

security (43)

In 2016, the Industrial Internet Consortium gained agreement upon an understanding of the term “trustworthiness” and its effect on design and operation of an industrial system. At the core of that understanding was a definition of trustworthiness and the designation of five characteristics that define trustworthiness.

As defined by the IIC in its recently released Industrial Internet of Things Vocabulary v2.1 document: “Trustworthiness is the degree of confidence one has that the system performs as expected. Characteristics include safety, security, privacy, reliability and resilience in the face of environmental disturbances, human errors, system faults and attacks.”

Let’s take a deeper look at the 5 foundational characteristics at the core of trustworthiness:

  • Safety ensures that a system operates without causing unacceptable risk of physical injury or damage to the health of people. The risk to people may be direct, or indirect as the result of damage to property or to the environment.
  • Security protects a system from unintended or unauthorized access, change or destruction while Information Technology (IT) security ensures availability, integrity and confidentiality (AIC model) of data at rest, in motion or in use.
  • Reliability describes the ability of a system or component to perform its required functions under stated conditions for a specified period of time.
  • Resilience describes the ability of a system or component to prevent or at least reduce any serious impact of a disruption while maintaining an acceptable level of service.
  • Privacy protects the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.

Achieving trustworthiness in industrial IoT systems requires recognition that a complex IoT system is comprised of subsystems and the integral components of the subsystems. The trustworthiness of the overall system depends upon the trustworthiness of each of the subsystems and each of the components, how they are integrated, and how they interact with each other. Trustworthiness must be pervasive in IoT systems, which means there must be trustworthiness by design and a means to achieve assurance that the trustworthiness aspects have been addressed properly. Permeation of trust is the flow of trust within a system from its overall usage down to its smallest components and requires trustworthiness of all aspects of the system. Trustworthiness requires ongoing effort over time as systems and circumstances change.

As such, the IIC Trustworthiness Task Group, in close cooperation with the IIC Security Working Group, is tasked to frequently enhance and redefine the definition and role of trustworthiness in industrial systems as the IIoT continues to evolve. Ultimately, their goal is to move system designers from traditional safety thought processes into a new paradigm for system design that takes into consideration all 5 of the trustworthiness characteristics and their interactions within the system.

You can read more about trustworthiness and its relationship with industrial systems and the convergence of IT/OT in the Fall 2018 issue of IIC’s Journal of Innovation.

By Marcellus Buchheit, Co-founder of Wibu-Systems AG and President and CEO of Wibu-Systems USA

This blog originally appeared as a Wibu-Systems Blog

Read more…

Supply chain managers know better than anybody how many things can go wrong between point A and point B. Damage from mishandling and the elements, contamination, and product and IP theft are all very real threats. So how can you use technology to secure yourself against known and unknown threats in your industry? Just as importantly, how can you keep that technology sufficiently secure?

An ounce of prevention is worth a pound of cure — and IoT technologies for the supply chain boast a lot of potential cures. Luckily, with the right approach, you can have all the benefits and still minimize the risks.

What Kinds of Supply Chain Challenges Do IoT Technologies Cater To?

The most obvious advantage of bringing IoT technologies aboard is that you grant yourself true visibility of all your operations. You might justifiably feel a little intimidated at the prospect of newfound access to real-time data at a truly granular level. However, depending on the type of work you do, there are many IoT solutions that might add to your value and help you work more intelligently — without a crippling learning curve.

For example, some elements in your industrial IoT might be as large as pallet trucks and order pickers. Major companies are already deploying warehouse and supply chain equipment with self-driving functionality to achieve higher levels of vehicular safety and productivity throughout their operations.

Other times, bringing IoT to your supply chain provides far quieter, but equally impressive, results. The cost of RFID tags and near-field communication has been dropping reliably for years. What this means is that even large quantities of shipped products and components can receive per-unit identification through trackable, sensor-equipped tags. The right technology can feed you real-time information about the condition of your shipments and details about the environment in which your remote vehicles, personnel and teams are operating.

Of course, gathering all this information is one thing. Sifting through it and actually arriving at efficiency-boosting action items requires the right data analysis talent. In some cases, you'll need a reliable third party who can help you make sense of it with a dashboard or cloud business tool that's tailored to the work you do.

As you've probably been able to gather, the rest of the challenge centers on keeping all these devices — and the vital data they carry — safe from prying eyes. It also has to be accessible and useful to your team and partners.

The IoT Comes With Challenges of Its Own

With few exceptions, the major challenges that accompany a supply chain's integration of emerging IoT technologies fall along these lines:

  • Ensuring continued connectivity throughout networks with virtually no downtime
  • Safeguarding vital data, such as shipment locations, and making proprietary information, source code and other IP resistant to theft and tampering
  • Making sure new hardware and software integrates well with existing platforms and IT solutions

You won't be surprised to hear this, but a majority of IT specialists in the corporate world cite increasingly complicated networks as the source of most of their security concerns. Think about the complexity of the IoT — and all its satellite devices, beaming information to each other and to you. You'll start to get a sense of the challenge awaiting you when your facility or supply chain operation performs its own digital upfit.

Using the IoT to augment your abilities as a market leader and add transparency to your organization doesn't have to come at the expense of security-mindedness, however. In fact, in making strategic IoT purchases, you're very likely to find yourself better prepared than ever for some of the general and industry-specific compliance and quality standards you might be expected to uphold, such as HIPAA, PCI-DSS and Sarbanes-Oxley.

These probably sound like consumer-centric security regulations, and they are — but they exist to protect you and your partners, as well. They're a reminder that every piece of technology in an industry that touches human lives is an opportunity and a responsibility in equal measure.

Productivity and Security Work Hand-in-Hand

One of your first steps is to work with your partners to develop a holistic security solution for your newly connected supply chain. Anything you come up with needs to be consistent and as strong as the weakest link. Where are mistakes or security breaches most likely? In client-facing operations? In the last mile of delivery? Communication is paramount at this stage.

After that, it's a matter of gradually rolling out the hardware and software you're bringing into your operations. There will be a learning curve, after all, but ensuring buy-in from your managers and process specialists can go a long way.

Making conservative changes, one at a time, is also good for getting your team members acclimated to changes in their workflows and helping them iron out the kinks. Think about the waste you'd incur if the sensors you've deployed with your outgoing shipments aren't recovered and returned to your facility, for instance. Technology is filled with opportunities, but some of it also requires attention to detail. A deliberate approach ensures things progress smoothly.

Depending on the technologies you deploy, the granular, real-time data you gather from your logistics, sourcing, handling, shipping and returns departments can help you peer into the future and more accurately anticipate fluctuations in customer demand. You can also plan for changes in parts and material availability throughout your supply chain.

You get to think several steps ahead of the game and stay ahead of your competitors. Think about the benefits of getting ahead of something like the electronics components shortage currently gripping the market.

That level of planning ahead is useful for keeping your operation secure in many ways. One is anticipating where your products will be needed and planning ahead for potential roadblocks. Others include better preparedness and more complete contingencies for emergencies such as natural disasters, lost or stolen shipments, lost internet reception for connected devices, extended power outages and more.

In this way, technology is a bit like a snowball. As it solves one problem, it seems to elegantly solve other interrelated issues. As a consequence, if you play this right and work with the correct talent, you'll find yourself improving efficiency throughout your operations — even as you make them more resilient against outside forces and unforeseen interruptions.

Read more…

We don’t often compare technology to fables, but when it comes to the internet of things (IoT), the story of Pandora’s Box comes to mind. It’s a technology that has great potential, but where the weakness and possibilities lie is in its lack of basic security measures. We might even go as far as to say, what security? These are the concerns we’re thinking about at IT Security Central.

As a completely remote company, we’re taking measures to understand how the internet of things can impact our company data security. Hackers look to exploit technology vulnerabilities to access valuable information. Hacking an IoT connected fish tank, smart fridge - these aren’t far-fetched stories. These are stories that are happening now. 

The lack of secured IoT devices starts in the development phase. These devices are developed on a basic Linux operating system with default codes that buyers rarely change. When these devices are developed, security isn’t on the agenda; rather, developers are looking at human behaviors and outside threats, when they should be looking inwards.

An unsecured IoT device is the weak link in the connection. As one of the fundamental purposes of the technology is to provide connection and accessibility, this one weak link can bring down the entire network. And if your remote worker’s BYOD devices are in some way connected to that network, your company just became vulnerable.

Remote work, or ‘the gig economy’, is expected to increase in frequency. According to the Global Mobile Workforce Forecast Update, the number of employees working remotely is supposed to increase to 42.5% of the working population by 2022. At that time, the world is projected to see half of its population working outside the office either full-time or part-time.

Security vulnerabilities, remote workers and IoT - where is the connection? The scary thing is that remote workers are likely to already have IoT devices in their work environment, and most likely, they are not protected. These devices are mostly smart home devices that workers have acquired to make their daily lives easier. Common devices include Amazon Echo, Neo and GeniCan.

The first step in active prevention is to make your employees aware of the importance of data security and then aid them with the tools for success.

Best Practices for Protecting Your Network (from Remote Workers)

With the wealth of internet-based security technologies, the idea of protecting your network with in-house servers and the traditional firewall is (well) old school. With cloud-based companies, you can now access and protect data in easy step-by-step processes, and the best news, most of these companies do the data management for you.

One of the most progressive approaches to remote worker security would be to adopt a monitoring service to collect data and actively look for anomalies in the network. Through data collection and analysis, monitoring software creates a user profile of normal, everyday behavior. The administrator can set ‘alerts’ for when certain data repositories and files are accessed, or when sensitive data is moved. The longer a data breach goes undetected, the larger the financial implication for the company. Requiring remote workers to download and use remote monitoring software is one of the highest levels of protection against data loss.

But if monitoring isn’t on your agenda, these are a few basic tactics that employers can encourage remote workers to undertake.

Permissions Management

Though the workers are remote, administration can set limits to data access. This process starts by undergoing a thorough analysis and understanding of each position. It’s important to understand who needs access to what information, and who doesn’t need access to information. Once this is understood, administrators can restrict information, and they can also set ‘alerts’ when information is accessed without prior approval.

Home Network Policy

Once employees leave the brick & mortar walls, the manager has little visibility into where and on what internet network they’re accessing information. But don’t fret, this freedom and flexibility is part of what makes remote work appealing. Where privacy might be a factor, we don’t suggest going as far as asking remote workers to eliminate IoT devices on their network. Rather, we encourage you to create a policy that specifically states the security requirements that the IoT must have in order for the work network to be accessed. By educating your employees, you can save them from data loss heartbreak.

Encryption

Encryption, encryption, encryption. You’ve heard the importance of encryption. For remote workers, the company can never be too safe, so they should go the extra mile and set remote workers up on an encrypted network. A VPN ensures all connections and communications are encrypted when the network is accessed. Don’t worry about IoT connectivity in their home, or when remote employees connect to an unsecured public wi-fi connection. A VPN provides the next level of security through encryption, and a hacker won’t be able to access communication or data without alerting administrators to a potential breach. 

IoT devices are already integrating into our at-home lives, and when remote workers access their at-home networks, suddenly the topics collide. As more workers go remote, it’s important to look inwards towards security to see how everyday IoT devices impact company data. Take the time to ensure that remote workers are protecting the network effectively.

Guest post by Isaac Kohen. Isaac Kohen is the founder and CEO of Teramind (https://www.teramind.co/), an employee monitoring and insider threat prevention platform that detects, records, and prevents malicious user behavior in addition to helping teams to drive productivity and efficiency. Isaac can be reached at [email protected]. Connect with Isaac on social media: LinkedIn, IT Security Central and Twitter @TeramindCo.

 

 

Read more…

Quantifying IoT Insecurity Costs

Ever wonder what the real cost of IoT insecurity is?

Well, researchers at the University of California, Berkeley, School of Information recently published a report that attempts to lay out the costs to consumers in the context of DDoS attacks. The report focuses on exploiting vulnerable devices for their computing power and ability to use their network’s bandwidth for cyberattacks—specifically DDoS attacks on Internet domains and servers.

Researchers infected several consumer IoT devices with the Mirai malware and measured how the devices used electricity and bandwidth resources in non-infected and infected states. Their hypothesis: compromised IoT devices participating in a DDoS attack will use more resources (energy and bandwidth) and degrade the performance of a user’s network more than uninfected devices in normal daily operation.

Based on energy and bandwidth consumption, they developed a calculator to estimate the costs incurred by consumers when their devices are used in DDoS attacks. Two recent and well-publicized attacks, and one hypothetical, were calculated:

  • Krebs On Security Attack: According to their cost calculator, the total electricity and bandwidth consumption costs borne by consumers in this attack was $323,973.75.

  • Dyn, Inc. Attack: They calculate the total cost borne by consumers as $115,307.91.

  • "Worst-Case" Attack: This hypothetical “Worst-Case” scenario approximates the costs that could result if the Mirai botnet operated at its peak power using a UDP DDoS attack. The projected cost to consumers of this attack is $68,146,558.13.

Commenting on the study, Bob Noel, Director of Strategic Relationships and Marketing for Plixer said, “Organizations with enslaved IoT devices on their network do not experience a high enough direct cost ($13.50 per device) to force them to worry about this problem. Where awareness and concern may gain traction is through class action lawsuits filed by DDoS victims. DDoS victims can suffer financial losses running into the millions of dollars, and legal action taken against corporations that took part in the distributed attack could be a mechanism to recuperate losses. Companies can reduce their risk of participating in DDoS attacks in a number of ways. They must stop deploying IoT as trusted devices, with unfettered access. IoT devices are purpose-built with a very narrow set of communication patterns. Organizations should take advantage of this and operate under a least privilege approach. Network traffic analytics should be used to baseline normal IoT device behavior and alarm on a single packet of data that deviates. In this manner it is easy to identify when an IoT device is participating as a botnet zombie, and organizations can remediate the problem and eliminate their risk of being sued.”
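The baselining approach described in the quote above, sketched as an added example that is not part of the original article or the Berkeley report: it learns each device's narrow set of communication patterns from a known-clean window and alerts on the first flow outside it. The CSV flow format, device names and addresses are constructed for illustration.

```python
"""Per-device allowlist baseline for IoT network flows (added, illustrative example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    device: str  # identifier of the IoT device that sent the traffic
    dst: str     # destination address
    proto: str   # transport protocol, "tcp" or "udp"
    dport: int   # destination port


Pattern = Tuple[str, str, int]  # (destination, protocol, port)


def parse_flow(line: str) -> Flow:
    """Parse one 'device,dst,proto,dport' record (constructed format)."""
    device, dst, proto, dport = (field.strip() for field in line.split(","))
    return Flow(device, dst, proto.lower(), int(dport))


def load(text: str) -> List[Flow]:
    """Parse every non-empty line of a flow export."""
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def build_baseline(flows: Iterable[Flow]) -> Dict[str, Set[Pattern]]:
    """Learn the communication patterns each device uses.

    The learning window must come from a period when the devices are known
    to be clean; anything observed here is treated as normal afterwards.
    """
    baseline: Dict[str, Set[Pattern]] = defaultdict(set)
    for flow in flows:
        baseline[flow.device].add((flow.dst, flow.proto, flow.dport))
    return dict(baseline)


def find_deviations(baseline: Dict[str, Set[Pattern]],
                    flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow outside its device's baseline (least privilege:
    whatever was not learned is not allowed, so one flow is enough to alert)."""
    alerts = []
    for flow in flows:
        allowed = baseline.get(flow.device)
        if allowed is None:
            alerts.append((flow, "device has no baseline"))
        elif (flow.dst, flow.proto, flow.dport) not in allowed:
            alerts.append((flow, "flow outside learned baseline"))
    return alerts


# Constructed sample data; addresses are from the documentation ranges.
LEARNING_WINDOW = """\
camera-01,198.51.100.10,tcp,443
camera-01,198.51.100.20,udp,123
thermostat-07,198.51.100.30,tcp,8883
camera-01,198.51.100.10,tcp,443
"""

LIVE_TRAFFIC = """\
camera-01,198.51.100.10,tcp,443
camera-01,203.0.113.99,udp,53
thermostat-07,198.51.100.30,tcp,8883
thermostat-07,198.51.100.30,tcp,23
printer-02,198.51.100.40,tcp,443
"""


def run_demo() -> List[Tuple[Flow, str]]:
    """Learn from the clean window, then check the live traffic against it."""
    baseline = build_baseline(load(LEARNING_WINDOW))
    return find_deviations(baseline, load(LIVE_TRAFFIC))


if __name__ == "__main__":
    for flow, reason in run_demo():
        print(f"ALERT {flow.device} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The same learned patterns can be turned into per-device egress rules, so that a deviating flow is blocked as well as reported.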

Or as we've argued before, regulation is key. And now that we have an economic cost on IoT insecurity, we have better information for regulators to pursue strategies and legislation for enforcing workable security standards to reduce the negative impacts of IoT devices on society.

 

 

 

Read more…

The Meltdown and Spectre microprocessor bugs not only compromise billions of desktops, laptops, servers, clouds, tablets and smartphones, they also put tens of billions more embedded, IoT, and control systems at risk.

Read more…

The current political events in Barcelona provide us with a barely-needed reminder that we live in changing times.  I was in the city as part of the Trustonic team exhibiting at IoT Solutions World Congress last week and took some time to speak with fellow vendors. I soon saw some fantastic product demonstrations that drew my attention - I wanted to learn more. Frequently though, the response to: “This looks great - how is it secured? How do we know the data is trustworthy?” was a puzzled look and a “It uses our cloud and we secure that” or “It runs on a secure OS”.  Sometimes the response was worse: “It’s a closed network. You couldn’t attack it”.

It didn’t fill me with confidence. Everyone has a secure solution, it seems. But how do we know that it’s secure? Who has validated it? The questions and the perplexed looks continued. I slept uneasily.

I don’t want to criticise the IoT solutions that I saw – they were interesting and point to an exciting future for us all. Unfortunately, securing these solutions isn’t exciting and probably won’t draw a crowd to your stand. It’s rare to see ground-breaking security solutions making the news – consumers just expect it these days. Of course, you can expect a media frenzy if you’re breached. There have been some horrifying examples already and we are still in the early days of this industry. IoT solutions need to be secure by design – or, to put it another way, the components of the solution must already be secure when they are deployed. With the headache (and tedium) of security taken care of, the industry would be free to innovate and dream up even more exciting products.

I was showing an IoT security demo built on a Samsung ARTIK board, which already has Trustonic TEE technology embedded. It showed an IoT device connecting to Amazon Web Services (AWS), cryptographically proving itself to be secure and having a trusted identity, thus enabling it to become automatically registered on the system. Perhaps not as exciting as an IoT boat or sports bike sharing data in real time, but it demonstrated that, by embedding a truly secure OS (one that’s Common Criteria certified and FIPS-140-2 approved) combined with a Root of Trust installed in the factory (think of this like a digital birthmark), an IoT device can be trusted pretty much automatically. Once you have an inherently trusted device, you can be confident that data from its sensors is also trustworthy.

Shakespeare wrote “Love all, trust a few”. So, love all the cool and exciting IoT products – but only trust the few which are truly secure.

Read more…

Every week, thousands of new apps hit the mobile market. Unfortunately, the number of hackers working assiduously to tap into these apps to implant malware or phish for user information has also been on the increase. The security of mobile users therefore needs to be taken very seriously, particularly when it comes to app development.


Apart from being highly vigilant about security, app developers need to be able to identify these security issues and know how to avoid them, so as to be able to provide users with the security they need to keep their information and other data safe. Security issues can be experienced in various forms during any mobile application development process; some of which are explained below.

Failure to implement secure communications to servers

Most apps are designed to connect back to a server, particularly those applications that handle sensitive user information. As this is a critical area of concern, mobile app developers must ensure safe transit between the app and the server, so that nothing can be intercepted on an insecure WiFi connection. This type of security is achievable through SSL certificates and encryption. User information can be compromised if developers fail to employ the right SSL libraries.

Inability to plan for physical security breaches

Nothing much can be done to prevent theft or loss of mobile devices. In fact, mobile app developers have very little role to play in this. However, they can greatly help to minimize the problem by implementing a local session timeout. Usually, users are obligated to enter a password from time to time to access an app. Rather than making this a daily occurrence, the password can be required once a week or on the fifth time the app is used. A local session timeout can also prevent the use of software that helps users remember passwords.

The use of weak encryption or an entire lack of encryption

Technology improves constantly, which makes algorithms obsolete and very easy to crack. Failing to use encryption, or using weak encryption, in an app can put sensitive user information at risk of exposure. In the course of using certain apps, users are obligated to input sensitive data like personal identification information or credit card numbers. This information can be hacked, particularly in the absence of good encryption. An app is more likely to be hacked as it becomes more popular. So, if you are looking to push your app to the top, you need to invest in good encryption.

Bypassing systematic security testing

Most importantly, Indian app developers need to consider themselves the last line of defense. You put your app users at risk when you fail to ensure a secure app. In every development process, testing is very important, so there is no need to rush the release of an app. Be sure to test every common inlet for security issues, such as sensors, GPS, camera, and even the development platform. Viruses and malware are no respecters of apps – every app is vulnerable to an attack from them.

Developers should as far as possible avoid exposing crash and debug logs during testing. These are common places hackers take advantage of to find app vulnerabilities. Disabling NSLog statements on iOS during iPhone app development avoids such vulnerabilities and also increases the speed of the app. Likewise, an Android app remains vulnerable until the Android debug log is cleared.

Lack of proper planning for data caching vulnerabilities

Unlike standard laptops and desktops, mobile devices are well known for their ability to store short-term information for longer periods. This caching method generally helps to increase speed. However, since hackers can easily access cached information, there is every possibility of mobile devices being susceptible to security breaches. A major way of avoiding the problem is by requiring a password to use an app. However, this can affect the popularity of your app, as most app users find the use of passwords quite inconvenient. Alternatively, you can program the cache to be automatically erased every time users reboot their mobile device. This is another meaningful solution to data caching vulnerabilities.

Adopting other developers’ code

Developing an app from scratch can be very time-consuming, but with the availability of plenty of free code, this process has been greatly simplified. Some hackers, however, create code for unsuspecting developers. In the hope that application developers will pick up their code, some hackers have ventured into publishing anonymous code. Through this, they gain easy and free access to any information of their choice after the app has been designed and released.

Although it is never a bad thing to build upon people’s ideas, it is essential to carry out relevant research before doing so. To avoid security issues, make use of code from reliable sources. So, if you’re looking to build upon the ideas of a third party, be sure to use sources you can trust. Always use verified and trusted sources for code, and be on the lookout for phishing scams by reading the code line by line.

Slow patching of app

Just because your app has been launched does not mean that you are done with the development process. Hackers are always on the move; they do not relent in their efforts to break into an app, and they always work very fast. Most times, they search for apps with irregular security updates. Then they exploit these security breaches to bring down the app. It is good practice to perform regular security updates by revisiting the app often.

However, users on their own part may be unable to get these patches on time. This is because they have to accept and download them. Additionally, the approval process of a patch on an iOS platform can typically take up to a week. Obviously, patches can take a while to reach users. To this end, you can put user information at risk if you fail to stay right on top of new security updates.

When it comes to creating apps that deal with confidential matters such as personal information and customer credit cards, there is no room for error. To any app developer, the repercussions of the smallest security breach can be catastrophic. It is your duty to protect both your app and its users. So, be sure to take all necessary precautions so as not to get caught unawares.

Read more…

Infographic: Securing Connected Cars

In my recent interview with Sam Shawki, the founder and chief executive officer of MagicCube, I wrote about getting a new Ram Truck and noted that it was a beast not just in size and towing power, but a beast of electronics and connectivity. According to Intertrust Technologies, the percentage of new cars shipped with Internet connectivity will rise from 13% in 2015 to 75% in 2020, and that in 2020, connected cars will account for 22% of all vehicles on the road. That number is sure to grow. More stats in the infographic below. 


Connected Cars

Read more…

Not far from San Francisco International Airport, San Bruno is a quaint middle-class residential suburb, yet underground in San Bruno was a gas pipeline controlled by SCADA software that used the Internet as its communications backbone. On Sept. 9, 2010, a short circuit caused the operations room to read a valve as open when it had actually closed, spiking the readings coming from pipeline pressure sensors in different parts of the system. Unbeknownst to the families returning home from ballet and soccer practice, technicians were frantically trying to isolate and fix the problem. At 6:11 pm, a corroded segment of pipe ruptured in a gas-fueled fireball.

The resulting explosion ripped apart the neighborhood. Eight people died. Seventeen homes burned down. The utility, PG&E, was hit with a $1.6 billion fine.

The accident investigation report blamed the disaster on a sub-standard segment of pipe and technical errors; there was no suggestion that the software error was intentional, no indication that malicious actors were involved. “But that’s just the point,” Joe Weiss argues. “The Internet of Things introduces new vulnerabilities even without malicious actors.”

Joe Weiss is a short, bespectacled engineer in his sixties. He has been involved in engineering and automation for four decades, including fifteen years at the respected Electric Power Research Institute. He has enough initials after his name to be a member of the House of Lords—PE, CISM, CRISC, IEEE Senior Fellow, ISA Fellow, etc., all of which speak to his expertise and qualifications as an engineer. For instance, he wrote the safety standards for the automated systems at nuclear power plants.

The problem, Weiss claims, is using the internet to control devices that it was never intended to control. Among these are industrial systems in power plants or factories, devices that manage the flow of electricity through the energy grid, medical devices in hospitals, smart-home systems, and many more.

Continue reading this article on Quartz.

Read more…

Tripwire, Inc., a security company, recently announced the results of a study conducted in partnership with Dimensional Research.  The study looked at the rise of Industrial Internet of Things (IIoT) deployment in organizations, and to what extent it is expected to cause security problems in 2017.  

The big not-so-surprise: 96 percent of IT security professionals expect an increase in cybersecurity attacks on the Industrial Internet of Things.

Yes, you should expect to get hacked.  

Robert Westervelt, security research manager at IDC, said in a statement: “As Industrial companies pursue IIoT, it’s important to understand the new threats that can impact critical operations. Greater connectivity with operational technology (OT) exposes operational teams to the types of attacks that IT teams are used to seeing, but with even higher stakes. The concern for a cyber attack is no longer focused on loss of data, but safety and availability. Consider an energy utility as an example - cyber attacks could disrupt power supply for communities and potentially have impact to life and safety.”

Key findings include:

  • 96 percent of those surveyed expect to see an increase in security attacks on IIoT in 2017 
  • 51 percent said they do NOT feel prepared for security attacks that abuse, exploit, or maliciously leverage insecure IIoT devices
  • 64 percent said they already recognize the need to protect against IIoT attacks, as they gain popularity with hackers
  • 90 percent expect IIoT deployment to increase 
  • 94 percent expect IIoT to increase risk and vulnerability in their organization

The study was commissioned by Tripwire and carried out by Dimensional Research in January 2017. A total of 403 qualified participants completed the survey. All participants had responsibility for IT security as a significant part of their job and worked at companies with more than 1,000 employees. Survey respondents were based in the United States (278), the United Kingdom (44), Canada (28) and Europe (53). 


18 Articles on IoT and Security

This resource is part of a series of specific topics related to the Internet of Things.

Using Blockchain to Secure IoT

By Ahmed Banafa

IoT is creating new opportunities and providing a competitive advantage for businesses in current and new markets. It touches everything—not just the data, but how, when, where and why you collect it. The technologies that have created the Internet of Things aren’t only changing the internet; they are changing the things connected to it: the devices and gateways on the edge of the network that are now able to request a service or start an action without human intervention at many levels.

Because the generation and analysis of data are so essential to the IoT, consideration must be given to protecting data throughout its life cycle. Managing information at all levels is complex because data will flow across many administrative boundaries with different policies and intents.

Given the various technological and physical components that truly make up an IoT ecosystem, it is good to consider the IoT as a system-of-systems. The architecting of these systems that provide business value to organizations will often be a complex undertaking, as enterprise architects work to design integrated solutions that include edge devices, applications, transports, protocols, and analytics capabilities that make up a fully functioning IoT system. This complexity introduces challenges to keeping the IoT secure, and ensuring that a particular instance of the IoT cannot be used as a jumping off point to attack other enterprise information technology (IT) systems.

International Data Corporation (IDC) estimates that 90% of organizations that implement the IoT will suffer an IoT-based breach of back-end IT systems by the year 2017.

Challenges to Secure IoT Deployments

Regardless of the role your business has within the Internet of Things ecosystem (device manufacturer, solution provider, cloud provider, systems integrator, or service provider), you need to know how to get the greatest benefit from this new technology that offers such highly diverse and rapidly changing opportunities.

Handling the enormous volume of existing and projected data is daunting. Managing the inevitable complexities of connecting to a seemingly unlimited list of devices is complicated. And the goal of turning the deluge of data into valuable actions seems impossible because of the many challenges. The existing security technologies will play a role in mitigating IoT risks but they are not enough. The goal is to get data securely to the right place, at the right time, in the right format; it’s easier said than done for many reasons.

Dealing with the challenges and threats

Gartner predicted that more than 20% of businesses will deploy security solutions for protecting their IoT devices and services by 2017. IoT devices and services will expand the surface area for cyber-attacks on businesses by turning physical objects that used to be offline into online assets communicating with enterprise networks. Businesses will have to respond by broadening the scope of their security strategy to include these new online devices.

Businesses will have to tailor security to each IoT deployment according to the unique capabilities of the devices involved and the risks associated with the networks connected to those devices. BI Intelligence expects spending on solutions to secure IoT devices and systems to increase fivefold over the next four years.

The optimum platform

Developing solutions for the Internet of Things requires unprecedented collaboration, coordination, and connectivity for each piece in the system, and throughout the system as a whole. All devices must work together and be integrated with all other devices, and all devices must communicate and interact seamlessly with connected systems and infrastructures in a secure way. It’s possible, but it can be expensive, time-consuming, and difficult unless a new line of thinking and a new approach to IoT security emerge that move away from the current centralized model.

The problem with the current centralized model

The current IoT ecosystems rely on centralized, brokered communication models, otherwise known as the server/client paradigm. All devices are identified, authenticated and connected through cloud servers that sport huge processing and storage capacities. The connection between devices will have to exclusively go through the internet, even if they happen to be a few feet apart.

While this model has connected generic computing devices for decades and will continue to support small-scale IoT networks as we see them today, it will not be able to respond to the growing needs of the huge IoT ecosystems of tomorrow.

Existing IoT solutions are expensive because of the high infrastructure and maintenance cost associated with centralized clouds, large server farms, and networking equipment. The sheer amount of communications that will have to be handled when IoT devices grow to the tens of billions will increase those costs substantially.

Even if the unprecedented economic and engineering challenges are overcome, cloud servers will remain a bottleneck and point of failure that can disrupt the entire network. This is especially important as more critical tasks

Moreover, the diversity of ownership of devices and their supporting cloud infrastructure makes machine-to-machine (M2M) communications difficult. There’s no single platform that connects all devices and no guarantee that cloud services offered by different manufacturers are interoperable and compatible.

Decentralizing IoT networks

A decentralized approach to IoT networking would address many of the problems above. Adopting a standardized peer-to-peer communication model to process the hundreds of billions of transactions between devices will significantly reduce the costs associated with installing and maintaining large centralized data centers and will distribute computation and storage needs across the billions of devices that form IoT networks. This will prevent a failure in any single node from bringing the entire network down.

However, establishing peer-to-peer communications will present its own set of challenges, chief among them the issue of security. And as we all know, IoT security is about much more than protecting sensitive data. The proposed solution will have to maintain privacy and security in huge IoT networks and offer some form of validation and consensus for transactions to prevent spoofing and theft.

To perform the functions of traditional IoT solutions without a centralized control, any decentralized approach must support three fundamental functions:

  • Peer-to-peer messaging
  • Distributed file sharing
  • Autonomous device coordination

 

The Blockchain approach

Blockchain, the “distributed ledger” technology that underpins bitcoin, has emerged as an object of intense interest in the tech industry and beyond. Blockchain technology offers a way of recording transactions or any digital interaction in a way that is designed to be secure, transparent, highly resistant to outages, auditable, and efficient; as such, it carries the possibility of disrupting industries and enabling new business models. The technology is young and changing very rapidly; widespread commercialization is still a few years off. Nonetheless, to avoid disruptive surprises or missed opportunities, strategists, planners, and decision makers across industries and business functions should pay heed now and begin to investigate applications of the technology.

What is Blockchain?

Blockchain is a database that maintains a continuously growing set of data records. It is distributed in nature, meaning that there is no master computer holding the entire chain. Rather, the participating nodes have a copy of the chain. It’s also ever-growing — data records are only added to the chain.

A blockchain consists of two types of elements:

  • Transactions are the actions created by the participants in the system.
  • Blocks record these transactions and make sure they are in the correct sequence and have not been tampered with. Blocks also record a time stamp when the transactions were added.

What are some advantages of Blockchain?

The big advantage of blockchain is that it’s public. Everyone participating can see the blocks and the transactions stored in them. This doesn’t mean everyone can see the actual content of your transaction, however; that’s protected by your private key.

A blockchain is decentralized, so there is no single authority that can approve the transactions or set specific rules to have transactions accepted. That means there’s a huge amount of trust involved since all the participants in the network have to reach a consensus to accept transactions.

Most importantly, it’s secure. The database can only be extended and previous records cannot be changed (at least, there’s a very high cost if someone wants to alter previous records).

How does it work?

When someone wants to add a transaction to the chain, all the participants in the network will validate it. They do this by applying an algorithm to the transaction to verify its validity. What exactly is understood by “valid” is defined by the blockchain system and can differ between systems. Then it is up to a majority of the participants to agree that the transaction is valid.

A set of approved transactions is then bundled in a block, which gets sent to all the nodes in the network. They, in turn, validate the new block. Each successive block contains a hash, which is a unique fingerprint, of the previous block.
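The validate, bundle and link steps described above, as an added example rather than code from the original article: the device names, the valve-range validity rule and the sample messages are constructed, and the simple majority vote is a stand-in for a real consensus protocol.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64
KNOWN_DEVICES = {"soil-sensor-1", "irrigation-valve-1"}  # constructed device ids

def is_valid_tx(tx):
    """Constructed validity rule: known sender and a valve setting of 0-100 %."""
    return tx.get("device") in KNOWN_DEVICES and 0 <= tx.get("valve_pct", -1) <= 100

def majority_accepts(tx, validators):
    """A transaction is accepted only if more than half of the nodes approve it."""
    votes = sum(1 for validate in validators if validate(tx))
    return votes > len(validators) // 2

def block_hash(block):
    """SHA-256 fingerprint of everything in the block except its own hash field."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, transactions, timestamp):
    """Bundle approved transactions into a block linked to the previous block."""
    block = {"index": len(chain), "timestamp": timestamp, "transactions": transactions,
             "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV}
    block["hash"] = block_hash(block)
    chain.append(block)

def first_bad_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None

def build_sample_chain():
    """Three blocks of constructed irrigation messages, each vetted by majority vote."""
    validators = [is_valid_tx, is_valid_tx, lambda tx: True]  # third node is faulty
    pending = [
        {"device": "soil-sensor-1", "valve_pct": 40},
        {"device": "irrigation-valve-1", "valve_pct": 250},   # out of range: rejected
        {"device": "irrigation-valve-1", "valve_pct": 35},
        {"device": "soil-sensor-1", "valve_pct": 10},
    ]
    approved = [tx for tx in pending if majority_accepts(tx, validators)]
    chain = []
    for n, tx in enumerate(approved):
        append_block(chain, [tx], timestamp=1_700_000_000 + n)
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", first_bad_block(chain))          # None
    chain[1]["transactions"][0]["valve_pct"] = 100    # edit an old record
    print("after edit:", first_bad_block(chain))      # 1: block no longer matches its hash
    chain[1]["hash"] = block_hash(chain[1])           # re-hash the edited block
    print("after re-hash:", first_bad_block(chain))   # 2: the next block's link breaks
```

The hash chain only makes an edit evident: re-hashing the changed block moves the failure to the next block, so every later block would have to be rewritten as well. The cost of doing that across the network comes from the consensus mechanism, which this sketch does not implement.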

There are two main types of Blockchain:

  • In a public blockchain, everyone can read or write data. Some public blockchains limit the access to just reading or writing. Bitcoin, for example, uses an approach where anyone can write.
  • In a private blockchain, all the participants are known and trusted. This is useful when the blockchain is used between companies that belong to the same legal mother entity.

The Blockchain and IoT

Blockchain technology is the missing link to settle scalability, privacy, and reliability concerns in the Internet of Things. Blockchain technologies could perhaps be the silver bullet needed by the IoT industry. Blockchain technology can be used to track billions of connected devices, enable the processing of transactions and coordination between devices, and allow for significant savings to IoT industry manufacturers. This decentralized approach would eliminate single points of failure, creating a more resilient ecosystem for devices to run on. The cryptographic algorithms used by blockchains would make consumer data more private.

The ledger is tamper-proof and cannot be manipulated by malicious actors because it doesn’t exist in any single location, and man-in-the-middle attacks cannot be staged because there is no single thread of communication that can be intercepted. Blockchain makes trustless, peer-to-peer messaging possible and has already proven its worth in the world of financial services through cryptocurrencies such as Bitcoin, providing guaranteed peer-to-peer payment services without the need for third-party brokers.

The decentralized, autonomous, and trustless capabilities of the blockchain make it an ideal component to become a fundamental element of IoT solutions. It is not a surprise that enterprise IoT technologies have quickly become one of the early adopters of blockchain technologies.

In an IoT network, the blockchain can keep an immutable record of the history of smart devices. This feature enables the autonomous functioning of smart devices without the need for centralized authority. As a result, the blockchain opens the door to a series of IoT scenarios that were remarkably difficult, or even impossible to implement without it.

By leveraging the blockchain, IoT solutions can enable secure, trustless messaging between devices in an IoT network. In this model, the blockchain will treat message exchanges between devices similar to financial transactions in a bitcoin network. To enable message exchanges, devices will leverage smart contracts which then model the agreement between the two parties.

In this scenario, we can envision a sensor communicating from afar directly with the irrigation system in order to control the flow of water based on conditions detected on the crops. Similarly, smart devices in an oil platform can exchange data to adjust functioning based on weather conditions.

Using the blockchain will enable true autonomous smart devices that can exchange data, or even execute financial transactions, without the need of a centralized broker. This type of autonomy is possible because the nodes in the blockchain network will verify the validity of the transaction without relying on a centralized authority.

In this scenario, we can envision smart devices in a manufacturing plant that can place orders for repairing some of its parts without the need of human or centralized intervention. Similarly, smart vehicles in a truck fleet will be able to provide a complete report of the most important parts needing replacement after arriving at a workshop.

One of the most exciting capabilities of the blockchain is the ability to maintain a duly decentralized, trusted ledger of all transactions occurring in a network. This capability is essential to enable the many compliance and regulatory requirements of industrial IoT applications without the need to rely on a centralized model.

 This article originally appeared here. Header photo has been modified, credit here.



Securing the Internet of Everything

The introduction of connected devices is complicating an already incredibly complex security environment for infosec professionals. In just two decades, the enterprise has gone from a controlled scenario of one device per user to a situation in which users may have five or more devices connected to sensitive systems and applications. As the IoT becomes more popular, it will soon be impossible to quantify just how many internet-enabled, vulnerable points exist within an organization. So what can companies do to secure the IoT?