Are We Looking at Our Last Chance to Get IoT Security Right?

The Internet of Things is growing and so is the risk of exploitation.

by Larry Karisny / May 8, 2018

Time is running out on setting security standards for the Internet of Things. The President’s National Security Telecommunications Advisory Committee (NSTAC) has examined the cybersecurity implications of IoT and has determined that there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. 

While the adoption of IoT is increasing in both speed and scope, and will impact virtually all sectors of our society, NSTAC warns that if the country fails to develop and use security standards, “it will be coping with the consequences for generations.”

The President’s Commission on Enhancing National Cybersecurity reached a similar conclusion: “The IoT facilitates linking an incredible range of devices and products to each other and the world. Although this connectivity has the potential to revolutionize most industries and many facets of everyday life, the possible harm that malicious actors could cause by exploiting these technologies to gain access to parts of our critical infrastructure, given the current state of cybersecurity, is immense.”

To reduce such risks, the National Institute of Standards and Technology (NIST) Draft NISTIR 8200 Report has kept the door wide open for private-sector comments for developing much needed global IoT security standards. With IoT breaches increasing constantly, this comment request may have been just in time. 

IoT security is a public, private and international concern

IoT is everywhere and, if exploited by hackers or terrorists, could cause physical damage, including devastation of critical infrastructure, human harm or even death. This puts standards groups in the precarious position of needing international agreements on how to address IoT security on a global basis.

There is an added concern with the interaction of IoT processes and unseen machine actions. For example, Intrusion Prevention System (IPS) security requires specialized authentication, validation, encryption and process management capabilities that are not necessarily possible under current cybersecurity standards. 

In encryption alone, two issues repeatedly come up, according to NIST. First, IoT devices have limited processor and memory capacity, which restricts high-end encryption hardening while extending connectivity to millions of new system process endpoints. Second, current authentication and encryption technologies were not designed to be implemented under these constraints.

IoT offers deeper learning, system actions and connectivity, which in turn require security methodologies that can interoperate across all systems: methodologies that operate effectively across all hardware, network, protocol and software platforms, under the added processor limitations and multi-protocol requirements of IoT.

Securing IoT is a tall order. The comments on the NIST Draft show changes need to be made in existing standards with the potential of deploying completely disruptive cybersecurity technologies to achieve IoT security.    

Can IoT security fix all cybersecurity?

IoT security is not typical security. It sometimes adds an entire layer of process events to an already complex operating system. Many processing systems already have security issues, and adding IoT to them could open additional weaknesses. This is the “weakest link” scenario, in which the smallest IoT device could cause catastrophic consequences.

There is an advantage to learning how to secure IoT. If a small IoT action can be secured at the processor level of an operating system, then the same techniques, which require low-overhead, millisecond security, can be used in a variety of system process applications. IoT security could be the learning process needed to achieve complete system process security.

Finding the answer to IoT security requirements isn’t easy. The physical application of IoT requires many different human and machine security authentications while extending process intelligence and events throughout the system. This extension is often connected to system processes that already have security concerns, such as cloud applications and even locally isolated IoT ecosystems used in DDoS attacks. Obtaining a solid IoT security platform could be a road map for addressing all forms of cybersecurity. From encryption hardening to deep process learning, if you can secure IoT you can secure anything.

Now is the time to get IoT security right

The Interagency International Cybersecurity Standardization Working Group offers an interesting direction for national and international standards evaluation of IoT. Global public- and private-sector IoT applications could be greatly affected by IoT cyberattacks. This presents NIST with the daunting task of finding the best technological solution for IoT security while still addressing the political and corporate influence already present in existing cybersecurity standards.

With the private sector pointing to big problems with IoT security and the International Organization for Standardization (ISO) rejecting NSA IoT encryption algorithms, this could be the time for getting IoT security right. It could happen through government guidelines and regulations involving global standards bodies, such as ODVA, OPC and ISA; or it could happen through industry groups, such as the Internet Engineering Task Force (IETF), the Industrial Internet Consortium (IIC) security working group, or IEEE. The world understands the importance of securing IoT devices and systems, and NIST is at the forefront of this need.

Now starts the hard work. We need to get these standards right, and fast. IoT security answers many of the existing problems that multiple cyberdefense systems can’t answer on their own. Data at rest and in motion, and signature and key algorithms, are all vulnerable to attack. So, too, is key and signature theft under current security technologies. These same signatures and keys, multiplied by billions of IoT devices, cannot be managed. Viewing and validating the smallest digital event must be addressed with a speed and accuracy that has never been available in current cyberdefense technologies.

Security environments are already having scalability, monitoring, management and cost issues. IoT adds a whole new extended endpoint to processes that will require deeper and more easily managed monitoring and security methodologies. IoT security experts must find a way to do this in the deepest, most complex systems while adding the needed simplicity to process security.

This may require a different way of thinking in an industry that is reaching a level of complexity and employment it can no longer sustain. The comments section of the NIST Draft offers an opportunity to respond to these IoT security needs in a public- and private-sector forum. Both sectors need to participate and collaborate in addressing the global requirements of IoT security.    

Standards on steroids 

Public- and private-sector participation in cybersecurity needs to continue. We all will gain by working together on this issue. There is no better picture of this than securing IoT. In fact, it requires international cooperation in many applications while still offering unique or even proprietary requirements for national defense and critical infrastructure. 

There must be a balance of authentication, privacy and security on both the human and machine level. We can no longer afford to put Band-Aids on legacy security standards. We must search for and deploy security designs that don’t delay but fix the problem. By choosing the right capability, we can address this.

IoT has the worst security record in the industry, and little has been done about it. We need to find a different way of getting the job done if we are to catch up in the race to cyberdefense. IoT’s vulnerabilities have forced standards groups like NIST to think outside the box, moving from tweaking old standards into a whole new proof-of-concept era. We need to catch up in cyberdefense technologies, and a public-private collaborative approach just may be the answer. We have been given the opportunity. We must now turn that opportunity into action.

Larry Karisny

Larry Karisny is the director of Project Safety.org, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.