Security (23)

It's Not All Linux

In the comments section of my 2020 embedded salary survey, quite a few respondents felt that much of the embedded world is being subsumed by canned solutions. Will OSes like Linux and cheap, powerful boards like the Raspberry Pi and Arduino replace traditional engineering? Has that already happened?

A number of people complained their colleagues no longer understand low-level embedded things like DMA, chip selects, diddling I/O registers, and the like. They feel these platforms isolate the engineer from those details.

Part of me says yeah! That's sort of what we want. Reuse and abstraction means the developer can focus on the application rather than bringing up a proprietary board. Customers want solutions and don't care about implementation details. We see these abstractions working brilliantly when we buy a TCP/IP stack, often the better part of 100K lines of complex code. Who wants to craft those drivers?

Another part of me says "save me from these sorts of products." It is fun to design a board. To write the BSP and toss bits at peripheral registers. Many of us got a rush the first time we made an LED blink or a motor spin. I still find that fulfilling.

So what's the truth? Is the future all Linux and Pis?

The answer is a resounding "no." A search for "MCU" on Digi-Key gets 89,149 part numbers. Sure, many of these are duplicates with varying packages and the like, but that's still a ton of controllers.

Limiting that search to 8-bitters nets 30,574 parts. I've yet to see Linux run on a PIC or other tiny device.

Or filter to Cortex-M devices only. You still get 16,265 chips. None of those run Linux, Windows, BSD, or any other general-purpose OS. These are all designed into proprietary boards. Those engineers are working on the bare metal... and having a ton of fun.

The bigger the embedded world gets the more applications are found. Consider machine learning. That's for big iron, for Amazon Web Services, right? Well, partly. Eta Compute and other companies are moving ML to the edge with smallish MCUs running at low clock rates with limited memory. Power consumption rules, and 2 GB of RAM at 1 GHz just doesn't cut it when harvesting tiny amounts of energy.

Then there's cost. If you can reduce the cost of a product made in the millions by just a buck the business prospers. Who wants a ten dollar CPU when a $0.50 microcontroller will do?

Though I relish low-level engineering, our job is to get products to market as efficiently as possible. Writing drivers for a timer is sort of silly when you realize that thousands of engineers using the same part are doing the same thing. Sure, semi vendors often deliver code to handle all of this, but in my experience most of that is either crap or uses the peripherals in the most limited ways. A few exceptions exist, such as Renesas's Synergy. They go so far as to guarantee that code. My fiddling with it leaves me impressed, though the learning curve is steep. But that sort of abstraction surely must be a part of this industry going forward. Just as we don't write protocol stacks and RTOSes any more, canned code will become more common.

Linux and canned boards have important roles in this business. But an awful lot of us will still work on proprietary systems.


Given my Telco background, it was logical that back in 2014 I published some of my first articles in my IoT Blog about the topic "IoT Connectivity". I described how the optimistic predictions of analysts and of companies like Cisco or Ericsson made Machine to Machine (M2M) an attractive market to invest in.

The fact that "Tata Communications have acquired mobility and Internet of Things specialist Teleena" is a clear indication of the phenomenal growth rate in the global IoT connectivity market. "By 2021, enterprises' spending on mobility alone is set to surpass USD 1.7 trillion," said Anthony Bartolo, Chief Product Officer, Tata Communications. I hope to see Tata Communications/Teleena in the next Gartner Magic Quadrant for M2M Managed Services Worldwide.

There are still people who doubt that connectivity is a key component in the M2M/IoT value chain. Please remember that without connectivity there is simply no IoT.

Obviously, during these years many of my projects have been associated with IoT connectivity, from the analysis of M2M/IoT Service Providers to the conceptual design of end-to-end solutions where connectivity selection was a key component. One of the most interesting projects was the analysis that I made for the Telefonica project "IoT in a box", not forgetting projects to compare LPWAN technologies, end-to-end security, and the identification of use cases for 5G. Sometimes I also had to sell IoT connectivity.

In the last years in the IoT connectivity market I have seen:

  • Consolidation of the market, like "KORE buys Wyless" or "Sierra Wireless, Inc. Completes Acquisition of Numerex Corp."
  • The appearance of companies like 1NCE, the first dedicated Tier 1 Narrowband IoT MVNO, providing fast, secure and reliable network connectivity for low-data B2B applications and offering a set of optimized product features, such as an IoT flat rate and the first of its kind "BUY ONCE" lifetime fee
  • The still not bloody battle between LPWAN operators (Sigfox, LoRa network operators, NB-IoT, LTE-M)
  • Telco vendors, operators and analysts talking about the promise of 5G
  • New WiFi and LiFi IoT use cases
  • IoT security breaches
  • Operators focusing on key industries and use cases
  • The evolution of the M2M/IoT Service Provider partnership ecosystem
  • Agreements among M2M, MNO and satellite operators
  • The lack of standards in Smart Home connectivity
  • The expectation of solving the real-time connectivity challenges in Industry 4.0 and Edge Computing
  • Time Sensitive Networking Industry 4.0 use cases and test beds by IIC members
  • …

But in my opinion, enterprises are still confused and delaying their decisions to adopt IoT / IIoT because they need good advice about the right IoT connectivity: not just the cheapest prices, but easy integration and better customer support.

I want to remind you again that I can help you in the selection of the right M2M / IoT Service Provider for your enterprise business requirements, as a strategic decision.

IoT Connectivity - the ugly Duckling of IoT Network Operators

Telecoms operators' more focused approach to bolstering their IoT businesses appears rooted in refining the technology inherent in their connectivity networks. And no wonder: the powerful GSMA has been helping mobile operators to define their role in IoT. At first sight, the best way for large telecoms operators to generate value from the IoT might appear to be by providing connectivity via their networks. Additionally, they could leverage their vast experience in customer engagement, customer premise equipment (CPE) support and their robust, proven back-office systems by offering their OSS and BSS platforms externally to IoT users, using their OSS to provide users with a turnkey platform to manage their equipment proactively in real time, and their BSS to support the related billing requirements. In fact, global telcos set their sights on IoT for growth in 2018.

Nevertheless, Analysys Mason highlighted that "Telcos have been working with the broader ecosystem, including developers, cloud players and hardware vendors this past year", all of which "should set the market up for an active 2018".

Although many people think that IoT connectivity is, or will become, a commodity with little value for customers, and that along with the hardware it will form the ugly duckling of the value chain, IoT Network Operators should strive to demonstrate that IoT connectivity is vital for the global adoption of the IoT, and seek to increase the income derived from their connectivity services with aspects like security and the contextual data value that their networks transport.

IoT Data is the new Oil also for IoT Network Operators

If connectivity seems doomed to play the role of ugly duckling, data, on the other hand, sees its value increase and increase with each new technology.

How many times have we seen a presentation with the title "Data is the new Oil"? Some of them even given by me.

Many Telcos are in the process of Digital Transformation. They want to compete with Google, Apple, Facebook, and Amazon (GAFA) and avoid the same situation they lived through with these Over the Top (OTT) vendors. IoT is giving them an opportunity to monetize IoT data and convert their networks into pipelines of value.

IoT data is a new source of revenue, without forgetting that it will also produce incremental profit through operational productivity and efficiency.

The new stream of data coming from the physical world and the billions of connected things is mostly transported by the IoT Network Operators' networks, and once these data are captured, the IoT Network Operators can monitor everything and feed their AI systems. It is then, finally, that IoT Network Operators can make a lot of money from IoT contextual data and aggregated data.

Can you imagine the opportunities leveraged by the connection of millions of devices and intelligent things over your IoT network? A vast amount of useful data is generated by smart containers, smart home appliances, smart cities, connected cars, smart healthcare devices, or wearables, which for many businesses is an extremely valuable commercial tool. IoT Network Operators possess the capability of performing real-time data analytics on readily available data to determine product performance, improve customer experience and forecast network capacity, all of which IoT-ready businesses could benefit from.

Key Takeaway

IoT connectivity is still at the core of all IoT Network Operators / M2M Service Providers. But some of them are implementing different strategies to capture more business from the IoT value chain. The idea that IoT connectivity will become a commodity with no added value is influencing the decision to invest in new IoT-enabled networks (5G, LTE-M, NB-IoT).

It's clear that there are some strong opportunities for IoT Network Operators / M2M Service Providers looking to capture the full potential of IoT, and it's time that they open up their services to support companies from all sectors who are looking to employ not only IoT connectivity but also machine data intelligence as part of their business models in this IoT-driven digital transformation.

Telcos offering IoT connectivity should look to monetise data and offer businesses unique insights that could potentially open doors to new revenue streams or even improve operational efficiencies.

If the IoT business is about data and assets, Telcos need to shift from technology and connectivity to business value and the creation of valued services.


Guest post by Peter A. Liss.

Connectivity is wrongly thought of as a commodity, including in the IoT context. This article will give an overview of current developments in IoT Connectivity, and look at their effect on Network Operators, Platform vendors, IoT Solution Providers, and Enterprise & Consumer customers. 

I also cover the likely impact of 5G, Narrowband IoT and programmable SIM cards, and SDN (Software Defined Networks). These new connectivity technologies will bring differentiation, innovation and new revenue from IoT.

OVERVIEW – CONNECTIVITY AND DIFFERENTIATION IN IOT

These new IoT developments include:

1.   Newer networks such as Sigfox, LoRa, Narrowband IoT, and soon 5G.

2.   IoT platforms that can manage all types of connectivity.

3.   The growth of eUICC (e-SIMs) or programmable SIMs.

4.   IoT connectivity platforms using SDN (Software Defined Networks).

There are two opposing views about connectivity. On the one extreme, some Vendors pitch that “IoT Connectivity is the foundation of differentiation” (recent Ericsson Webinar). At the other extreme, some Enterprise customers buying these services assume “all IoT connectivity is the same”. 

In my view, the truth is in the middle. On the one hand, IoT hardware such as sensors and IoT applications could drive even bigger differentiation and innovation than the type of IoT connectivity. On the other hand, IoT connectivity should never be viewed as just a commodity that is plug and play.

HOW TO DIFFERENTIATE WITH IOT CONNECTIVITY:

Let’s take a closer look:

1)   There are many different types of connectivity to choose from (cellular, WiFi, Zigbee, satellite, and different types of LPWAN (Low Power Wide Area Networks)). The criteria for selection include data cost, device cost, data rate/speed, battery life, outdoor and in-building coverage, and latency. Some of the much talked about networks like 5G are not yet available, and Narrowband IoT is in its infancy.

2)   The variety of connectivity offerings is increasing. Even taking a single technology like 4G, the offerings in terms of coverage, cost, roaming, integration effort, and customer service differ widely.

3)   Costs are declining: the cost per MB has decreased. However, this is not the same as connectivity being a commodity (i.e. an indistinct service). On the contrary, with more offerings and price competition, there is a greater need to choose the connectivity provider carefully. Pricing models may differentiate not only on cost per MB, but also with additional charges for VAS, the period charged for (monthly, per annum etc.), the number of connections included, or the amount of data included in a packaged price. In the case of LPWA, charging can be per message, and not just per MB.

4)   The IoT Connectivity platform is where some of the disruption is happening. This platform manages the cost of connection, quality of service, SIM and device status. Along with the type of connectivity chosen, hardware (gateways & sensors), and IoT Applications built, the connectivity platform will be a key differentiator to your business case or service launch. 

My scheme below shows the place of the IoT Connectivity Management platform as the foundation of the IoT technology stack. Some differentiation could be achieved at any level in the Stack, but the effort required to offer a total solution will depend greatly on the Connectivity chosen at the bottom of the stack.


WHAT USER CASES WILL NARROWBAND IOT SUPPORT?

Narrowband IoT (NB-IoT) greatly improves network efficiency and spectrum efficiency and can thus support a massive number of new connections. The same is true of the sister technology Cat-M1 in the US, which may also play a role in Europe in future. The majority of these new IoT connections will be industrial IoT (IIoT) solutions that require long battery life and ubiquitous coverage (including remote areas or indoors). These use cases also require competitive pricing models for low-bandwidth solutions, since many industrial IoT cases are not data hungry.

Some examples of industrial use cases are monitoring of oil and gas pipelines for flow rates and leaks, noting that often there is no external power in inaccessible areas. Warehouses are another industrial use case, for tracking goods with pallets equipped with an NB-IoT module. NB-IoT modules have a long service life, require no maintenance and have a link budget gain of 20 decibel compared with a conventional LTE deployment, giving approximately 10x more coverage than a normal base station, thus penetrating deep underground and into enclosed spaces indoors.
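As an added illustration (not part of the original post) of why a 20 dB link-budget gain is quoted as roughly 10x coverage: under a log-distance path-loss model with exponent $n$ (an assumed model, not stated on the page), a link-budget gain of $G$ dB extends the reachable range by the factor

$$\frac{d_{\text{NB-IoT}}}{d_{\text{LTE}}} = 10^{\,G/(10n)}, \qquad G = 20\ \text{dB},\ n = 2 \;\Rightarrow\; 10^{20/20} = 10 .$$

With the steeper path loss assumed for dense urban or indoor environments ($n \approx 4$) the same 20 dB buys only about $10^{20/40} \approx 3.2$x range, which is why the gain matters most where the extra margin is spent on building and ground penetration rather than on distance.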

Consumer examples of NB-IoT are luggage tracking (see the Sierra Wireless case study), air quality monitoring, children's communication devices, and parking solutions.

NB-IoT is a software upgrade to existing cellular base stations (or, if the base station is old, a new circuit board must be inserted). The core network also needs some upgrading. NB-IoT is reliant on a SIM card in the IoT device/gateway, and partly because of the SIM it offers the same security and privacy features expected of cellular networks. LPWA technologies, such as NB-IoT and category M1 (LTE-M), also offer increased network coverage over a wide area, at a low cost, and with very limited energy consumption. In the case of Narrowband IoT, a battery life of 10 years or more is promised by vendors (it remains to be seen; in the field, it might need a larger battery at an extra cost of approximately 20 Euro).

NB-IoT networks are already becoming available. For example, Deutsche Telekom has rolled out its NB-IoT network to approximately 600 towns and cities across Germany since launch in June 2017. According to Telekom, more than 200 companies are now trialling the technology via commercially available test packages. Nationwide rollout in the Netherlands was completed in May 2017, and Deutsche Telekom brought the technology to six further European markets by the end of 2017. Other major operators have similar rollouts for NB-IoT.

As expected, many IoT platforms are now being designed or upgraded to offer Narrowband IoT connectivity management. Cisco already announced in 2018 the availability of NB-IoT on its Jasper Control Center platform.

WHAT WILL 5G BRING TO IOT?

5G is not yet available commercially, and we can expect the first roll-outs in selected countries in 2019, and even then just city coverage or home-based 5G. High speed, high reliability and low latency are the main benefits of 5G. Whilst NB-IoT is targeted specifically at the IoT market, 5G is targeted at business and consumer users too. Also worth noting is that the NB-IoT roll-out is ahead of 5G.

Regarding the high bandwidth of 5G, example uses include security cameras and monitoring, computer vision used in industrial production, connected car use cases (infotainment, autonomous vehicles, and safety), and traffic control in Smart Cities. The increase in speed between 4G and 5G can be as much as 100 times. This makes a big difference to use cases that require uploading and downloading of video-based content faster and in larger volume. It remains to be seen whether IoT applications will need to use such high data speeds. Perhaps it will be the Augmented or Virtual Reality cases (AR and VR) that utilise this bandwidth.

With 5G there is very high reliability, which is important to support mission-critical services in IoT (e.g. medicine, industry, traffic control). However, the real benefit for IoT is likely to be the low latency of 5G. Low latency allows more of the computer processing or data analysis required by a device (IoT gateway or smartphone) to happen in the cloud. With latency of under a millisecond, there is almost no difference whether the data is processed in the cloud or on the device. This has perhaps more implications for the IoT solution architect than for the user.

Indeed, the use cases that depend on 5G's low latency are still to be proven in practice. For non-IoT use cases (i.e. human interaction), the latency (such as the changing of a pixel on a TV, or the response time for instant messaging and online presence) might not be noticed. However, for an M2M or IoT application there is in theory a great need for low latency, and a machine might notice a difference in latency that a human does not. For this reason, low latency is being pushed by the 5G industry as compelling for IoT (but is yet to be proved). IoT use cases that are expected to benefit are remote industrial control and autonomous vehicles, where milliseconds could be critical.

As explained in the discussion of latency, one change with 5G could be more processing in the cloud, especially with edge computing being a focal point in the architecture, and this might help reduce 5G IoT device prices. Other emerging developments that might affect IoT include virtualised RAN (Radio Access Network) and network slicing. Virtualised RAN is intended to offer bandwidth with lower network costs, since by "slicing" the RAN it is not necessary to utilise the whole core network, but rather to allocate a part of it and the associated costs, thus allowing for profitable use cases with 5G.

WHAT ADVANTAGES DOES A PROGRAMMABLE SIM OFFER IN IOT?

Programmable SIM cards (also called eSIMs or eUICC) are not new. What has changed is the number of service providers that offer them for IoT. Some prominent examples are Stream, EMnify, Cubic Telecom, KORE, Nokia WING and Teleena. Furthermore, the new generation of Smart SIMs and associated management platforms are challenging the MNOs in terms of quality of service and signal coverage. They might also challenge MNOs in terms of cost (see the section below on SDN).

The “e” in eSIM can mean both electronic (it can switch network and be programmed over the air) and embedded (i.e. deep inside machinery, a car or a remote location). In other words, you do not need physical access to the embedded SIM to update it or to change network, service or security settings.

The advantages of an eSIM are that it can be programmed over the air to find the strongest signal, or according to customer network and service preferences. When a data-service failure is detected, the eSIM can switch dynamically to the best network service. Consider a use case such as Smart Metering. The meter stays connected by being programmed not only to select the strongest signal, but also to select the signal that is best for your meter technology and customer requirements.
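The selection and failover behaviour described above, as an added example that is not part of the original post or of any vendor's platform: a meter-side policy that ranks the operator profiles installed on the eUICC by customer preference, signal strength and cost, drops profiles the module cannot attach to or that have repeatedly failed, and applies hysteresis so a few dB of signal variation does not cause the meter to flap between networks. All operator names, signal levels and tariffs are constructed sample values.

```python
"""Constructed example of an eSIM profile selection / failover policy for a smart meter."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Network:
    name: str            # operator profile installed on the eUICC (constructed name)
    rat: str             # radio technology the profile attaches with: "NB-IoT", "LTE-M", "LTE"
    rsrp_dbm: float      # measured reference signal received power, dBm
    cost_per_mb: float   # tariff quoted by the connectivity platform (constructed)
    failures: int = 0    # data-service failures observed on this profile


@dataclass
class MeterPolicy:
    supported_rats: Tuple[str, ...]   # what the meter's radio module can attach to
    preferred: Tuple[str, ...]        # customer's operator preference order, best first
    min_rsrp_dbm: float = -120.0      # below this the link is considered unusable
    max_failures: int = 2             # profiles failing this often are taken out of rotation


def eligible(net: Network, policy: MeterPolicy) -> bool:
    """A profile is usable only if the meter supports its RAT, the signal is above
    the floor, and it has not exceeded the failure budget."""
    return (net.rat in policy.supported_rats
            and net.rsrp_dbm >= policy.min_rsrp_dbm
            and net.failures < policy.max_failures)


def rank_key(net: Network, policy: MeterPolicy) -> Tuple[int, float, float]:
    """Lower is better: preferred operators first (by index in the preference list,
    unlisted ones last), then stronger signal, then cheaper tariff."""
    pref = (policy.preferred.index(net.name)
            if net.name in policy.preferred else len(policy.preferred))
    return (pref, -net.rsrp_dbm, net.cost_per_mb)


def select_network(networks: List[Network], policy: MeterPolicy,
                   current: Optional[Network] = None,
                   hysteresis_db: float = 6.0) -> Optional[Network]:
    """Pick the profile to activate. If the meter already holds an eligible profile,
    it keeps it unless a candidate ranks ahead on customer preference or beats it on
    signal by at least hysteresis_db (avoids flapping on small RSRP changes)."""
    candidates = [n for n in networks if eligible(n, policy)]
    if not candidates:
        return None                          # nothing usable: caller should back off and retry
    best = min(candidates, key=lambda n: rank_key(n, policy))
    if current is not None and current in candidates and current is not best:
        cur_pref = rank_key(current, policy)[0]
        best_pref = rank_key(best, policy)[0]
        if cur_pref == best_pref and best.rsrp_dbm - current.rsrp_dbm < hysteresis_db:
            return current
    return best


def on_data_failure(networks: List[Network], policy: MeterPolicy,
                    current: Network) -> Optional[Network]:
    """Record a data-service failure on the active profile and re-run selection;
    after max_failures the profile is excluded and the meter switches operator."""
    current.failures += 1
    return select_network(networks, policy, current)


def sample_networks() -> List[Network]:
    """Constructed sample: three profiles visible to the meter."""
    return [
        Network("OpA", "NB-IoT", rsrp_dbm=-105.0, cost_per_mb=0.10),
        Network("OpB", "LTE-M", rsrp_dbm=-95.0, cost_per_mb=0.12),
        Network("OpC", "LTE", rsrp_dbm=-90.0, cost_per_mb=0.20),   # strongest, but unsupported RAT
    ]


def sample_policy() -> MeterPolicy:
    """Constructed sample: an NB-IoT / LTE-M meter whose customer prefers OpA, then OpB."""
    return MeterPolicy(supported_rats=("NB-IoT", "LTE-M"), preferred=("OpA", "OpB"))


if __name__ == "__main__":
    nets, policy = sample_networks(), sample_policy()
    active = select_network(nets, policy)
    print("initial:", active.name)                       # OpA (customer preference wins)
    active = on_data_failure(nets, policy, active)
    print("after 1 failure:", active.name)               # OpA (still within failure budget)
    active = on_data_failure(nets, policy, active)
    print("after 2 failures:", active.name)              # OpB (OpA excluded; OpC unsupported)
```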

In sum, the IoT Service Provider does not own a network, but can still offer the following to its customers:

• Issue its own SIM cards, which can be embedded and switch operator over the air.

• Attach to the best or cheapest radio signal (RAN) automatically.

• Billing capabilities, often in real time, for the pricing of new IoT services.

WHAT IS THE IMPACT OF SDN ON IOT?

As explained above, the eSIM is the first disruptive step towards being able to offer an IoT service without being tied to one specific radio network (RAN). The second step is to bypass the operator's core network. This is now possible, with some service providers using Software Defined Networks (SDN) and NFV (Network Functions Virtualisation). They have built their own virtualised core network that is cloud hosted. EMnify is one example that can offer the following advantages:

• Low cost, because it is designed for IoT and uses proprietary technology (therefore no licencing costs)

• Auto-configuration and scaling. Because it is cloud based, the service is truly elastic (i.e. it can be quickly and simply expanded to meet customer demand for increased data volume or a larger number of SIM cards)

• Pay-as-you-grow pricing

• Flexible and real-time billing that is accessible online

• Own numbering resources (IMSI, IPv6, MSISDN)

• Manage your own virtual mobile IoT network, including Elastic Packet Core, Subscriber Management, OSS/BSS, management portals and open APIs.

• A private and secure device cloud, and implement your own security policies (such as your own VPN, virtual private network, in the core network in the cloud).

The "Gorilla" MNO (e.g. Telekom, Verizon, Vodafone etc.) is reduced to providing only the radio network, and with the eSIM you can actually switch networks. To be clear, you are not reliant on the operator for the core network at all, and you have a choice of radio network. In sum, the advantage is that such a virtual network in the cloud allows IoT use cases that have lower revenues, because the IoT platform is designed for lower connectivity costs.


CONCLUSION – DISRUPTION IN THE IOT CONNECTIVITY MARKET

I have built the case that “boring” connectivity is going to be disruptive for IoT, and it will generate growth. In sum, this is because many IoT business models require lower costs for the lower “micro” or “mini” ARPU/revenue that they generate. Secondly, these new network technologies bring improved speed, latency, battery life, and coverage. Thirdly, new technologies like eSIM and SDN, give the customer choice and independence from the MNO.

Enterprise customers will need to get more knowledgeable about the types of connectivity on offer, and the pros, cons and costs of each technology. Disruption in the market is starting, due to many new offerings from MNOs and MVNOs that are IoT focussed.

Price declines for NB-IoT and 5G enabled devices will also be business drivers. Many connectivity platforms will struggle to distinguish themselves, but can do so, for example by focussing on particular Verticals, or a specific geographical focus, or own Cloud-based packet core. Enterprise customers need to get the balance between a price that enables the business case, but also choosing connectivity that provides the best service level. 

LPWA technologies such as Narrow-Band promise to open up new business models due to lower device and connectivity costs, better coverage and longer battery life. NB-IoT is still in its infancy and benefits like lower device costs are still to be proven. Importantly, the connectivity costs of NB-IoT (as well as module/device costs) will need to be low enough to support the proposed new business cases like parking meters, water meters, luggage tracking, pipe monitoring, and tracking goods in warehouses.

5G for IoT will enable data hungry business models, insure against capacity constraints, and provide wider coverage and almost no latency. Since 5G roll-out is still in the future, it remains to be seen if (or when) the required network density (using such small cells) is enough to provide the wider coverage and higher data rates promised. Almost zero latency is likely to be the most interesting feature of 5G for the IoT World, especially for critical applications like autonomous driving and industrial control.

Big data, Analytics and Application Enablement Platforms/AEP might sound more exciting and promising for innovation and differentiation in IoT. They sound more compelling than a connectivity management platform and new types of connectivity. However, Connectivity is still the foundation of the IoT business case. It is not a commodity. In particular, Narrow-Band IoT, eSIM and SDN will drive new growth in IoT, together with the imminent roll-out of 5G.

Copyright: Peter A. Liss, an independent and commercially focussed IoT expert, based in Germany, who is also available for freelance consulting work.

This post originally appeared here.

Cover photo by Federico Beccari on Unsplash


A Fresh Approach to Remote IoT Connectivity

The IoT market has changed in many ways over the years, and as a growing industry it is estimated to see a 32.6% CAGR increase over the next five years.


As an industry predicted to spend trillions in solutions, IoT’s trends need to be carefully observed and examined in order for implications and applications to be future-proofed.


How do you go about doing this? By simply analyzing how IoT is being used, as well as identifying which sectors are showing potential growth. Right now, a lot of focus is given to consumer applications such as Amazon’s dash buttons and smart home appliances. However, there are many opportunities in remote IoT. This covers industries like industrial, transportation, healthcare, etc.


One challenge that needs to be dealt with is how connectivity is approached right now. As more IoT and M2M devices are deployed in rural areas and places with limited connectivity, applications and machines will need an improved infrastructure in order to carry out their purpose in areas with little connectivity.


Additionally, the increase in transportation and emergency-related applications would require not only ways to deal with low connectivity, but also a system that can access multiple networks depending on availability and location.


Another challenge is how current devices will handle the developments in IoT and M2M technologies in the next five years. The 2G sunset is just one way communication companies are affecting the industry.


Don’t fret, though, as there are several ways to resolve this and many opportunities left to explore to get ready for IoT’s evolution in the coming years.


Want to learn more about the possibilities remote IoT connectivity presents and how you can prepare for them? Check out the following infographic from Communications Solutions Company, Podsystem, and start future-proofing your IoT and M2M applications.


Using Blockchain to Secure IoT

By Ahmed Banafa

IoT is creating new opportunities and providing a competitive advantage for businesses in current and new markets. It touches everything—not just the data, but how, when, where and why you collect it. The technologies that have created the Internet of Things aren’t changing the internet only, but rather change the things connected to the internet—the devices and gateways on the edge of the network that are now able to request a service or start an action without human intervention at many levels.

Because the generation and analysis of data are so essential to the IoT, consideration must be given to protecting data throughout its life cycle. Managing information at all levels is complex because data will flow across many administrative boundaries with different policies and intents.

Given the various technological and physical components that truly make up an IoT ecosystem, it is good to consider the IoT as a system-of-systems. The architecting of these systems that provide business value to organizations will often be a complex undertaking, as enterprise architects work to design integrated solutions that include edge devices, applications, transports, protocols, and analytics capabilities that make up a fully functioning IoT system. This complexity introduces challenges to keeping the IoT secure, and ensuring that a particular instance of the IoT cannot be used as a jumping off point to attack other enterprise information technology (IT) systems.

International Data Corporation (IDC) estimates that 90% of organizations that implement the IoT will suffer an IoT-based breach of back-end IT systems by the year 2017.

Challenges to Secure IoT Deployments

Regardless of the role your business has within the Internet of Things ecosystem (device manufacturer, solution provider, cloud provider, systems integrator, or service provider), you need to know how to get the greatest benefit from this new technology that offers such highly diverse and rapidly changing opportunities.

Handling the enormous volume of existing and projected data is daunting. Managing the inevitable complexities of connecting to a seemingly unlimited list of devices is complicated. And the goal of turning the deluge of data into valuable actions seems impossible because of the many challenges. The existing security technologies will play a role in mitigating IoT risks but they are not enough. The goal is to get data securely to the right place, at the right time, in the right format; it’s easier said than done for many reasons.

Dealing with the challenges and threats

Gartner predicted that more than 20% of businesses will deploy security solutions for protecting their IoT devices and services by 2017. IoT devices and services will expand the surface area for cyber-attacks on businesses by turning physical objects that used to be offline into online assets communicating with enterprise networks. Businesses will have to respond by broadening the scope of their security strategy to include these new online devices.

Businesses will have to tailor security to each IoT deployment according to the unique capabilities of the devices involved and the risks associated with the networks connected to those devices. BI Intelligence expects spending on solutions to secure IoT devices and systems to increase fivefold over the next four years.

The optimum platform

Developing solutions for the Internet of Things requires unprecedented collaboration, coordination, and connectivity for each piece in the system, and throughout the system as a whole. All devices must work together and be integrated with all other devices, and all devices must communicate and interact seamlessly with connected systems and infrastructures in a secure way. It’s possible, but it can be expensive, time-consuming, and difficult unless a new line of thinking and a new approach to IoT security emerge that move away from the current centralized model.

The problem with the current centralized model

The current IoT ecosystems rely on centralized, brokered communication models, otherwise known as the server/client paradigm. All devices are identified, authenticated and connected through cloud servers that sport huge processing and storage capacities. The connection between devices will have to exclusively go through the internet, even if they happen to be a few feet apart.

While this model has connected generic computing devices for decades and will continue to support small-scale IoT networks as we see them today, it will not be able to respond to the growing needs of the huge IoT ecosystems of tomorrow.

Existing IoT solutions are expensive because of the high infrastructure and maintenance cost associated with centralized clouds, large server farms, and networking equipment. The sheer amount of communications that will have to be handled when IoT devices grow to the tens of billions will increase those costs substantially.

Even if the unprecedented economical and engineering challenges are overcome, cloud servers will remain a bottleneck and point of failure that can disrupt the entire network. This is especially important as more critical tasks

Moreover, the diversity of ownership of devices and their supporting cloud infrastructure makes machine-to-machine (M2M) communications difficult. There’s no single platform that connects all devices and no guarantee that cloud services offered by different manufacturers are interoperable and compatible.

Decentralizing IoT networks

A decentralized approach to IoT networking would solve many of the issues above. Adopting a standardized peer-to-peer communication model to process the hundreds of billions of transactions between devices will significantly reduce the costs associated with installing and maintaining large centralized data centers and will distribute computation and storage needs across the billions of devices that form IoT networks. This will prevent the failure of any single node in a network from bringing the entire network to a halting collapse.

However, establishing peer-to-peer communications will present its own set of challenges, chief among them the issue of security. And as we all know, IoT security is much more than just about protecting sensitive data. The proposed solution will have to maintain privacy and security in huge IoT networks and offer some form of validation and consensus for transactions to prevent spoofing and theft.

To perform the functions of traditional IoT solutions without a centralized control, any decentralized approach must support three fundamental functions:

  • Peer-to-peer messaging
  • Distributed file sharing
  • Autonomous device coordination


The Blockchain approach

Blockchain, the “distributed ledger” technology that underpins bitcoin, has emerged as an object of intense interest in the tech industry and beyond. Blockchain technology offers a way of recording transactions or any digital interaction in a way that is designed to be secure, transparent, highly resistant to outages, auditable, and efficient; as such, it carries the possibility of disrupting industries and enabling new business models. The technology is young and changing very rapidly; widespread commercialization is still a few years off. Nonetheless, to avoid disruptive surprises or missed opportunities, strategists, planners, and decision makers across industries and business functions should pay heed now and begin to investigate applications of the technology.

What is Blockchain?

Blockchain is a database that maintains a continuously growing set of data records. It is distributed in nature, meaning that there is no master computer holding the entire chain. Rather, the participating nodes have a copy of the chain. It’s also ever-growing — data records are only added to the chain.

A blockchain consists of two types of elements:

  • Transactions are the actions created by the participants in the system.
  • Blocks record these transactions and make sure they are in the correct sequence and have not been tampered with. Blocks also record a time stamp when the transactions were added.

What are some advantages of Blockchain?

The big advantage of blockchain is that it’s public. Everyone participating can see the blocks and the transactions stored in them. This doesn’t mean everyone can see the actual content of your transaction, however; that’s protected by your private key.

A blockchain is decentralized, so there is no single authority that can approve the transactions or set specific rules to have transactions accepted. That means there’s a huge amount of trust involved since all the participants in the network have to reach a consensus to accept transactions.

Most importantly, it’s secure. The database can only be extended and previous records cannot be changed (at least, there’s a very high cost if someone wants to alter previous records).

How does it work?

When someone wants to add a transaction to the chain, all the participants in the network will validate it. They do this by applying an algorithm to the transaction to verify its validity. What exactly is understood by “valid” is defined by the blockchain system and can differ between systems. Then it is up to a majority of the participants to agree that the transaction is valid.

A set of approved transactions is then bundled in a block, which gets sent to all the nodes in the network. They, in turn, validate the new block. Each successive block contains a hash, which is a unique fingerprint, of the previous block.
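To make the hashing step concrete, here is a small added example (illustrative code written for this page, not the article's own code or that of any real blockchain): a hash chain in Python in which every block's SHA-256 digest covers the previous block's digest. The transactions are constructed IoT-style messages with hypothetical device names, and the timestamps are fixed so the digests are reproducible. It also shows what the verification walk catches when a stored record is altered after the fact, both when the alteration leaves the block's own digest stale and when the digest is refreshed but the next block's link is not.

```python
import copy
import hashlib
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: float
    transactions: List[dict]
    prev_hash: str          # fingerprint of the previous block
    hash: str = ""          # fingerprint of this block, filled in on creation

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the same content always
        # yields the same digest regardless of dict ordering.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "transactions": self.transactions, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(payload)


class HashChain:
    def __init__(self) -> None:
        genesis = Block(0, 0.0, [], "0" * 64)
        genesis.hash = genesis.compute_hash()
        self.blocks: List[Block] = [genesis]

    def add_block(self, transactions: List[dict], timestamp: Optional[float] = None) -> Block:
        prev = self.blocks[-1]
        block = Block(len(self.blocks),
                      time.time() if timestamp is None else timestamp,
                      copy.deepcopy(transactions), prev.hash)
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of the first bad block)."""
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False, i            # block content no longer matches its digest
            if i > 0 and block.prev_hash != self.blocks[i - 1].hash:
                return False, i            # link to the predecessor is broken
        return True, None


# Constructed sample transactions (hypothetical device names, not from the article).
SAMPLE_TRANSACTIONS = [
    [{"from": "soil-sensor-01", "to": "irrigation-ctl", "msg": "moisture=12%"}],
    [{"from": "irrigation-ctl", "to": "valve-03", "msg": "open for 10 min"}],
]


def build_sample_chain() -> HashChain:
    chain = HashChain()
    for n, txs in enumerate(SAMPLE_TRANSACTIONS, start=1):
        # Fixed timestamps keep the digests reproducible between runs.
        chain.add_block(txs, timestamp=1_700_000_000.0 + n)
    return chain


def tamper_and_verify() -> Tuple[bool, Optional[int]]:
    """Alter a stored transaction without touching any digest."""
    chain = build_sample_chain()
    chain.blocks[1].transactions[0]["msg"] = "moisture=99%"
    return chain.verify()               # (False, 1): block 1 no longer matches its own hash


def tamper_recompute_and_verify() -> Tuple[bool, Optional[int]]:
    """Alter a transaction and refresh that block's digest; the next block still points at the old one."""
    chain = build_sample_chain()
    chain.blocks[1].transactions[0]["msg"] = "moisture=99%"
    chain.blocks[1].hash = chain.blocks[1].compute_hash()
    return chain.verify()               # (False, 2): block 2's prev_hash is stale


if __name__ == "__main__":
    print(build_sample_chain().verify(), tamper_and_verify(), tamper_recompute_and_verify())
```

The second tampering case is the point of chaining: rewriting one record forces the rewrite of every later block's link, which is what makes altering history expensive on a network where other nodes hold their own copies.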

There are two main types of Blockchain:

  • In a public blockchain, everyone can read or write data. Some public blockchains limit the access to just reading or writing. Bitcoin, for example, uses an approach where anyone can write.
  • In a private blockchain, all the participants are known and trusted. This is useful when the blockchain is used between companies that belong to the same legal parent entity.

The Blockchain and IoT

Blockchain technology is the missing link to settle scalability, privacy, and reliability concerns in the Internet of Things. Blockchain technologies could perhaps be the silver bullet needed by the IoT industry. Blockchain technology can be used to track billions of connected devices, enable the processing of transactions and coordination between devices, and allow for significant savings for IoT industry manufacturers. This decentralized approach would eliminate single points of failure, creating a more resilient ecosystem for devices to run on. The cryptographic algorithms used by blockchains would make consumer data more private.

The ledger is tamper-proof and cannot be manipulated by malicious actors because it doesn’t exist in any single location, and man-in-the-middle attacks cannot be staged because there is no single thread of communication that can be intercepted. Blockchain makes trustless, peer-to-peer messaging possible and has already proven its worth in the world of financial services through cryptocurrencies such as Bitcoin, providing guaranteed peer-to-peer payment services without the need for third-party brokers.

The decentralized, autonomous, and trustless capabilities of the blockchain make it an ideal component to become a fundamental element of IoT solutions. It is not a surprise that enterprise IoT technologies have quickly become one of the early adopters of blockchain technologies.

In an IoT network, the blockchain can keep an immutable record of the history of smart devices. This feature enables the autonomous functioning of smart devices without the need for centralized authority. As a result, the blockchain opens the door to a series of IoT scenarios that were remarkably difficult, or even impossible to implement without it.

By leveraging the blockchain, IoT solutions can enable secure, trustless messaging between devices in an IoT network. In this model, the blockchain will treat message exchanges between devices similar to financial transactions in a bitcoin network. To enable message exchanges, devices will leverage smart contracts which then model the agreement between the two parties.

In this scenario, we can envision a sensor, from afar, communicating directly with the irrigation system in order to control the flow of water based on conditions detected on the crops. Similarly, smart devices on an oil platform can exchange data to adjust their functioning based on weather conditions.

Using the blockchain will enable true autonomous smart devices that can exchange data, or even execute financial transactions, without the need of a centralized broker. This type of autonomy is possible because the nodes in the blockchain network will verify the validity of the transaction without relying on a centralized authority.

In this scenario, we can envision smart devices in a manufacturing plant that can place orders for repairing some of their parts without the need for human or centralized intervention. Similarly, smart vehicles in a truck fleet will be able to provide a complete report of the most important parts needing replacement after arriving at a workshop.

One of the most exciting capabilities of the blockchain is the ability to maintain a fully decentralized, trusted ledger of all transactions occurring in a network. This capability is essential to meet the many compliance and regulatory requirements of industrial IoT applications without the need to rely on a centralized model.

This article originally appeared here. Header photo has been modified, credit here.



What is Going on with Residential IoT Cyber Security?

 


For sure you have heard about the recent DDoS attacks that occurred last October 21st on Dyn’s DNS service. The news broke reporting that many well-known Internet services were not available. According to Hacker News, Twitter, Etsy, Spotify and other sites were affected. Up to this point, there’s nothing new, just another DDoS attack. A large company outage means big news, but there is still a key point in this equation that has not been addressed.

  • Was Residential or Consumer IoT affected?

According to Dyn’s report, “the attack came from 100,000 malicious endpoints”.

In the second-to-last paragraph they write: “Not only has it highlighted vulnerabilities in the security of “Internet of Things” (IOT) devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet.”

Put both quotes together: 100,000 IoT devices have been Hacked. This is astonishing and outstanding!

There has been no news about how the 100,000 IoT device customers have been affected or supported:

  • Do they still have the Bot inside their device? 
  • Do the devices work correctly? 
  • Do they know they have been hacked? 
  • Do they know they are at risk? 
  • Will the Bots change and do other things? 
  • Will the Bots leave backdoors in their home networks?
  • How long will it take for another Bot to hack their IoT device?
  • What are Consumer Protection Agencies doing about this?
  • What are Governments doing?

This is no joke: we are talking about 100,000 devices (IoT customers), and therefore it has to be addressed very seriously.

Dyn and the Internet community will address the issue. That’s fine! But how and when will they solve the Residential IoT vulnerability problem? Residential IoT needs to be Secured, Monitored and its software Updated. Enterprise IoT already contemplates this, but Residential IoT does not. Individual devices are sold with no security, and in the best case, if they are well developed and secured, they still need to be monitored because software always has vulnerabilities, no matter how well and securely it has been developed.

All the questions above cannot be solved using security policies inside IoT or in the Internet itself. More has to be done! This is a Game Changer; Home Networks have to be monitored and secured to prevent Malware and Attacks. If not, the Internet will soon be like Hell.

The Residential IoT Avalanche

Gartner estimates that by 2020 there will be 25 billion IoT devices; of these, 13 billion will be Residential Home Devices, more than 50% of the total. Imagine if only 1% of these devices are vulnerable: there will be 13 million devices to hack.

  • Are the Internet Home Users aware of the risk they are taking?
  • Are their Home Networks and GateWays (GW/Router) secure?
  • Will the Internet itself be reliable and secure?

How to Secure Home Networks

Twenty years ago, Home Networks only had PCs with well-developed software, for example Windows, but many vulnerabilities were used to Hack Residential and Enterprise PCs. This problem brought up many Anti Malware (AM) Software Companies to safeguard Windows PCs. The same is happening right now with Residential IoT.

IoT devices either cannot incorporate AM software, or their suppliers are not interested in doing so. They are generally too small and only have specific dedicated software, i.e. they cannot be easily protected with AM Software embedded in the devices themselves:

  • This is a big problem. How can it be solved?
  • Where and how can AM software safeguard Home Networks, GWs and IoT?

Every Home Network connects to the Internet through the GW, which is the main door into our Home. As with Houses, shouldn’t an armored door be used to prevent thieves from coming in? The GW is the door to the Internet and it is also another device with CPU and Memory, a processing unit that can do the job. Why not use it to block hackers before they even get in? Thanks to FTTH and IoT itself, Gateways have become more powerful. If a GW does not have the power to cope with AM Security, then a security appliance should be connected to it. Using a secure GW, the entire Home Network will be protected from Malware and Attacks.

Many Security Providers and new startups have already foreseen the Secure GW solution.

Current Residential IoT/GW Security Innovation Trends

As described before, the most effective scenario to protect your Home IoT is to Safeguard the Home Network using the GW. This is currently being done with two innovative solutions:

Solution #1: Attach a physical AM Security Appliance to the Home GW.

Solution #2: Embed AM Security software directly into the Home GW.

Solution #1 is an interesting and effective approach: another device with more CPU and Memory means more processing power, but it adds another gadget for the end-user and it has to be physically connected to the Home GW’s 1Gbit Port.

The Pros: The Appliance adds an extra device to manage security, leaving the GW as it is. The customers will manage alerts and/or security configurations through a simple app on their smartphones. 

The Cons: All the traffic will have to pass through the appliance over a 1Gbit port, which needs a cable connected to the GW. Customers want to reduce physical gadgets; they already have many, such as the GW itself, IPTV DVB Decoder, the ONT, Game Station, Printers, cables, etc. Another device is not a bad solution, but the current trend is to reduce home devices and cables. This solution will work, but in a few years Solution #2 will make Solution #1 obsolete.

Solution #2: The Security Software will come within the GW device or will be installed remotely.

The Pros: The customer will only manage alerts and/or security configurations, with a simple mobile app, that’s all. Simple, no physical appliance, no wires. 

The Cons: Many of the current GW hardware devices don’t have sufficient physical CPU and/or Memory capacity to manage security software, but with the FTTH and IoT boom, Gateways are becoming more and more powerful, and in a few years most of them, if not all, will have the power to manage AM software.

Make it Simple, Intelligent and Economically Viable for Retail

Both solutions have their pros and cons, and both should, at least, address basic security surveillance. There are many threats that can be addressed using Cloud Intelligent Processing, analyzing Home Network Metadata (GW CPU will be liberated from many security tasks). But, most important of all is the combined Residential Cloud Intelligence, for example; if a new threat is detected and blocked on a provider’s vulnerable IoT device, the solution will automatically be propagated to all of the security providers’ customers, avoiding mass propagation and hacking damage. 

Residential Device “Internet Use Patterns” will be supervised and any mismatch will be reported to the customer or automatically be blocked if a malicious attacker is detected.

Customers don’t, or cannot, properly maintain their Home IoT. The solution should or will control possible problems like vulnerable firmware, recommend changing easy or default passwords, block dangerous port access, grant or deny access, etc. Most of these simple actions will be prompted on the users’ smartphone, and the problem will easily be solved using a simple one-click menu.
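The “Internet Use Patterns” supervision described above can be made concrete with a small added example (written for this page, not code from the post or from any security vendor). It takes constructed outbound flow records as a home gateway might log them, with hypothetical device names and a documentation-range destination address, learns a per-device baseline of (destination, port) pairs during a trusted window, and then flags two things in a monitoring window: a destination the device never used before, and a burst of connections from one device, which is the shape of traffic a compromised consumer device generates when pressed into a botnet. No real detection product or API is implied.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt seen by the gateway (constructed record format)."""
    ts: int       # seconds since some epoch
    device: str   # LAN identity of the device (hostname or MAC); names below are hypothetical
    dst: str      # destination host
    dport: int    # destination port


Baseline = Dict[str, Set[Tuple[str, int]]]


def learn_baseline(flows: List[Flow]) -> Baseline:
    """Record, per device, every (destination, port) pair seen during a trusted learning window."""
    baseline: Baseline = defaultdict(set)
    for f in flows:
        baseline[f.device].add((f.dst, f.dport))
    return dict(baseline)


def detect(flows: List[Flow], baseline: Baseline,
           window: int = 10, burst_limit: int = 50) -> List[Tuple[str, str, str]]:
    """Return (device, reason, detail) alerts for (a) destinations the device never used during
    learning and (b) more than burst_limit flows from one device inside a window-second bucket."""
    alerts: List[Tuple[str, str, str]] = []
    reported: Set[Tuple[str, str, int]] = set()            # one new-destination alert per device+dst
    counts: Dict[Tuple[str, int], int] = defaultdict(int)  # (device, time bucket) -> flow count
    for f in flows:
        if (f.dst, f.dport) not in baseline.get(f.device, set()):
            key = (f.device, f.dst, f.dport)
            if key not in reported:
                reported.add(key)
                alerts.append((f.device, "new-destination", f"{f.dst}:{f.dport}"))
        counts[(f.device, f.ts // window)] += 1
    for (device, _bucket), n in counts.items():
        if n > burst_limit:
            alerts.append((device, "burst", f"{n} flows in {window}s"))
    return alerts


def sample_learning_flows() -> List[Flow]:
    # Constructed: a quiet period in which each device only talks to its vendor cloud and an NTP host.
    return [
        Flow(0, "cam-01", "cloud.camvendor.example", 443),
        Flow(60, "cam-01", "time.example", 123),
        Flow(120, "thermo-01", "api.thermovendor.example", 443),
        Flow(180, "thermo-01", "time.example", 123),
    ]


def sample_monitoring_flows() -> List[Flow]:
    normal = [
        Flow(1000, "thermo-01", "api.thermovendor.example", 443),
        Flow(1001, "cam-01", "cloud.camvendor.example", 443),
    ]
    # Constructed: the camera suddenly opens 120 connections in 8 seconds to a host it has
    # never used before (203.0.113.7 is a documentation address, not a real target).
    burst = [Flow(2000 + i // 15, "cam-01", "203.0.113.7", 53) for i in range(120)]
    return normal + burst


def run_demo() -> List[Tuple[str, str, str]]:
    return detect(sample_monitoring_flows(), learn_baseline(sample_learning_flows()))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The thermostat, whose monitoring-window traffic matches its baseline, raises nothing; the camera raises one new-destination alert and one burst alert. A gateway product would feed alerts like these to the user's app or block the device, and the shared-intelligence step the post describes would push the newly learned bad destination to other customers' gateways.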

And finally, and probably most important, customers don’t want and can’t pay for a highly sophisticated solution. A next-generation-firewall type of solution is way out of scope and expensive; the solution has to be smart and economically viable or sales will fall back.

There is no need to drill down into what can be done and what cannot, both solutions are effective. Solution #1 is good but #2 is in the core of the Home Network, the GW, and simpler for the end user, but it may take some time before all the GWs have sufficient power and capacity. 

Conclusions

  • There are millions of Residential IoT Devices being hacked, but most users are unaware and the press doesn’t really talk about it.
  • Residential IoT is in general insecure, and with the predicted IoT Avalanche, hackers will take advantage of the situation to make the Internet like Hell.
  • Residential IoT must be Secured, Monitored and its software Updated using the Home GW Router.
  • Make it Simple, Intelligent and Economically Viable for Retail.
  • IoT Residential Customers must be 100% aware of the Security risks, this must be strongly driven by Consumer Agencies, Governments, The Press, IoT Suppliers and Security Vendors.

If the security actions described in this publication are not addressed correctly, the Internet and all of us will have to learn the hard way. 

 

Juan Mora Zamorano

Independent Security Contractor


https://es.linkedin.com/in/morajuan

 


Securing IoT Consumer Devices

As consumer electronics manufacturers release new gadgets for the holidays, security is likely to be the last thing on people's minds. Devices like Apple’s HomeKit turn your iPhone or iPad into a remote control for lights, locks, the thermostat, window shades and even your doorbell, making typical iOS functions like Siri voice-based extensions of controlling a smart home.

Yet even if most electronics on a home network employ top security standards, all it takes is a faulty webcam for an attack to happen.

We just saw this with internet infrastructure company Dyn in late October. Mirai malware took advantage of default, easy-to-guess passwords on the webcams of unsuspecting consumers, leading to a massive Distributed Denial of Service (DDoS) attack temporarily shutting down popular sites like Twitter and PayPal.

Along with Apple’s Authentication Coprocessor, HomeKit’s end-to-end encryption helps mitigate the risk of hacking. The coprocessor only sends a certificate that allows an iOS device to unlock an accessory (like your home’s light dimmers, thermostat and power meter) after the accessory completes a challenge sent by the iOS device. Any Internet of Things device that connects to this network, however, may not have the same robustness rules in place.
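The paragraph above describes a challenge-response step: the accessory must answer a fresh challenge from the controller before anything is unlocked. The added example below (written for this page; not Apple's code and not HomeKit's actual cryptography) shows the shape of that exchange with a single-use random nonce. To stay within the Python standard library it uses an HMAC over a constructed shared pairing secret where HomeKit uses certificates and public-key operations; the properties it demonstrates, that a captured answer cannot be replayed and that a device without the pairing secret cannot answer, are the ones the paragraph relies on.

```python
import hashlib
import hmac
import secrets
from typing import Set, Tuple


class Accessory:
    """The device being unlocked (e.g. a light dimmer). Holds the shared pairing secret (assumption)."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def answer(self, challenge: bytes) -> bytes:
        # Prove possession of the secret by keying an HMAC over the fresh challenge.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Controller:
    """The phone/hub side: issues single-use challenges and checks the answers."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: Set[bytes] = set()

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)   # unpredictable, never reused
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False                      # unknown or already consumed: replay or forgery
        self._outstanding.discard(challenge)  # single use, even if the answer turns out wrong
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


SHARED_SECRET = b"constructed-pairing-secret-for-the-example"  # constructed, not a real key


def honest_exchange() -> bool:
    controller, accessory = Controller(SHARED_SECRET), Accessory(SHARED_SECRET)
    c = controller.issue_challenge()
    return controller.verify(c, accessory.answer(c))            # True


def replayed_exchange() -> Tuple[bool, bool]:
    """A recorded (challenge, response) pair is presented a second time."""
    controller, accessory = Controller(SHARED_SECRET), Accessory(SHARED_SECRET)
    c = controller.issue_challenge()
    r = accessory.answer(c)
    return controller.verify(c, r), controller.verify(c, r)     # (True, False)


def unpaired_exchange() -> bool:
    """A device that never completed pairing holds a different secret and cannot answer."""
    controller = Controller(SHARED_SECRET)
    unpaired = Accessory(b"some-other-secret")
    c = controller.issue_challenge()
    return controller.verify(c, unpaired.answer(c))              # False


if __name__ == "__main__":
    print(honest_exchange(), replayed_exchange(), unpaired_exchange())
```

The freshness of the challenge is what makes a recorded answer useless; a scheme that authenticated with a fixed password or a static token, as the compromised webcams in the Dyn incident effectively did, has nothing equivalent.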

According to the IoT graphic from Arxan below, the number of devices connected to the internet reached 6.4 billion in 2016. Thus, in-home communication network security is only half the battle for consumers, as the cars they drive are increasingly becoming connected as well. Car manufacturers work with different OEMs when it comes to displays and in-vehicle digital storage, meaning that not all devices in a connected car may use end-to-end encryption. Code scanners can interrupt critical functions, and if you look further into automotive IoT security you’ll find that many parts of a vehicle that have been around for years, like the OBD2 port for engine diagnostics and on-board computers, could potentially be decrypted and injected with malware.

 

 


IoT and IIOT Cybersecurity Market Map

CB Insights has identified 78 private companies at the intersection of cybersecurity and connected hardware, which includes: critical infrastructure, mobile phones, connected devices, enterprise endpoints, and connected cars.

The breakdown of categories is as follows:

Critical Infrastructure: Startups in this category include Indegy which provides real-time situational awareness, visibility, and security for industrial control systems used across critical infrastructure, including energy, water utilities, petrochemical plants, manufacturing facilities, etc. Similar companies such as CyberX can detect network anomalies by analyzing the operational behavior of industrial internet networks using Big Data and Machine Learning. The company Bastille Networks is among the more unique startups in this category, with a product that scans air space to provide visibility into RF-emitting devices. Bastille has broad implications across the connected hardware cybersecurity market.

Mobile Phones: Companies in this category include three unicorns valued at $1B+. They are: Okta which offers cloud-based identity management and mobility management services, Lookout which is a smartphone security company for the Android and iOS platforms, and Avast Software which offers security and privacy solutions also for iOS and Android.

Connected Devices: Included are companies like Mocana which secures IP addressable devices as well as the information, applications, and services that run on them. Companies in this category also include MedCrypt which offers the ability to manage all of the digital keys needed for users to securely access medical devices.

Enterprise Endpoints: Startups like the unicorn Tanium offer a systems management solution that allows enterprises to collect data and update endpoints across networks. Another unicorn in this category is Cylance, which operates in defense of enterprises’ endpoints by applying artificial intelligence algorithms to predict, identify, and stop malware and advanced threats.

Connected Cars: Argus Cyber Security enables car manufacturers to protect technologically advanced connected vehicles from malicious cyber attacks.

The full company list is here


Bruce Schneier, cybersecurity expert, cryptologist

By Ben Dickson. This article originally appeared here. 

As if I haven’t said it a million times, IoT security is critical.

But just when I thought I had it all figured out, somebody comes along and sheds new light on this very important topic in a different way.

At a November 16 hearing held by the Congress Committee on Energy and Commerce in light of the devastating October 21 Dyn DDoS attack, famous cryptologist and computer security expert Bruce Schneier offered a new perspective on IoT security, which makes it easier for everyone to understand the criticality of the issue.

After watching it at least three times, I decided to share the main concepts with the readers of TechTalks. Here are the key takeaways, which I’ve taken the pain to elaborate on.

Everything is now a computer

“Everything is now a computer,” Schneier said at the beginning of his remarks, after which he gave examples about how our phones, refrigerators, ATM machines and cars have in essence become computers that perform functions in the physical world.

“And this is the Internet of Things, and this is what caused the DDoS attack we’re talking about,” he continued.

IoT devices are much more than objects with a little silicon and electronics baked in. We’re talking about devices that are sometimes running fully functional operating systems and enjoying broadband internet connections.

And as we all know, computers are smart—but they’re also hackable.

So what it comes down to is that soon, everything around you, from your toaster to your lawn mowing machine, fridge, light bulb and door lock can be hacked and used directly (against you) or indirectly (against others) for evil purposes.

And then Schneier went on to “give four truths” from the world of computer security—which he extended to “everything security”—that apply to everything.

Attack is easier than defense

This was Schneier’s first premise. As the saying goes in cybersecurity jargon “cybersecurity experts have to win every battle. Hackers only have to win once.”

But it was his next phrase that said it all.

“Complexity is the worst enemy of security,” he said. “And this is especially true for computers and the internet.”

Attackers find methods to use software and operating systems in malicious ways that were never imagined by their developers. This is partly due to security flaws found in the source code, and partly the simple fact that the basic functionalities embedded in that software can be combined in innumerable ways.

Even highly secure operating systems such as the Apple iOS tend to spit out vulnerabilities every once in a while.

So said in another way, you have to plug every security hole—hackers only have to find one.

Interconnections introduce new vulnerabilities

This is an extension of the complexity concept.

“The more we connect things to each other,” Schneier said, “the more vulnerabilities in one thing affect other things.”

And he went on to give accounts of some of the cyberattacks that made their fame in recent years, including the Target hack, and of course the Dyn attack, in which the hackers exploited vulnerabilities in several systems to stage their attack.

“Vulnerabilities like this are hard to fix because no one system might be at fault,” Schneier explained.

In many cases a flaw in one system might not be critical per se, but when that system or component is combined or connected to another one, the same vulnerability might open up new ways to cause harm.

Many IoT manufacturers embed third party components into their products that are inherently insecure, and they don’t even know about it. I know of at least one Chinese company that was offering vulnerable white label DVRs and components to other companies, whose products were involved in the Dyn DDoS attack. Good luck recovering all those tens of thousands of devices.

And we’re entering a world where abstraction is playing an increasingly important role in creating software and hardware. Blackbox systems connect over the internet and allow access to their data and functionality without having full knowledge of their vulnerabilities.

The internet empowers attackers

“The internet is a massive tool for making things efficient,” Schneier said, “and that’s also true for attacking. The internet allows attacks to scale to a degree that’s impossible otherwise.”

The Internet of Things has taken that scaling power to the next level. It was true for the Dyn attack, as well as a host of other recent DDoS attacks that were based on IoT botnets.

In terms of efficiency, Schneier underlined the fact that hackers have an easier time sharing their knowledge and experience thanks to the internet. The source code for the Mirai botnet, which was used to stage the Dyn attack, has been released and is now available for all to use.

And for those who don’t have the knowledge to make use of the source code and create their own IoT botnet, they can rent one at an affordable price. “I don’t recommend it,” Schneier said.

The for-rent cybercrime business model is gaining traction. Recently, hackers put up a ransomware-as-a-service platform to allow wannabe hackers to cash-in on cyber extortion.

“This is more dangerous as our systems get more critical,” Schneier said next. “The Internet of Things affects the world in a direct and physical manner.”

This is something that I’ve been saying a lot. It’s one thing to lose access to your favorite website, lose online documents or even have your most intimate secrets doxed. But it’s another thing altogether where your very life and health are concerned and can be compromised from thousands of miles away.

And that’s where the Internet of Insecure Things is leading us.

Schneier: “There’s real risk to life and property. There’s real catastrophic risks.”

The economics don’t trickle down

“Our computers are secure for a bunch of reasons,” Schneier said—and that’s relatively speaking (my own comment). “But it doesn’t happen for these cheaper devices.”

There are many reasons that IoT devices are created with less security. Schneier named a few:

  • Low profit margins: Manufacturers are doing their best to lower the costs, and therefore pack the devices with cheaper and less secure components, and firmware and low-end operating systems that can’t run security software.
  • IoT devices are offshore: Many devices are treated in an install-and-forget manner. How many times do you check the logs for your thermostat? Also, no sane person leaves their desktop computer or smartphone in an unprotected environment. But IoT devices are made to be installed in the open and left unattended. And yet in many cases, these same devices sport storage and computation capabilities that rival those of mobile and desktop computers, to say nothing of their broadband internet connections.
  • No dedicated security teams: Many of the manufacturing companies don’t allocate resources and funds to securing their devices, because as some will honestly admit, “Consumers don’t pay for security. They pay for functionality.” And vetting code and hardware for security can be costly. Also, we’re in the “Gold Rush” phase of the IoT industry’s development, where every new kid on the block is in a hurry to ship a connected device to the market before their competitors do, so naturally, things such as security take a backstage seat.
  • Devices can’t be patched: Desktop and mobile operating systems are regularly updated and patched to fix security holes. The same can’t be said about IoT devices. In many cases, the mechanism is nonexistent, while in others it’s so arduous that consumers will simply forgo applying the patches. And let’s not forget that these are install-and-forget products. And as Schneier reminded in his remarks, many of these “things” such as fridges and cars will not be replaced for a long time—some, never. This means they’ll remain vulnerable for the rest of their lives, causing potential damage to their owners and others.

What needs to be done?

“The government has to get involved,” Schneier said. “What I need are some good regulations.”

I agree, but I would also extend the point and say “Everyone has to get involved,” and that includes manufacturers, who should get serious about securing their devices, or suffer the consequences. It also concerns ISPs, who should do more to spot and block botnet traffic. And consumers should become more savvy on cybersecurity in general and demand more security from manufacturers.

But of course, the government has to play a regulatory role that will ensure implementation.

“For the first time, the internet affects the world in a direct, physical manner,” Schneier said. “When it didn’t matter—when it was Facebook, when it was Twitter, when it was email—it was OK to let programmers, to give them the special right to code the world as they saw fit. We were able to do that. But now that it’s the world of dangerous things… maybe we can’t do that anymore.”

I liked that phrase, and I think we ought to take it seriously.

Watch the full hearing here:

Read more…

The Internet of Evil Things

The Seventh Seal (1957)

 

Guest post by Joe Barkai. Original story appeared here

 

How Secure is the Internet of Things?

You may have heard me at a conference or read my response to questions concerning the security of the Internet of Things. When asked, I sometimes “refuse” to answer this question. This is not because I think that data security—and the closely related data privacy—are unimportant; of course they are important. But I want to highlight the point that data security and privacy are foundational issues that are not unique to IoT devices. Every enterprise must ensure that all data—IoT generated or not—is secured and that data privacy and ownership are handled properly.

But in light of the recent highly-publicized cyberattacks, and a session with Chris Valasek (who is best known for wirelessly hacking a Jeep wrangler) and Mark Weatherford (past deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security), I thought I should provide a brief update.

CCTV Bots Attack the Internet

On October 21, a massive, highly-distributed cyberattack, involving millions of IP addresses and malicious software, crippled web servers across the U.S., temporarily shutting down DNS services and rendering major Internet sites inaccessible.

Distributed denial-of-service (DDoS) attacks are not new. But according to web security firm Sucuri, this was the first time it had observed an attack powered solely by hacked CCTV devices. The company discovered that attackers had compromised more than 25,000 digital video recorders and CCTV cameras and were using them to launch DDoS attacks against websites.

Taxonomy of IoT Devices

Internet-connected devices, such as the CCTV devices involved in the DDoS cyberattack, are getting cheaper and more powerful. This trend inspires conceptual architectures that place smart, connected devices at the edge of the IoT network.

There are some perfectly good arguments as to why sophisticated devices with autonomous decision authority should reside at the edge of the network. For instance, moving decision-making devices closer to the industrial processes they control improves real-time control and reduces network traffic and information latency.

On the other hand, there are also equally convincing rationales to consider the use of less sophisticated and less autonomous edge devices.

First, devices that do not need to perform complex computational tasks are simpler and cheaper, consume less power, and are less prone to failures. And because of their low computation bandwidth and limited command and control reach, these devices are far less prone to hacking.

Much more importantly, however, many business decisions should not and cannot be performed at the edge device level. While command and control of a single machine can be done locally and autonomously, the type of deep insight that drives predictive analytics and long-term decisions is based on multiple inputs from the broader IoT and business network: multiple machines, multiple production lines, and in multiple locales. These types of analyses and decisions can only be carried out centrally.

There is no single “ideal” architecture. The power of the Internet of Things is in the ability to form a flexible decision-making architecture, and to move analytics and decision making as needed between edge devices (for example, for real-time control) and centralized cloud applications such as fleet optimization.

In my book The Outcome Economy: How the Industrial Internet of Things is Transforming Every Business, I propose a taxonomy of IoT devices, which can serve to determine the level of decision-authority that should be given to different edge devices.  The following is a shorter version of this taxonomy description.

Activity-Aware Devices

The basic building blocks of the Industrial IoT are single-task devices such as sensors, pumps, valves, and motors. These devices can measure and send discrete pieces of information (a sensor) or respond to a simple on/off command (a pump, a valve, or a motor).

An activity-aware object “understands” the physical world in terms of event and activity streams, where each event or activity is directly related to the task the object is to perform: turn on, measure, etc.

The operating model of activity-aware devices is typically a simple linear sequence of data collection and processing functions, such as a time or state series. These devices primarily measure and log data, but do not provide interactive, analytic, or self-governance capabilities.

Policy-Aware Devices

A policy-aware device is an activity-aware object with an embedded policy model. A policy-aware device can sense and interpret events and activities and respond to them based on predefined operational and organizational policies.

The governance model of policy-aware devices consists of application-specific policies expressed as a set of rules that operate on event and activity streams to create actions. The model provides context-sensitive information about event handling and work-activity performance. In particular, it can issue warnings and alerts if it’s unable to comply with the policy or the operating model.

Many industrial devices, even simple ones, are policy-aware devices. For example, a thermostat in a cold-chain application is commanded to maintain a certain ambient temperature range. In other words, the thermostat has an autonomous decision-making capability to enable it to comply with the policy. An air-conditioning unit and an alarm system are other examples of policy-aware devices.

Process-Aware Devices

A process is a collection of related activities that are sequenced in time and space to accomplish a task or a combination of tasks. Process execution rules can be included for dynamic recombination of activities to support a broader range of interrelated activities, tasks, and sub-tasks, and have greater event-handling agility and decision capacity.

A process-aware device is aware of and “understands” the organizational processes that it is a part of. Moreover, it is also aware of other devices in its subnetwork operating in tandem to implement the process and can relate the occurrence of real-world activities and events of these processes to the user.

Cold-chain logistics, process automation and control, robots, and manufacturing execution systems (MES) are examples of process-aware applications.

The application model of process-aware objects is built around a dynamic context-aware workflow model that defines timing and ordering of work activities. Work processes (that is, sequence and timing of activities and events) communicate with others to accomplish predefined, high-level tasks.

Not Everything That Can Be Connected, Should Be

Every industry survey stresses security concerns as one of the top hurdles in the way of broad adoption, and the publicity of IoT-generated DDoS attacks, which impacted both businesses and individuals, will further erode the confidence of consumers and corporations alike. There’s probably very little damage in curbing the enthusiasm of those that marvel at the vision of connected refrigerators and toasters, but the participants in the Industrial IoT and the connected infrastructure overall should intensify the conversation about standardization, certification and registration, and the delicate balance between enforcement and enticement.

These conversations are critical, but, as stated before, are not limited in scope to the Internet of Things.

While we work to encourage the use of standards, best practices, and better technology, let’s remember that not everything that can be connected, should be. Let’s focus on valuable scenarios rather than the digital chatting between coffee pots and toasters.

(Portions of this article are from The Outcome Economy: How the Industrial Internet of Things is Transforming Every Business)

Read more…

internet of things

Guest post by Ben Dickson. This story originally appeared here

The Internet of Things (IoT) is often hyped as the next industrial revolution—and it’s not an overstatement. Its use cases are still being discovered and it has the potential to change life and business as we know it today. But as much as IoT is disruptive, it can also be destructive, and never has this reality been felt as we’re feeling it today.

 

On Friday, a huge DDoS attack against Dyn DNS servers led to the majority of internet users in the U.S. east coast being shut off from major websites such as Twitter, Amazon, Spotify, Netflix and PayPal.

The culprit behind the attack was a huge botnet. Botnets are armies of zombie computers, vulnerable devices secretly compromised by hackers, which are silently doing the bidding of their masters, the botlords, without their true owners knowing about it.

While botnets and DDoS attacks are nothing new and have been around for a while, the advent and propagation of IoT devices has led to their chaotic growth. There are now millions of vulnerable IoT devices that are easier to access and even easier to hack than, say, computers and tablets that are packed with anti-virus software. That’s why IoT botnets are fast becoming a favorite for bot herders and a real threat for the cybersecurity industry. Put in another way, they are democratizing censorship by enabling any hacker with minimal resources to launch government-level DDoS attacks and bring down sites they don’t like.

This is sad news for the IoT industry. It is now evident more than ever that the IoT industry is in a mess, and it’s going to take more than individual efforts to fix it.

The problem, as I see it, is that all the parties that are directly—or indirectly—involved are either ignorant about security issues or have other priorities.

For their part, manufacturers are too focused on shipping feature-complete devices rather than creating secure and reliable products. After all, the IoT industry is in its gold rush era, and everyone is in a hurry to jump on the bandwagon and grab a larger piece of the pie.

And that’s how security concerns take a back seat in IoT development while timing and costs become prominent.

But why are the manufacturers getting away with their incompetence at securing IoT devices? Because others—namely consumers—couldn’t care less. As the manufacturers will tell you, customers don’t buy security, they buy functionality. They want something that works in an install-and-forget model and don’t want to be pestered with security procedures and practices such as password resets and software updates—and costs for things they can’t directly see with their eyes.

As for governments, they’re concerned about the security of IoT, but they’re not doing enough to regulate it and compel companies to vet their products for security and resilience against attack. The only novel and honest efforts we’ve seen so far include initiatives such as the IoT Security Foundation, but there’s only so much a single organization can do when it’s dealing with billions of potentially vulnerable devices and deaf ears that won’t listen to the voice of reason.

And here we are, almost on the brink of IoT devices outnumbering humans, and already devices of our own making are being used to deny us access to our most vital services and needs.

Friday’s spate of IoT-powered DDoS attacks should serve as a wake-up call, not only for IoT manufacturers, adopters and consumers, but for everyone. Many of the people who were affected by the attacks didn’t even know what IoT is.

So whether you care about IoT or not, it’s in your interest to see it secured.

And as much as I love IoT, I’m sad to see the industry destroying itself.

So what’s the solution? I like the thoughts shared by Bruce Schneier in this Vice Motherboard article, and I’d like to build on those to raise the following points, very concisely:

  • Manufacturers should make security an inherent part of their development cycle. Security shouldn’t come as an afterthought but as an integral part of building any IoT or other connected device. And I’ve said this a million times.
  • Consumers should take their own security more seriously. Our lives are becoming more connected than before. Internet services and resources are more vital to our daily tasks than any other time in history. So we should be more vigilant about the integrity of the devices that are being connected to the internet and hold their manufacturers to account for the security shortcomings. (Security developer Edward Robles has shared some interesting thoughts on how we should change our mindsets toward security in this guest post.)
  • Governments must play a more active role in regulating and controlling IoT security. Standards must be set to make sure every single device that is shipped to the market and connected to the internet complies with a set of security standards and punish organizations that do not abide by the rules.

Of course, no single government can control the security of all the devices being connected to the internet. I’m thinking about a solution based on blockchain technology that will create a global answer to vetting IoT devices for security. I’ll write about it in the future.

What’s urgent is to have a concerted and unified effort to fix the messy state of IoT security. Today, we’re dealing with DDoS attack. Tomorrow, it could be something worse.

There’s no putting the genie back in the bottle. For better or for worse, IoT will transform our future. Let’s work together to make sure it’s going to be the former and not the latter.

How do you think we should deal with IoT security problems? Share in the comments section.

Read more…

The IoT has a big security problem. We've discussed it here, here and here. Adding to these woes is a new report on the Top 10 Internet of Radios Vulnerabilities. Yes, radios...because IoT is so much more than data, networking, software, analytics devices, platforms, etc. When you're not hardwired, radio is the only thing keeping you connected. The findings come from Bastille who, like many vendors, has a clear commercial, self-serving interest in the findings, but nonetheless, the study is interesting given the fact that the largest DDoS attack ever was executed using "dumb" connected devices. Bastille defines the Internet of Radios as the combination of mobile, wireless, bring your own device (BYOD), and Internet of Things (IoT) devices operating within the radio frequency (RF) spectrum.

The vulnerabilities are:  

  1. Rogue Cell Towers (‘Stingrays’, ‘IMSI Catchers’)
  2. Rogue Wi-Fi HotSpots
  3. Bluetooth Data Exfiltration (tethering)
  4. Eavesdropping/Surveillance Devices (e.g. conference room bugs)
  5. Vulnerable Wireless Peripherals (mice/keyboard)
  6. Unapproved Cellular Device Presence
  7. Unapproved Wireless Cameras
  8. Vulnerable Wireless Building Controls
  9. Unapproved IoT Emitters
  10. Vulnerable Building Alarm Systems

In addition to the Top 10 list, Bastille has released results of the “Bastille Internet of Radios Security Poll.” Nearly 300 global professionals took part in the poll, offering a snapshot into enterprise awareness and preparedness of Internet of Radios threats in the workplace. The poll was conducted July 26–August 3, 2016 and was comprised of visitors to the Bastille, KeySniffer and MouseJack websites. The majority of respondents (69%) reported they were employed in the IT and cybersecurity industries. Key takeaways:

  • 78% of respondents believe the threat from the Internet of Radios will increase in the next 12 months.
  • 50% of respondents believe IoT devices are already impacting security.
  • 51% of respondents say their companies have adopted a BYOD policy, but only 24% say the policy is strictly enforced.
  • 42% of respondents say their organization has not implemented a BYOD policy at all.
  • 47% of respondents say their organization is not currently using a Mobile Device Management (MDM) system, compared to 41% that already have one in place.

 Photo Credit: Sergio Sena 

Read more…

For IoT and M2M device security assurance, it's critical to introduce automated software development tools into the development lifecycle. Although the role of software tools in quality assurance is already important, it becomes even more so when security becomes part of a new or existing product's requirements.

Automated Software Development Tools

There are three broad categories of automated software development tools that are important for improving quality and security in embedded IoT products:

  • Application lifecycle management (ALM): Although not specific to security, these tools cover requirements analysis, design, coding, testing and integration, configuration management, and many other aspects of software development. However, with a security-first embedded development approach, these tools can help automate security engineering as well. For example, requirements analysis tools (in conjunction with vulnerability management tools) can ensure that security requirements and known vulnerabilities are tracked throughout the lifecycle.  Design automation tools can incorporate secure design patterns and then generate code that avoids known security flaws (e.g. avoiding buffer overflows or checking input data for errors). Configuration management tools can insist on code inspection or static analysis reports before checking in code. Test automation tools can be used to test for "abuse" cases against the system. In general, there is a role for ALM tools in the secure development just as there is for the entire project.
  • Dynamic Application Security Testing (DAST): Dynamic testing tools all require program execution in order to generate useful results. Examples include unit testing tools, test coverage, memory analyzers, and penetration test tools. Test automation tools are important for reducing the testing load on the development team and, more importantly, detecting vulnerabilities that manual testing may miss.
  • Static Application Security Testing (SAST): Static analysis tools work by analyzing source code, bytecode (e.g., compiled Java), and binary executable code. No code is executed in static analysis; rather, the analysis is done by reasoning about the potential behavior of the code. Static analysis is relatively efficient at analyzing a codebase compared to dynamic tools. Static analysis tools also analyze code paths that are untested by other methods and can trace execution and data paths through the code. Static analysis can be incorporated early during the development phase for analyzing existing, legacy, and third-party source and binaries before incorporating them into your product. As new source is added, incremental analysis can be used in conjunction with configuration management to ensure quality and security throughout.


Figure 1: The application of various tool classes in the context of the software development lifecycle.

Although adopting any class of tools helps productivity, security, and quality, using a combination of these is recommended. No single class of tools is the silver bullet[1]. The best approach is one that automates the use of a combination of tools from all categories, and that is based on a risk-based rationale for achieving high security within budget.

The role of static analysis tools in a security-first approach

Static analysis tools provide critical support in the coding and integration phases of development. Ensuring continuous code quality, both in the development and maintenance phases, greatly reduces the costs and risks of security and quality issues in software. In particular, it provides some of the following benefits:

  • Continuous source code quality and security assurance: Static analysis is often applied initially to a large codebase as part of its initial integration as discussed below. However, where it really shines is after an initial code quality and security baseline is established. As each new code block is written (file or function), it can be scanned by the static analysis tools, and developers can deal with the errors and warnings quickly and efficiently before checking code into the build system. Detecting errors and vulnerabilities (and maintaining secure coding standards, discussed below) in the source at the source (developers themselves) yields the biggest impact from the tools.
  • Tainted data detection and analysis: Analysis of the data flows from sources (i.e. interfaces) to sinks (where data gets used in a program) is critical in detecting potential vulnerabilities from tainted data. Any input, whether from a user interface or network connection, if used unchecked, is a potential security vulnerability.  Many attacks are mounted by feeding specially-crafted data into inputs, designed to subvert the behavior of the target system. Unless data is verified to be acceptable both in length and content, it can be used to trigger error conditions or worse. Code injection and data leakage are possible outcomes of these attacks, which can have serious consequences.
  • Third-party code assessment: Most projects are not greenfield development and require the use of existing code within a company or from a third party. Performing testing and dynamic analysis on a large existing codebase is hugely time consuming and may exceed the limits on the budget and schedule. Static analysis is particularly suited to analyzing large code bases and providing meaningful errors and warnings that indicate both security and quality issues. GrammaTech CodeSonar binary analysis can analyze binary-only libraries and provide similar reports as source analysis when source is not available. In addition, CodeSonar binary analysis can work in a mixed source and binary mode to detect errors in the usage of external binary libraries from the source code. 
  • Secure coding standard enforcement: Static analysis tools analyze source syntax and can be used to enforce coding standards. Various code security guidelines are available such as SEI CERT C [2] and Microsoft's Secure Coding Guidelines [3]. Coding standards are good practice because they prevent risky code from becoming future vulnerabilities. As mentioned above, integrating these checks into the build and configuration management system improves the quality and security of code in the product.
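As an added illustration of the tainted-data path described above (example code written for this page, not GrammaTech's or any analyzer's own), here is a constructed message parser in its unchecked form, where the declared length flows unvalidated from the input source into a memcpy sink, beside a hardened form that verifies both length and content before the copy. The wire format, the field size and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* capacity of the device-name field (assumed) */

enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_SHORT = -1,      /* fewer bytes received than the header needs */
    PARSE_ERR_TRUNCATED = -2,  /* declared length exceeds the bytes received */
    PARSE_ERR_TOO_LONG = -3,   /* declared length exceeds the field capacity */
    PARSE_ERR_CONTENT = -4     /* payload holds bytes outside printable ASCII */
};

/* Constructed wire format shared by both parsers (an assumption, not a
 * real protocol):
 *   byte 0: message type, byte 1: declared payload length, bytes 2..: payload */

/* BEFORE: the declared length is tainted (it comes from the peer) and reaches
 * the memcpy sink with no check against either the buffer capacity or the
 * number of bytes actually received. This is the source-to-sink path that a
 * taint analysis reports. Kept here only for comparison with the checked form. */
void parse_name_unchecked(const uint8_t *msg, char out[NAME_MAX + 1])
{
    uint8_t len = msg[1];        /* source: peer-controlled length */
    memcpy(out, msg + 2, len);   /* sink: copy sized by the tainted value */
    out[len] = '\0';
}

/* AFTER: the input is verified for length and content before the sink,
 * so no tainted value reaches memcpy unbounded. */
enum parse_result parse_name_checked(const uint8_t *msg, size_t received,
                                     char out[NAME_MAX + 1])
{
    if (received < 2)                       /* header must be complete */
        return PARSE_ERR_SHORT;
    size_t len = msg[1];
    if (len > received - 2)                 /* length bounded by bytes received */
        return PARSE_ERR_TRUNCATED;
    if (len > NAME_MAX)                     /* length bounded by buffer capacity */
        return PARSE_ERR_TOO_LONG;
    for (size_t i = 0; i < len; i++) {      /* content restricted to printable ASCII */
        uint8_t c = msg[2 + i];
        if (c < 0x20 || c > 0x7e)
            return PARSE_ERR_CONTENT;
    }
    memcpy(out, msg + 2, len);              /* sink reached only with a checked len */
    out[len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed frames: a well-formed name, and one whose declared length
     * (255) far exceeds the single payload byte actually sent. */
    const uint8_t good[] = {0x01, 0x05, 'p', 'u', 'm', 'p', '7'};
    const uint8_t lie[]  = {0x01, 0xff, 'a'};
    char out[NAME_MAX + 1];

    printf("good -> %d (%s)\n", parse_name_checked(good, sizeof good, out), out);
    printf("lie  -> %d\n", parse_name_checked(lie, sizeof lie, out));
    return 0;
}
```

The checked parser rejects the second frame with PARSE_ERR_TRUNCATED, whereas the unchecked one would copy 255 bytes into a 17-byte buffer.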

As part of a complete tools suite, static analysis provides key capabilities that other tools cannot. The payback for adopting static analysis is the early detection of errors and vulnerabilities that traditional testing tools may miss. This helps ensure a high level of quality and security on an on-going basis.

Conclusion

Machine to machine and IoT device manufacturers incorporating a security-first design philosophy with formal threat assessments, leveraging automated tools, produce devices better secured against the accelerating threats on the Internet. Modifying an existing successful software development process to include security at the early stages of product development is key. Smart use of automated tools to develop new code and analyze existing and third-party code allows development teams to meet strict budget and schedule constraints. Static analysis of both source and binaries plays a key role in a security-first development toolset.

References

  1. No Silver Bullet – Essence and Accident in Software Engineering, Fred Brooks, 1986
  2. SEI CERT C Coding Standard,
  3. Outsource Code Development Driving Automated Test Tool Market, VDC Research, IoT & Embedded Blog, October 22, 2013

 

Read more…

Originally Posted by: Shawn Wasserman

Shodan search results show that over half a million devices use the 10-year-old OpenSSH 4.3 software. This puts all these devices at risk.


One doesn’t have to look too far to realize how vulnerable the Internet of Things (IoT) can be. It just takes a quick search on IoT search engines like BullGuard and Shodan.io.

During a presentation at PTC LiveWorx 2016, Rob Black, senior director of product management at PTC, outlined how black hat hackers could get into over half a million connected devices using an old software known as OpenSSH 4.3.

OpenSSH is an implementation of the secure shell (SSH) protocol used to allow users access to networks from a remote location. It’s harmless, even useful, if used by the right user in a controlled way.

Unfortunately, a popular version of the software, OpenSSH 4.3, has been out for about a decade. As a result, it has accumulated a laundry list of known vulnerabilities that hackers can use to gain access to systems.

According to the Shodan IoT device search engine, over half a million devices on the ‘net still use this outdated software.

“Half a million devices are on the open Internet with 10-year-old software that allows you to tunnel inside to their network. Who thinks that’s good?” Black rhetorically questioned. “This is one example. One search. One software. One version of a software. There are millions of exposed resources on the Internet.”

The scary thing is that Black explained that some search results will bring up IoT devices associated with power plants and wind tunnels. According to AdaptiveMobile, a mobile network security company, up to 80 percent of connected devices on the IoT do not have the security measures they need to protect us. Once you find a device on Shodan, you can see many characteristics on that device which will help hackers get into it.

These attacks can even prove deadly depending on the IoT application. Take an integrated clinical environment (ICE) like an IoT-enabled hospital. Without proper security, many types of attacks have the potential to risk lives. According to a report published by the Industrial Internet Consortium, these attacks fall into five categories.

 

Five IoT hacking attacks that can risk lives. Examples from an integrated clinical environment (ICE). (Table from the Industrial Internet Consortium.)

Engineers are designing these IoT devices, sensors and edge points. To ensure that hackers are kept at bay, these engineers need to understand and learn from their software engineer and IT cousins.

“From a design point of view, engineers need to learn about hacking security. You need security at the edge point to make an intelligent analytic device,” said Michael Wendenburg, CEO at Michael Wendenburg Online Redaktion. “If you hack into that point, you hack into all this data. Engineers are not prepared for that.”

Black agreed, saying, “It’s our role as practitioners of IoT to really manage those devices that we have in a smart way.”

How Do IoT and Cloud Security Differ?

Black explained that unlike in cloud security, humans may not be in the loop when it comes to IoT security. It’s not feasible for millions of users to be there to hit “Okay” to update software in billions of devices.


An engineer might think that as long as the cloud system utilized by the IoT device is secure, then all is well. However, there are differences between an IoT system and a cloud system.

Black explained that on the cloud, users and applications are both managed. There are security tools and permissions put into place. On the operations side, servers will be secured and ports will be closed and audited. This takes a lot of testing, but it’s been done before. IoT security, on the other hand, adds complexity.

“Cloud security has been around for a long time and there are lots of good strong practices and management around cloud applications. For IoT, the key difference is we connect things,” clarified Black. “A lot of the challenge is the number of devices to manage and the differences between these devices.”

“There are a bunch of new issues out there like rogue sensors and rogue data sources,” said Andy Rhodes, division head of IoT at Dell. “If you’re orchestrating a turbine or a dam and someone hacks into that and changes the settings, then there are catastrophic issues.”

Here are some other key differences between cloud and IoT applications:

  • IoT has a stronger potential for damage as water mains can be shut off, power plants can become critical and cars made unresponsive on the road.
  • IoT has a diverse number of devices, operating systems and protocols making it hard to consolidate and standardize as companies grow and products change.
  • Human interaction with all the devices is not scalable. For instance, humans may not be there to hit “Okay” for an update.

The key is to work together. Engineers and IT professionals need to demolish their silos and learn from one another to make the IoT ecosystem secure. However, just because the IT crew has the ecosystem covered on the cloud doesn’t mean the devices and sensors are secure.

“IT [Information Technology] knows how to do security and a lot of this is still traditional IT security working alongside the OT [Operations Technology] people to understand how to secure the sensors as well,” described Rhodes. “You need [security on the device] and network security on the IT side because data flows two ways so you have to secure both ends of that spectrum.”

How to Manage Your Connected Device

Black demonstrating an IoT security architecture.


With current IoT trends, if your device isn’t connected to the Internet, it soon will be. Otherwise, it will not keep up with the 30 billion other connected devices Gartner expects to see in the market by 2020.

So the question may not be whether to get into the IoT market given all the security risks. It should be a question of how to manage connected devices with all these security risks.

Black demonstrated what a simple IoT architecture might look like. It includes devices within a firewall, wireless devices outside the firewall, and both sets of devices connecting into the IoT platform. All of this then feeds an application that uses the data from the devices to perform a function. All of these systems, applications and development tools used to make the system must be made secure.

The issue is that because all of these different systems are under the control of various organizations on the vendor, customer and public levels, it can be confusing to establish who is really responsible for all of this IoT security.

“I argue that for IoT we have a shared security responsibility,” noted Black. “This is not a one-entity responsibility. It is shared between the providers of the infrastructure, service, platform, application and the end customers.”

Importance of User Roles on IoT Security

Given all of the organizations and users that might be associated with one IoT system, defining roles for these organizations and users is of high importance.

Each user and organization will have different roles, which define their level of control over the IoT system. For instance, you don’t want to give your customers visibility into and control over all of the IoT devices in your ecosystem. Without roles governing the system, one customer could see information belonging to another, and a competitor could gain insights from it.

However, a maintenance team that services all the devices sent to customers will need to see which devices from each customer will be up for servicing.

The key takeaway is that as your IoT system grows, much of this role management should be automated; if a human remains in the role assignment loop, role management will not scale with the system.

“From a visibility and permission standpoint, what you really want are mechanisms to drive that behavior,” instructed Black. “When new devices are added, if you have a manual process, that is not going to scale when you [have] tens of thousands of devices. You are going to need a system that drives this behavior automatically. You just need to set the rules beforehand to ensure the users are put in the right groups.”
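
The rule-driven behaviour Black describes, worked through as an added example. This is illustrative code written for this page, not code from Black’s talk or from any platform mentioned here; the device fields, the two role names and the rule bodies are assumptions. The point it shows is that registering a device edits no user or group record, because visibility is derived from rules set beforehand and evaluated when a user queries the fleet.

```go
package main

import (
	"fmt"
	"sort"
)

// Device as registered in the IoT platform. The fields are assumptions for
// this example, not from the article.
type Device struct {
	ID         string
	Customer   string // tenant that bought the device
	ServiceDue bool   // set by telemetry when maintenance is required
}

// User of the platform. Customer is only meaningful for the "customer" role.
type User struct {
	Name     string
	Role     string
	Customer string
}

// Rule decides whether a user may see a device.
type Rule func(u User, d Device) bool

// The rules are written once, up front. No administrator approves devices.
var rules = map[string]Rule{
	// A customer sees only devices in their own tenant; other customers'
	// devices stay invisible, so no competitor gains insight from them.
	"customer": func(u User, d Device) bool { return d.Customer == u.Customer },
	// Maintenance sees devices from every tenant, but only those due for service.
	"maintenance": func(u User, d Device) bool { return d.ServiceDue },
}

// VisibleDevices evaluates the user's rule against the whole fleet and returns
// the matching device IDs, sorted so the output is deterministic.
func VisibleDevices(u User, fleet []Device) []string {
	rule, ok := rules[u.Role]
	if !ok {
		return nil // unknown role: deny by default
	}
	out := []string{}
	for _, d := range fleet {
		if rule(u, d) {
			out = append(out, d.ID)
		}
	}
	sort.Strings(out)
	return out
}

// AddDevice registers a newly provisioned device. Nothing else changes: users
// and groups are not edited, because visibility is derived at query time.
func AddDevice(fleet []Device, d Device) []Device {
	return append(fleet, d)
}

func main() {
	fleet := []Device{
		{ID: "pump-001", Customer: "acme", ServiceDue: false},
		{ID: "pump-002", Customer: "acme", ServiceDue: true},
		{ID: "valve-010", Customer: "globex", ServiceDue: true},
	}
	// Ten thousand of these calls need no human in the loop.
	fleet = AddDevice(fleet, Device{ID: "valve-011", Customer: "globex"})

	alice := User{Name: "alice", Role: "customer", Customer: "acme"}
	tech := User{Name: "bob", Role: "maintenance"}
	fmt.Println(VisibleDevices(alice, fleet)) // [pump-001 pump-002]
	fmt.Println(VisibleDevices(tech, fleet))  // [pump-002 valve-010]
}
```

Unknown roles get nothing, which is the safe default when a new kind of user turns up before anyone has written a rule for it.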

Division of Systems is Key to a Secure IoT Ecosystem

The division of permissions shouldn’t just be between roles. It should also be between systems within the IoT device itself. Engineers must design some systems and subsystems to be independent and separate from all other systems. This will ensure that if a hacker compromises your device, they will not be able to take control of key systems.

After all, there is no reason for an entertainment system in a car to be linked to the steering, brakes and accelerator of a car. As the WIRED video below shows, though, this was the case with the Jeep Cherokee. As a result, hackers were able to mess with one reporter’s drive on the highway with hilarious outcomes—but the joke isn’t funny anymore if people actually get hurt.

“The way some of these systems are designed, if you have access to this you have access to multiple design elements in the car,” said Frank Antonysamy, head of engineering and manufacturing solutions at Cognizant. “The way we are dealing with this is to isolate as much as possible and then get the data.”

“When you look at it from a system design [perspective], in an automobile for example, there is still a fair amount of isolation written into the design,” said Antonysamy. “Because I have access to my control panel doesn’t mean I have access to the accelerator. That kind of design-based isolation is critical at least until we get a zero-vulnerability scenario.”

Eric van Gemeren, vice president of R&D at Flowserve, explained that the automobile industry and other IoT device creators can learn a lot from the process industry on the separation of systems within a design.

“In the process industry, it’s different from having a car that’s IoT-enabled and someone can hack into it,” said van Gemeren. “In the process industry, there are well-established IEC [International Electrotechnical Commission] and ISO [International Organization for Standardization] standards for safety and compliance. The control communication network is always separate and independent from the diagnostics and asset management network. It’s very clear that when you design that solution, there are certain features and functions that will never be available through wireless, in a discrete controlled domain, with entirely different protocols and with robust security on top of it.”

“A lot of the stuff we are talking about in the IoT space is all about gathering outbound asset information,” added van Gemeren. “You can’t send back control information or directions that can hijack the device.”

In other words, van Gemeren explained, if a safety system such as fire suppression sprinklers is installed in a process plant, it needs to be on an isolated system.

Do Your Devices Need to Talk to Other Devices?

Black explained the scenarios in which you need to use device-to-device

When people think about the IoT, many of them think of connected devices communicating with each other over the Internet.

Though there are situations when the data should be sent to the cloud, there are also situations where it is faster and more efficient for devices to talk to each other directly.

“You could go up to the cloud and negotiate up there and bring it back down but that is not using bandwidth efficiently and what happens if you lose network connectivity? Will your devices fail? Do you want them to be dependent on the network?” asked Black.

When connected devices need to talk directly, you need a way for the devices to authenticate each other mutually, as well as a method of authorizing each device to an appropriate level of interaction.

“It doesn’t make sense for one car to have the authorization to turn on the windshield wipers for another car,” joked Black.

The Importance of Provisioning and Approval of an IoT Device

This brings us to another key step in setting up a secure IoT system: ensuring your processes can set up provisioning and approval for device-to-device communication, data ownership, de-provisioning and more.

“Any process that runs off of administration approval will fail on an IoT scale,” remarked Black. As with the creation of roles, the human needs to be out of the loop. Black added, “You can’t design a process based on admin approval—it might work for a hundred devices but it won’t work on a large-scale system.”

Unfortunately, you can’t just let all devices interconnect without a provisioning and approval process either. Take the Superfish scandal, for example. The program was intended to provide advertisers with a way to show ads based on a user’s Internet searches.

This sounds innocuous enough until you realize that, at the time, every Lenovo laptop that shipped with the program carried the same self-signed certificate and key. This allowed man-in-the-middle attacks that could intercept the Internet communications of any Lenovo laptop with Superfish still installed.

“Ensuring trust when you’re bootstrapping a device is challenging; even big laptop manufacturers can make mistakes,” said Black. “We need to think through some of those processes to see how we get secrets onto a device. You need a well-defined mechanism for establishing trust on your device.”

One method Black suggested for getting devices onto your IoT system with secure provisioning and approval is to use your enterprise resource planning (ERP) system. If the ERP system is connected to the IoT system, the provisioning and approval process will already expect to see the device. Not only would this be secure, it can also be made scalable, as there is no need for a human in the loop.

The Importance of De-Provisioning When You Re-Sell a Connected Device

Black explained the importance of factory resets and de-provisioning when selling used devices.

There is a lot of confidential information that can be stored on a connected device. Therefore, if users aren’t careful, they could be giving a hacker everything they need to get into the system when re-selling these devices.

The average user would know enough to delete their personal and business data from the device, but there still might be information on the re-sold device that can open doors to hackers.

For instance, the device might store the digital keys used to encrypt the data you were sending to and receiving from the Internet. If you sell that equipment without changing those keys, whoever you sold it to could decrypt all of the data you sent and received while operating the device. If that buyer had intercepted your traffic knowing you were about to sell the equipment, they would now have a lot of information on your personal or business operations.

As a result, engineers should design easy-to-use de-provisioning procedures for the users of their devices.
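
The device lifecycle the last two sections describe (admission against what the ERP expects, a secret that no other unit shares, and revocation when a unit is resold), as one added example. It is illustrative code for this page, not Black’s or any vendor’s implementation; the manifest of serial numbers is constructed, and the per-device credential is simply a random 256-bit token, which stands in for whatever secret a real platform hands to a device.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the set of serial numbers the ERP system reports as shipped.
// Constructed here; in production it would be synchronised from the ERP.
type Manifest map[string]bool

// Record is the platform's view of one device.
type Record struct {
	Serial     string
	Owner      string
	Credential string // unique per unit, unlike the shared Superfish certificate
	Active     bool
}

// Registry admits, revokes and authorizes devices with no admin in the loop.
type Registry struct {
	manifest Manifest
	devices  map[string]*Record
	issued   map[string][]string // serial -> every credential ever issued
}

var (
	ErrNotExpected = errors.New("serial not in ERP manifest")
	ErrActive      = errors.New("serial already provisioned and active")
	ErrNotActive   = errors.New("serial not currently provisioned")
)

func NewRegistry(m Manifest) *Registry {
	return &Registry{manifest: m, devices: map[string]*Record{}, issued: map[string][]string{}}
}

// newCredential draws a fresh 256-bit secret for one device.
func newCredential() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Provision admits a device automatically if the ERP expected it and it is
// not already active, and hands it a credential no other unit shares.
func (r *Registry) Provision(serial, owner string) (Record, error) {
	if !r.manifest[serial] {
		return Record{}, ErrNotExpected
	}
	if rec, ok := r.devices[serial]; ok && rec.Active {
		return Record{}, ErrActive
	}
	cred, err := newCredential()
	if err != nil {
		return Record{}, err
	}
	rec := &Record{Serial: serial, Owner: owner, Credential: cred, Active: true}
	r.devices[serial] = rec
	r.issued[serial] = append(r.issued[serial], cred)
	return *rec, nil
}

// Deprovision is the server half of a factory reset: the credential is
// revoked, so whoever buys the unit cannot act as the previous owner.
func (r *Registry) Deprovision(serial string) error {
	rec, ok := r.devices[serial]
	if !ok || !rec.Active {
		return ErrNotActive
	}
	rec.Active = false
	rec.Credential = ""
	return nil
}

// Authorize accepts only the currently active credential for a serial.
func (r *Registry) Authorize(serial, cred string) bool {
	rec, ok := r.devices[serial]
	return ok && rec.Active && cred != "" && rec.Credential == cred
}

// AllUnique reports whether every credential ever issued is distinct across
// the fleet; one shared secret anywhere would be a Superfish-style flaw.
func (r *Registry) AllUnique() bool {
	seen := map[string]bool{}
	for _, creds := range r.issued {
		for _, c := range creds {
			if seen[c] {
				return false
			}
			seen[c] = true
		}
	}
	return true
}

func main() {
	reg := NewRegistry(Manifest{"SN-1001": true, "SN-1002": true})
	first, _ := reg.Provision("SN-1001", "acme")
	_ = reg.Deprovision("SN-1001") // the unit is resold
	second, _ := reg.Provision("SN-1001", "globex")
	fmt.Println(reg.Authorize("SN-1001", first.Credential))  // false
	fmt.Println(reg.Authorize("SN-1001", second.Credential)) // true
	fmt.Println(reg.AllUnique())                             // true
}
```

The device-side half of the reset (wiping the stored credential and any cached data) is not shown; what matters on the server is that the old secret stops working the moment the unit changes hands, whether or not the previous owner remembered to wipe it.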

Whose Data Is It Anyway? Where the Contract’s Made Up and Protection Should Matter.

Black asked the question: Whose data is it anyway?

One point of contention for the development of IoT security is the question of who owns the data.

Is it the device manufacturer, systems operator, device operator or the maintenance operator?

Will the answer be dependent on the IoT device application?

These questions need answers if robust security measures are to be put into place. Otherwise, the right information might end up in the wrong hands.

“We’ve seen a range of responses about data ownership and a lot revolves around privacy,” said Colm Pendergast, director of IoT technology at Analog Devices. “To a large extent, it will come down to negotiations between various partners in an ecosystem.”

“[Who owns the data] is a question that is always on the table,” said Chris May, account executive at ARIDEA SOLUTIONS. “It depends on the type of data being acquired. If it’s general weather data, then people are not very concerned. The weather is the weather… When you get to environmental data, it’s a completely different story. They are very protective of that data. [What] If the wrong person gets that data and they don’t understand how to interpret it? [What] if they can’t understand it’s a sensor being recalibrated and they think a watershed was contaminated? It would be massive lawsuits.”

It appears that though 54 percent of surveyed consumers might be comfortable sharing their data with companies, the reverse is not always true.

Alternatively, Black used an example of a medical device company. If the company is sold, then it makes sense for whoever buys the company to also own the data. After all, it will, in theory, be using said data to service the same clients. It isn’t in the client’s interest for the data to start at point zero.

However, does the answer of selling data ownership change with the scenario? What if, instead of a company being sold, it’s a house? Who owns all the data of the smart home—the previous tenants or the incoming tenants? It might be useful for the new tenants to know the power usage history of the house so they can budget their expenses, but do you want strangers to have data like that?

“When you think about how many different entities are involved with an IoT implementation, there are a lot of them,” said Black. “Some of them probably have rights to some of that data and some it’s probably better if they don’t have it.”

Before security walls are put up for an IoT device, these questions must be answered. Otherwise, an owner of the data might be cut off from their property. This can lead to some serious legal ramifications. On the other hand, not understanding where the line in the sand is for data can also open up security risks.

“If there was one single challenge that people are concerned about and that has slowed IoT deployments, it is the question of security and integrating security solutions all over that technology stack. It is one of the bigger challenges,” said Pendergast.

However, one solution to the IoT data question may not lie with the engineers, programmers or designers. It might lie in the hands of public relations, educating the public about IoT security and about what data is and isn’t being collected.

“We deal with the medical device market and we constantly face the issue that we can’t send patient data—and we are a cloud-based platform, so that is a challenge,” said Puneet Pandit, CEO of Glassbeam. “We are not taking the patient data; we are taking the operation data. I think that is a constant question. There is a lot of education that has to be done in the industry to clarify what IoT data means at the end of the day. People have created security barriers for all the right reasons, but in the context of IoT you are taking machine and operational data and that isn’t something that is included on data privacy.”

Reducing IoT Attack Surfaces: Do You Need Access to the Open Web?

Shodan is only able to show the IoT devices that are on the open web. The number, as well as types, of devices that it can find is certainly scary.

“[Security is] still the top-two or -three concern of customers when you read surveys and speak to them,” said Rhodes. “What you’ve basically done is you’ve opened up a surface of attack either as a gateway or the things themselves.”

Does your device need to be on the open web? Do multiple surfaces of attack need to exist? The answer is no—not if engineers design the device to be the one to initiate communications.

“Different IoT solutions have the capability to perform device-initiated communication,” said Black. “That means that from a connection standpoint, if your device initiates communications, then that device is exclusively paired with one server on the cloud. That device is only going to communicate with that server.”

In other words, the device won’t be generally available on the Internet.

“It’s something to think about. Can I communicate with this device from every [access point] on the earth or is it tied to a single server? Because you are really reducing your attack surface with that kind of capability,” Black explained. “You reduce your attack surface so you are not worried about everything in the world. You are only connected to a very limited set of servers.”

If your device is reachable from any endpoint on the Internet, then any attacker anywhere could in theory send a command to it. If instead the device connects to only one server via device-initiated communication, only that server can send it commands. The assumption is that the server sits within your internal IT infrastructure and its security controls.

However, there is a downside to device-initiated connectivity. You have to rely on the device to connect to the system before you can push an update or collect data. In other words, you can lose contact with the device as soon as a customer changes firewall settings or the network is interrupted.

As a result, if engineers choose device-initiated connections for an IoT system, they need to inform the customer. The customer will need to confirm that their firewall and network connection are not interfering with the connection.

“We’ve seen a lot of software partners changing their architecture to support intermittent connectivity,” said Gerald Kleyn, director of engineering at Hewlett Packard Enterprise (HPE). “In some cases, if the weather gets bad and [satellite communication] goes down, then when it comes back up it starts releasing things that have been stored on the edge back up to the cloud.”
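
The device side of what Black and Kleyn describe, as an added example rather than code from either company: an agent that only ever dials out, to the one server it was paired with, and keeps telemetry on the edge while that link is down, releasing it in order when the link returns. The hostnames, record format and queue limit are constructed for the example, and the network is simulated; the policy is what matters.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotPaired is returned when anything other than the paired server is
// dialled; there is no code path for an inbound connection at all.
var ErrNotPaired = errors.New("refusing to dial: not the paired server")

// Agent is the device side. It only ever dials out, to exactly one server,
// and keeps telemetry locally while that link is down.
type Agent struct {
	Server    string   // the single endpoint this unit was paired with
	MaxQueue  int      // storage limit on the edge
	queue     []string // records waiting for the link
	online    bool
	delivered []string // what the (simulated) server has received, in order
	Dropped   int      // records lost because the queue filled during an outage
}

// NewAgent pairs the device with one server at provisioning time.
func NewAgent(server string, maxQueue int) *Agent {
	return &Agent{Server: server, MaxQueue: maxQueue}
}

// Connect is the only place the agent reaches the network. The host is
// compared with the paired server before anything else happens.
func (a *Agent) Connect(host string) error {
	if host != a.Server {
		return ErrNotPaired
	}
	a.online = true
	a.flush() // link is back: release what was stored on the edge
	return nil
}

// Disconnect models a firewall change or a satellite link dropping out.
func (a *Agent) Disconnect() { a.online = false }

// Report enqueues one telemetry record. If the link is up it is sent at once;
// otherwise it waits, and the oldest record is dropped when storage is full.
func (a *Agent) Report(rec string) {
	if len(a.queue) >= a.MaxQueue {
		a.queue = a.queue[1:]
		a.Dropped++
	}
	a.queue = append(a.queue, rec)
	if a.online {
		a.flush()
	}
}

// flush delivers queued records in their original order.
func (a *Agent) flush() {
	a.delivered = append(a.delivered, a.queue...)
	a.queue = nil
}

func (a *Agent) Pending() int        { return len(a.queue) }
func (a *Agent) Delivered() []string { return a.delivered }

func main() {
	ag := NewAgent("telemetry.example.net", 3) // placeholder hostname
	fmt.Println(ag.Connect("other-host.example.org")) // refusing to dial: not the paired server
	_ = ag.Connect("telemetry.example.net")
	ag.Report("t=1 temp=21.0")
	ag.Disconnect()
	ag.Report("t=2 temp=21.4")
	ag.Report("t=3 temp=21.9")
	_ = ag.Connect("telemetry.example.net")
	fmt.Println(ag.Pending(), ag.Delivered()) // 0 [t=1 temp=21.0 t=2 temp=21.4 t=3 temp=21.9]
}
```

The Dropped counter is the part worth reporting to the customer: it tells you how long an outage the edge storage can absorb before data is lost, which is exactly the conversation about firewalls and network interruptions the article says has to happen.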

What to Do When You Find a Vulnerability on Your Connected Device

The longer your device is in the real world, the more likely it is that a vulnerability will be found. As a result, engineers will need to design software update compatibility into their devices.

“You need a software distribution mechanism that will work for all of your devices that’s scalable, secure, flexible and efficient,” said Black. “It needs to be flexible because all your devices are different, so they need different processes and procedures.”

“You need to be able to say, if the install isn’t going right, that you need to hold back and notify your system. You need to be able to say, ‘do this for North America first, or Europe or everyone but that customer that doesn’t want updates,’” added Black. “Without a plan, you will be sad when the next Heartbleed comes out. You are going to have to patch. So what is the mechanism you are going to utilize?”
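
The staged, hold-back rollout Black describes, as an added example (illustrative code for this page, not a vendor’s update mechanism). Rings stand in for regions, an opt-out list for the customer who does not want updates, and a per-ring failure threshold for “if the install isn’t going right, hold back and notify”; the ring names, device IDs and threshold are constructed, and the install result is injected so the policy runs offline.

```go
package main

import "fmt"

// Ring is one stage of a rollout, for example a region. Names are placeholders.
type Ring struct {
	Name    string
	Devices []string
}

// Rollout carries the plan: ordered rings, customers who declined updates,
// and the failure rate beyond which the rollout halts and notifies.
type Rollout struct {
	Version     string
	Rings       []Ring
	OptOut      map[string]bool // customer -> declined updates
	MaxFailRate float64         // e.g. 0.2: halt if more than 20% of a ring fails

	Installed []string
	Failed    []string
	Skipped   []string
	Halted    bool
	Events    []string // audit trail; this is the "notify your system" hook
}

// NewRollout builds a plan with empty result slices.
func NewRollout(version string, rings []Ring, optOut map[string]bool, maxFail float64) *Rollout {
	return &Rollout{Version: version, Rings: rings, OptOut: optOut, MaxFailRate: maxFail}
}

// Run executes the plan ring by ring. install is the device-side result (true
// on success) and customerOf maps a device to its customer; both are injected
// so the policy is independent of transport and can be exercised offline.
func (r *Rollout) Run(install func(device string) bool, customerOf func(device string) string) {
	for _, ring := range r.Rings {
		attempted, failed := 0, 0
		for _, dev := range ring.Devices {
			if r.OptOut[customerOf(dev)] {
				r.Skipped = append(r.Skipped, dev) // honoured, never forced
				continue
			}
			attempted++
			if install(dev) {
				r.Installed = append(r.Installed, dev)
			} else {
				failed++
				r.Failed = append(r.Failed, dev)
			}
		}
		r.Events = append(r.Events, fmt.Sprintf("ring %s: %d ok, %d failed, %d skipped",
			ring.Name, attempted-failed, failed, len(ring.Devices)-attempted))
		// Hold back: a bad ring stops the rollout before the next region.
		if attempted > 0 && float64(failed)/float64(attempted) > r.MaxFailRate {
			r.Halted = true
			r.Events = append(r.Events, fmt.Sprintf("HALT %s after ring %s: notify operations", r.Version, ring.Name))
			return
		}
	}
	r.Events = append(r.Events, "rollout "+r.Version+" complete")
}

func main() {
	rings := []Ring{
		{Name: "north-america", Devices: []string{"na-1", "na-2", "na-3"}},
		{Name: "europe", Devices: []string{"eu-1", "eu-2"}},
	}
	customerOf := func(d string) string {
		if d == "eu-2" {
			return "holdout-corp" // constructed: this customer declined updates
		}
		return "default"
	}
	r := NewRollout("2.1.0", rings, map[string]bool{"holdout-corp": true}, 0.2)
	r.Run(func(d string) bool { return d != "na-2" }, customerOf) // one install fails
	for _, e := range r.Events {
		fmt.Println(e)
	}
	// ring north-america: 2 ok, 1 failed, 0 skipped
	// HALT 2.1.0 after ring north-america: notify operations
}
```

Whatever the real transport is, the three inputs (an ordered plan, a per-device result, and a customer lookup) are what the mechanism needs in order to be flexible in the sense Black means, and the Events slice is what an operator reads when the rollout stops.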

This all must seem very complicated, but many of these IoT security issues will be addressed when you choose the IoT platform used to run, manage and design the system. Black says that when choosing your IoT platform, keep these three main security challenges in mind:

  1. Managing the complex interactions between devices and users
  2. Patching security updates to your devices in an easy and secure fashion
  3. Reducing the risk by keeping cyber-attacks from finding your device

You can view the original post Here

Read more…

Why is the IoT Catnip to Hackers?

The latest developments in IoT security will protect the companies that use them from disastrous hacks

Rob Enderle writing in CIO Magazine May 20 about a new security certification for IOT products lauded the new offering and cited other measures that responsible IoT businesses must take to secure the future of their companies. His opinion piece couldn’t come at a better time.

Those of us watching the IoT “back door” swing open to hackers have been wondering how and when a product certification like this would become industry standard. Underwriters Laboratories’ Cybersecurity Assurance Program (CAP) just might work. But it’s only a start.

The three-level certification process, according to Enderle, will work fine as long as it’s subject to a “rigorous audit process.” However, he also agrees that using a remote network hub with security stopgaps in place (which is what most are doing now) won’t do a thing to protect wireless devices.

Where we are now, where we need to go

During the NXP/FTF Technology Forum 2016, a group of panelists was asked if the Internet of Things was secure yet. What do you think they answered? Yes, they said, no.

Here’s the rub—and the same thing that Enderle writes about: The connected devices in cars, homes, phones need to have specialty security hardware to stop many attacks. Another missing link, according to Global Business Development Manager Damon Kachur at Symantec, is the need to institute “a massive education process compelling security providers to educate consumers on how to operate their devices securely.”

Using cryptography, requiring several rounds of authentication per day, and manufacturers hiring hackers to break into their IoT devices before they put them on the assembly line—these were also solutions that Forum panelists came up with to secure the IoT.

Horror stories averted?

The stories with the highest profiles are those that see connected cars taken over and crashed; cell phones hijacked and set on fire; and that Target breach, when hackers stole credit cards from Target headquarters using the building’s HVAC systems to get in. What else do we need to do, besides work on certification processes and make sure that before we build the next IoT device, we’ve protected it from hackers?

It’s clear that businesses engaged in the IoT revolution need to make security “job one”. There are heartening signs that this indeed is the case. A recent Accenture paper on IOT security claimed that “businesses surveyed by the World Economic Forum identified cyber-attack vulnerabilities as their most important IoT concern.” And an article last month in Forbes reported that venture capitalists are now “following the money” to underwrite cybersecurity start-ups: “Boston-based Lux Research says investment in “cyberphysical” security startups rose 78% to $228 million in 2015, and will increase to $400 million this year. The report cites rapid adoption of IoT tech, with the potential threats it brings in the area of internet connectivity in cars, homes and factories.”

Businesses that are eager to make money on the IoT without being willing to spend the money to secure it will be increasingly prone to customer data breaches and other high-profile disasters that will close their doors, and slow the adoption of, and spending on, IoT devices for years to come. Smart companies need to invest in securing their latest game-changing IoT use case or product, or their customers and partners won’t want to invest in them.

Read more…
Smart homes are slowly but steadily becoming a reality. This concept, along with the Internet of Things, is supposed to bring us more convenience in everyday house tasks and life in general. But the opposite side of the coin is the risk this concept brings regarding our own security.
Read more…
Machine to Machine (M2M) and Internet of Things (IoT) realities mean that more and more devices are being deployed and connected to each other. This connectivity is both the promise of IoT (data gathering, intelligent control, analytics, etc.) and its Achilles’ heel. With ubiquitous connectivity comes security threats -- the reason security has received such a high profile in recent discussions of IoT.
Read more…

The Internet of Things is changing the world, heralded as one of the most pivotal technology trends of the modern era. We are getting ready to enter a time where everything, quite literally, is connected to the Internet.

For the industrial sector, this is a new area of exploration. Factories have smart infrastructures that use sensors to relay data about machine performance. Cities have smart grids that monitor everything from traffic to the energy used by streetlights. Hospitals can monitor the health of high-risk, at-home patients.

In other words, we are entering a hacker's dream world.

Recent attacks, like the Christmas 2015 attack on the Ukraine power grid, have shown that the Internet of Things possesses severe vulnerabilities. These weak points can be everything from back doors that allow a hacker access to a system to lack of proper use by untrained workers. If your business uses IoT devices, there’s a good chance they are not secure.

Why are so many systems left vulnerable? Weaknesses often come from the same set of five drivers:

[Figure: the five drivers behind IoT security weaknesses (image not available). Source: Allerin]

Whether your company is struggling because your devices were deployed too quickly or operational cost constraints got in the way, your team must take measures to fix security risks. Here are four security flaws:

1. Lack of Encryption

Any device that is connected to the Internet to relay data needs encryption. When communication between devices and facility machines is not encrypted, it provides a doorway for hackers to send malicious updates, steal data and even take control of the system.

In 2014, an Israeli security firm took control of cars using a specific connected telematics device that failed to use proper encryption.

2. Failing to Install Updates

Once you have a machine-to-machine communication system working properly, it can be easy to forget to install the updates needed to keep the network secure.

Yet, hackers are constantly updating their strategies and tactics. Failing to install updates and patches leaves your system vulnerable. 

Even if you’re worried about breaking integrations between systems, you should at the least install every security update released by the vendor. These updates are specifically designed to address vulnerabilities discovered in your devices. After all, if your vendor releases a security update, it’s because they found a problem.

You also should know that updates and patches are not always the final solution to security vulnerabilities. Unfortunately, many manufacturers are not able or willing to provide the necessary support to continue updating their devices. 

To avoid this risk, shop carefully for systems that provide updates and are backed by a trusted company.

3. Poorly Built Networks

The modern industrial network is designed to get tasks done. If the design focuses too much on completing that task, it will leave weak points in security. Things that are obvious when building IT networks are sometimes less obvious when creating industrial DNP3 and other network architectures.

The solution to this risk is fairly simple. Those tasked with building industrial networks need to ensure they are partnering with IT professionals to build networks that are safer from attacks. Security features, like deep packet inspection and network segmentation, should be in place from the beginning.

4. Sensors Outside of the Company's Control

Most of the sensors and other connected pieces that make up a network are controlled by the company. But for some companies, that is not the case. For example, power companies have sensors in their customers’ homes.

Sensors outside of the company's immediate control are hard to secure, which gives hackers access. Currently, cloud-based security using public key services to authenticate devices may be the best solution to this problem.
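
One shape the public-key device authentication mentioned above can take, as an added example (illustrative code for this page, not any vendor’s service): each sensor holds its own Ed25519 key pair, the cloud holds only the public halves, and a sensor proves its identity by signing a fresh single-use nonce. The challenge-response form, the device id and the key algorithm are assumptions; the article only says public keys are used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthServer is the cloud side: it holds each device's public key (recorded
// when the device was provisioned) and one outstanding challenge per device.
type AuthServer struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register records a device's public key. Only the public half ever leaves
// the device, so a leaked cloud record cannot be used to impersonate it.
func (s *AuthServer) Register(id string, pub ed25519.PublicKey) { s.keys[id] = pub }

// Challenge issues a fresh random nonce. It is single-use: Verify consumes it,
// so a captured signature cannot be replayed later.
func (s *AuthServer) Challenge(id string) ([]byte, error) {
	if _, ok := s.keys[id]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[id] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding challenge with the
// registered key. The challenge is discarded whether or not it verifies.
func (s *AuthServer) Verify(id string, sig []byte) bool {
	nonce, ok := s.challenges[id]
	delete(s.challenges, id)
	if !ok {
		return false
	}
	return ed25519.Verify(s.keys[id], nonce, sig)
}

// DeviceKey is the sensor side: a key pair generated on the unit itself,
// unique per unit, with the private half never exported.
type DeviceKey struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDeviceKey(id string) (*DeviceKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DeviceKey{ID: id, priv: priv}, nil
}

func (d *DeviceKey) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Answer signs the server's nonce; possession of priv is what proves identity.
func (d *DeviceKey) Answer(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Authenticate runs one complete exchange for device d claiming identity id.
func Authenticate(s *AuthServer, id string, d *DeviceKey) (bool, error) {
	nonce, err := s.Challenge(id)
	if err != nil {
		return false, err
	}
	return s.Verify(id, d.Answer(nonce)), nil
}

func main() {
	srv := NewAuthServer()
	meter, _ := NewDeviceKey("meter-42") // constructed device id
	srv.Register(meter.ID, meter.Public())
	ok, _ := Authenticate(srv, "meter-42", meter)
	fmt.Println(ok) // true
}
```

Because the cloud never holds a private key, a sensor in a customer’s home that is physically tampered with exposes only its own key, and revoking it is a matter of deleting one public key from the server.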

Don't Take The Risk

Industrial security breaches can cause devastating consequences. Therefore, the above risks need to be addressed.

As more industrial facilities rely on the Internet of Things, it's important for company teams to be aware of the potential vulnerabilities. Take security into full consideration.

Read more…

BYOD + IOT ≠ Security.

Last year, the number of smartphones in the world hit a new record. Out of the 4.55 billion cell phone users worldwide, 1.75 billion of those were using smartphones. Users are rapidly switching to smartphones as these devices become more affordable, and as 3G and 4G networks are introduced into key markets, allowing faster than ever data transfer rates. For businesses, this increasing smartphone penetration has significant implications. As more businesses adopt BYOD (Bring your own Device), IT security professionals and CIO leaders will need to address the issues of security that are introduced as business data is taken on the road, and exposed to external networks.

How Does BYOD Impact IT Security?

Data security consultants, and anyone involved in information technology or management, will need to be clear on the risks that are introduced with BYOD.

A company that allows BYOD is able to receive great benefits from doing so. Systems that allow for users to bring their own devices mean that staff are able to use devices that are familiar to them, which can reduce training time and increase efficiency. At the same time, businesses can save significant amounts of money on IT procurement, because users are bringing their own cell phones, tablets, and even laptops, from home.

There are even benefits to recruiting - new hires will be more comfortable with their own device and the option to bring it in, instead of having to juggle phones and computers.

Even with these key advantages, there are some problems to overcome. The biggest challenge with BYOD is security. A BYOD device would be almost worthless if it didn’t have sufficient access to a corporate network, so that a staff member can easily obtain the information and run the applications that they need to perform their jobs. This means opening up access to systems which would have previously been protected by closed networks accessed by in-house devices, with security enforced through strict and robust security policies.

Another challenge exists when employees leave a company. Because they take their devices with them, there needs to be a mechanism in place that prevents access from devices that are no longer associated with an authorized staff member. Compared to a model without BYOD, this adds another layer of security, and a number of process layers within the organizational structure of a business. Without addressing this type of situation, businesses would be putting themselves at significant risk.

Security Is Even More Important than Ever with IoT

The Internet of Things has been called the future of business, computing, and entertainment. Indeed, IoT covers all of these areas, whether you look at a smart TV, an internet capable MRI machine, or even the cloud services that deliver email, streaming video, or music, to devices that will work from anyplace where there is an internet connection.

IoT exists in complex industries, too. Consider a production line that utilizes networked sensors along the line, which then transmit data in real time between ordering systems, packing robots, and even dispatch centers, to coordinate logistics. Considering the data that is collected using IoT sensors, and then the possibilities there are to interface with this data by using BYOD devices, it becomes clear that a system utilizing IoT technologies and BYOD access policies, needs to be secured to the highest industry standards.

Security breaches could mean that an unauthorized party is able to gain access to production data or even sensitive manufacturing secrets, or that a previous employee is able to take data and learnings to a competitor, using their own device that was once legitimately authorized through BYOD policies.

Similar risks exist in any industry. If you are an IT data security consultant within a contact center business, you could be tasked with protecting CRM systems, billing information, payment gateways, and other critical systems. Sales reps, telephone agents, and remote staff could all be using BYOD devices to connect to a decentralized cloud solution. Ensuring that access control and other security measures are present, will be a core aspect of the solutions that you design and implement. The reality is that a single violation can expose your entire network, making it critical to hire the right people and solve for these problems internally and for your clients.

Who are The Big Players in IT Security Today?

You only need to look at the world’s largest information security consultancies to see that data security is a big business.

Deloitte, currently the biggest player in IT security, made over $2 billion in revenue from security consulting in 2014. Other leading companies are seeing similar growth, with all of the top five, including IBM and KPMG, seeing revenue growth in security consulting. All of the top five exceeded 5% growth between 2013 and 2014.

This means that not only is there a clear growing need for security consulting, but also that there will be an increased demand for IT security consultants who are experienced in the latest technologies, including cloud and IoT technologies. The demand has been partially spurred on by high profile data security breaches, especially those at government level.

Businesses and Professionals Should Prepare for a Growing Market

Not only do businesses need to assess and respond to their needs regarding BYOD, IT security, and overall risk management, but they will need to begin to seek the most qualified consultants to lead their security initiatives.

Likewise, qualified candidates entering the job market need to seek out the most promising opportunities, such as those with businesses where they will have the chance to demonstrate their expertise in new and emerging IT technologies.

Moving forward, the businesses and professionals who recognize the importance and opportunity within data security consultancy, will be the ones who benefit the most in the next five years, when both IoT and IT Security are expected to experience drastic market growth.

How are you hiring to fill the need? Let's talk and see how your BYOD security concerns can be solved with a single hire - IOT Security Officer.

Read more…