoperability is tested for security implications.

10. Certifications

 

Who will certify Internet of Things devices for security compliance? At present, this is a Wild West-type arena. However, expect testing organizations to, over time, develop security certifications for Internet of Things devices.


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU