Dark Reading is part of the Informa Tech Division of Informa PLC

Partner Perspectives  Connecting marketers to our tech communities.
10:15 AM
Lorie Wigle

Securing the Internet of Things

Factors specific to IoT devices make them a unique security risk.

What makes securing the Internet of Things (IoT) so different from securing other computing platforms? Three things that are top of mind are the long lifecycle, the volume of production, and the machine versus human mode of operation.

Unlike traditional computing devices, which have an expected lifetime of three to five years, an IoT device may be in use for decades. During its life, it might be connected to different backend systems, change ownership, be reconfigured, or remain in its original role and configuration. It may or may not be upgradable, and similarly may or may not accept additional software functionality such as virus scanning or malware detection and removal. As a result, security solutions for these devices particularly benefit from robust hardware-based security, and legacy devices need to be protected behind purpose-built gateways. No one company can deliver all this for the IoT. Developer kits and platforms will enable innovation into vertical and horizontal markets, delivering specific solutions that are purpose-built and that represent new business opportunities.

Due to the volume of production, IoT devices come off the manufacturing line with a common configuration and specific, limited functionality. They all have the same default user ID and password, if appropriate, and the same vulnerabilities. The limited functionality makes it easier to protect them with narrow whitelists that confine actions and communications to a trusted set. But when they are deployed, it is easy to leave the defaults in place, thinking they are inaccessible or too small to care about. However, we have already seen these devices used as points of entry, so strong, unique passwords are just as important as they are on your laptop or bank account.

Finally, many of these devices operate in machine-to-machine mode, rarely seen by a human operator. Others may be in human contact all day, but are considered nothing more than a tool. Some have no display at all, or maybe just a few lights to communicate basic information. In virtually all cases, they do not have sufficient display and input capabilities to be configured, patched, or upgraded directly. Robust remote monitoring and management, supported by secure communications, keeps the operations center informed of anomalous behavior and enables it to remediate security breaches when necessary.

There is no simple solution or silver bullet that will secure such a diverse collection of devices. Multiple vendors and integrators will likely be involved over a device's lifetime, requiring a collaborative mix of proprietary, standards-based, and open-source components. There is also no single, perfect security level. Different devices at different points in the system and at different companies have different risk profiles. Building just the right level of security is achievable by evaluating the risk, usage, and capability of each device.

The focus of IoT security is more on the data than the device. Protecting the data, when stored, in process, or in transit, enables you to provide security and privacy simultaneously.

Lorie Wigle is building a new business focused on securing critical infrastructure and IoT more broadly at Intel subsidiary McAfee. Lorie has been with Intel for nearly 30 years in a wide variety of marketing and technical roles. She has an MBA from Portland State University ...
User Rank: Strategist
1/30/2015 | 1:33:18 PM
Re: Not enough power to do what is needed

Thank you for the thoughtful comment. We very much agree with you on the importance of power consumption as a system constraint and potential inhibitor to strong security. Our researchers in Intel Labs are looking at very low power implementations of standard algorithms. As an example, we have implemented AES in about 2K gates using near threshold voltage (NVT) technology. This will result in lower bandwidth but will also consume much less power than more typical implementations.

Second, we are experimenting with non-standard crypto primitives. As an example of this, we are advocating the use of the Simon block cipher family, which can be implemented in as few as 700 gates. We have evaluated this design and believe there is enough public cryptanalysis that we can consider it secure for most IoT usages. We have also evaluated schemes for other primitives that show promise. Lastly, it is our intention to work on low-power primitives in selected standards, for example, ISO/IEC JTC1 SC27.
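The reply above names the Simon block cipher family as a low-gate-count primitive. The following added example (not part of the original comment and not Intel's implementation) is a software sketch of the smallest parameter set, Simon32/64, showing that each round needs only rotations, one AND and XORs, which is what keeps a hardware version small. The function names are chosen here; the key and plaintext are the designers' published Simon32/64 test vector, and larger family members use the same round structure with wider words.

```c
#include <stdint.h>
#include <stdio.h>

#define ROUNDS 32 /* Simon32/64: 16-bit words, 4 key words, 32 rounds */

/* Key-schedule constant sequence z0 from the Simon specification (62 bits). */
static const char Z0[] =
    "11111010001001010110000111001101111101000100101011000011100110";
/* Key of the designers' Simon32/64 test vector, least significant word first. */
static const uint16_t VECTOR_KEY[4] = {0x0100, 0x0908, 0x1110, 0x1918};

static uint16_t rol(uint16_t x, unsigned r) { return (uint16_t)(((uint32_t)x << r) | (x >> (16 - r))); }
static uint16_t ror(uint16_t x, unsigned r) { return (uint16_t)((x >> r) | ((uint32_t)x << (16 - r))); }

/* Round function: two rotations ANDed together, XORed with a third rotation. */
static uint16_t simon_f(uint16_t x) { return (uint16_t)((rol(x, 1) & rol(x, 8)) ^ rol(x, 2)); }

/* Expand the 64-bit key (key[0] = k0) into 32 round keys. */
void simon32_expand(const uint16_t key[4], uint16_t rk[ROUNDS]) {
    for (int i = 0; i < 4; i++) rk[i] = key[i];
    for (int i = 4; i < ROUNDS; i++) {
        uint16_t t = (uint16_t)(ror(rk[i - 1], 3) ^ rk[i - 3]);
        t = (uint16_t)(t ^ ror(t, 1));
        rk[i] = (uint16_t)(~rk[i - 4] ^ t ^ (Z0[(i - 4) % 62] - '0') ^ 3);
    }
}

/* Encrypt one 32-bit block; the high 16 bits are the left word x. */
uint32_t simon32_encrypt(const uint16_t key[4], uint32_t block) {
    uint16_t rk[ROUNDS], x = (uint16_t)(block >> 16), y = (uint16_t)block;
    simon32_expand(key, rk);
    for (int i = 0; i < ROUNDS; i++) {
        uint16_t t = x;
        x = (uint16_t)(y ^ simon_f(x) ^ rk[i]);
        y = t;
    }
    return ((uint32_t)x << 16) | y;
}

/* Decrypt by running the Feistel rounds backwards with the same round keys. */
uint32_t simon32_decrypt(const uint16_t key[4], uint32_t block) {
    uint16_t rk[ROUNDS], x = (uint16_t)(block >> 16), y = (uint16_t)block;
    simon32_expand(key, rk);
    for (int i = ROUNDS - 1; i >= 0; i--) {
        uint16_t t = y;
        y = (uint16_t)(x ^ simon_f(y) ^ rk[i]);
        x = t;
    }
    return ((uint32_t)x << 16) | y;
}

int main(void) {
    uint32_t ct = simon32_encrypt(VECTOR_KEY, 0x65656877u);
    printf("%08x %08x\n", (unsigned)ct, (unsigned)simon32_decrypt(VECTOR_KEY, ct));
    return 0;
}
```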

User Rank: Strategist
12/11/2014 | 12:36:15 PM
Not enough power to do what is needed

Frequently what gets overlooked when discussing the Internet of Things or medical devices, especially implantable ones, is the power it takes to run them.

Batteries have limited energy, as we all know. If you want to place an IoT device et al. someplace that will be inaccessible, you want it to run as long as possible.

Energy harvesting is making fast inroads to charging batteries. Still, their energy is usually measured in microwatts. Take a sensor under, or embedded in, a bridge as an example.

To extend battery life, IoT devices frequently run at low clock frequencies, 4 MHz down to a few kHz, for as long as operation takes, or at the highest possible frequency for the shortest amount of time.
[ See CDC/NIOSH document "A Technology Review of Smart Sensors with Wireless Networks for Applications in Hazardous Work Environments" by John J. Sammarco, Ph.D., P.E., Robert Paddock, CSQE, Edward F. Fries, and Vijia K. Karra, Ph.D., page 33. www.wearablesmartsensors.com ]
Either way, everything in these systems has to be viewed in terms of energy expended.

Most of the world is now accustomed to the desktop/phone/tablet etc., where in comparison to an IoT device the energy resources to run strong encryption algorithms, deal with strong authentication et al. are infinite. The IoT device doesn't have the energy available, with current technologies, to do what we'd really like to do when it comes to security that we think nothing about doing on the desktop et al.

In the future, hopefully we either have Mr. Fusion as a power source or strong encryption algorithms that consume little in the way of energy...

Do you have any plans or suggestions?
