"The same intelligence that enables devices to perform their tasks, must also enable them to recognise and counteract threats." -- WindRiver
IoT adoption is growing at pace as organizations discover more efficiencies, and develop new revenue streams and business models as the number of connected things grows.
A recent Gartner research note showed that 29% of respondents were currently using IoT, with an additional 14% planning to deploy projects in 2016 and 21% planning to implement post-2016. In 2016 alone we will see a 50% growth in adoption rates globally, according to Gartner. This is juxtaposed against a recent Microsoft study showing that security is the biggest hurdle for enterprise IoT adoption in 2016 and will remain so in 2017.
In the previous two articles I covered security as a guiding principle for the IoT ecosystem and the need for a holistic, architecture-based approach encompassing people, processes and technology. In this article we delve deeper into three crucial capabilities that will underpin a secure approach to IoT. These capabilities are by no means exhaustive, but for organizations looking to deploy IoT projects they are simple and achievable pillars as part of their overall security architecture strategy.
There is an old adage in security: "You can't protect what you can't see." Visibility is crucial in any cybersecurity ecosystem -- knowing what assets you have, and being able to manage them, is a prerequisite for securing those assets and the data they store, process or transmit. But when we deploy IoT at a rate of 3 million things per day, reaching 100 billion by 2025, exactly how is this achievable?
To complicate matters there are multiple competing communications protocols for both short distance (6LowPAN, Zigbee, Z-wave, Bluetooth LE) and wide area (Symphony, SigFox, LoraWAN, NB-IoT) and an estimated 300 IoT platforms currently deployed.
The ability to discover devices and (if applicable) the associated user entity will be key, and this is where the network and IoT platform layers will assist greatly. As devices are provisioned, the entity (the user mapped to the device) needs to be shared to a common repository which is dynamically updated as devices respond to heartbeat and keep-alive requests from the gateway or platform.
Due to the size and dynamic nature of the data, this repository will need to be distributed across the IoT ecosystem, encompassing both data center and edge analytics. This IoT "data lake" can then be mined and correlated for threats as well as malicious or suspicious activity. Has there been a spike in CPU on the sensor? Has there been an irregular number of keep-alive packets? Has the device exceeded its baseline of data?
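The three baseline questions above (CPU spike, irregular keep-alive count, data volume beyond baseline) can be answered mechanically once a per-device baseline exists. The following is an added example, not code from the article or from Cisco: it learns a per-metric mean and spread from a window of constructed heartbeat records and flags any later heartbeat whose metrics deviate by more than an assumed number of standard deviations.

```python
"""Baseline anomaly checks over IoT heartbeat telemetry.
Added example; the records, metric names and thresholds are constructed."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed learning window: one record per reporting interval for one sensor.
BASELINE_WINDOW: List[Dict[str, float]] = [
    {"cpu": 12, "keepalives": 6, "bytes": 2100},
    {"cpu": 14, "keepalives": 6, "bytes": 2300},
    {"cpu": 11, "keepalives": 5, "bytes": 1900},
    {"cpu": 13, "keepalives": 6, "bytes": 2200},
    {"cpu": 12, "keepalives": 6, "bytes": 2000},
]


def build_baseline(records: List[Dict[str, float]]) -> Dict[str, Tuple[float, float]]:
    """Per-metric (mean, population stddev) learned from the window."""
    baseline = {}
    for metric in records[0]:
        values = [r[metric] for r in records]
        baseline[metric] = (mean(values), pstdev(values))
    return baseline


def check_heartbeat(baseline: Dict[str, Tuple[float, float]],
                    record: Dict[str, float],
                    sigmas: float = 3.0,
                    min_spread: float = 1.0) -> List[Tuple[str, float]]:
    """Return (metric, z-score) for every metric further than `sigmas`
    standard deviations from its baseline. `min_spread` floors the stddev so
    a perfectly flat baseline does not flag harmless jitter (assumed tuning)."""
    findings = []
    for metric, (mu, sd) in baseline.items():
        sd = max(sd, min_spread)
        z = (record[metric] - mu) / sd
        if abs(z) > sigmas:
            findings.append((metric, round(z, 1)))
    return findings


def is_suspicious(baseline, record) -> bool:
    """Decision the analytics platform would hand to orchestration."""
    return bool(check_heartbeat(baseline, record))
```

In a real deployment the baseline is recomputed per device and per time-of-day, and a flagged device feeds the quarantine step described later in the article.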
IoT analytics is in early adoption -- IBM's Watson IoT, SAP's Hana and Cisco Fog computing are just some of the options from the mainstream technology vendors. In the near future, the developing field of Artificial General Intelligence applied to IoT will help to analyze and identify threats from the massive amounts of data that the IoT will generate.
In an ideal scenario sensors are deployed, switched on and self-provisioned, usually by means of a pre-installed certificate, "calling home" to an update server to download their configuration.
This process is automated, otherwise we could not scale effectively. An example is a sensor which tracks telemetry for fleet vehicles in the field. As the sensor is powered on, it would update its factory settings by collecting the VIN, license plate and unique identifier for the vehicle it's tracking. Ideally, in the same manner as the device has automated the provisioning process, it should also then ensure the key exchange process is secure, have the ability to boot into a secure "known good state," and be updated over the wire with new firmware and security updates as they become available.
We can build upon this scenario by building whitelisting capability into the sensor. During the boot phase it checks its "known good state" against a defined whitelist of processes it can execute and, if there is suspicious activity, has the ability to fail gracefully and reset itself to a known good state.
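The boot-phase check just described, as an added example that is not part of the article or any Cisco product: the allowlist maps each permitted process to the hash of its executable, every process about to run is compared against it, and any unlisted or tampered binary makes the device fail closed and reset to its known good state instead of continuing. Process names and binary contents are constructed stand-ins.

```python
"""Boot-phase process allowlist check for a sensor image.
Added example; binaries and process names are constructed."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed stand-ins for the executables the known good state permits.
GOOD_BINARIES: Dict[str, bytes] = {
    "telemetryd": b"telemetry daemon v1.2",
    "otaupdate": b"ota update client v0.9",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The allowlist ships with the firmware (ideally anchored in a secure element)
# and maps each permitted process name to the hash of its executable.
ALLOWLIST: Dict[str, str] = {name: sha256_hex(blob) for name, blob in GOOD_BINARIES.items()}


def verify_boot(allowlist: Dict[str, str],
                running: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Compare what is about to run against the allowlist.
    `running` maps process name -> executable bytes found on the device.
    Returns (ok, reasons); ok is False if anything is unlisted or tampered."""
    reasons: List[str] = []
    for name, blob in running.items():
        expected = allowlist.get(name)
        if expected is None:
            reasons.append(f"{name}: not on allowlist")
        elif not hmac.compare_digest(sha256_hex(blob), expected):
            reasons.append(f"{name}: hash mismatch")
    return (not reasons, reasons)


def boot_decision(allowlist: Dict[str, str], running: Dict[str, bytes]) -> str:
    """Fail closed: anything unexpected means reset to the known good state
    rather than booting with the suspicious process set."""
    ok, _ = verify_boot(allowlist, running)
    return "run" if ok else "reset-to-known-good"
```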
If our analytics platform detects anomalous or suspicious activity then the device is quarantined into an unroutable VLAN, or a dynamic ACL is pushed to the gateway the device is connected to. Other options could be to route traffic from the device(s) differently through the network to another inspection device where machine learning or sandboxing technology is implemented.
Unfortunately what I've just described is mere hypothesis at this stage of IoT maturity. The emerging field of blockchain within IoT is a promising development to deliver a decentralized and resilient IoT ecosystem.
If visibility and automation are the two key pillars of a secure IoT ecosystem then orchestration is the glue that holds it together. Exploring best practice, a device being provisioned into an IoT ecosystem passes through these stages:
- Provisioning & authentication
- Configuration & control
- Monitoring & analytics
- Firmware & security updates
We should overlay a secure architecture over this best practice approach:
[Figure: Proposed security architecture, Cisco Systems]
We can quickly ascertain that in a secure ecosystem there are a lot of moving parts from secure provisioning and authentication through to post-installation firmware and security updates.
The only effective means to ensure coherence in this secure IoT ecosystem is having the capability to orchestrate components in an automated fashion. Using the automation example above, orchestration enables the device to self-provision, self-authenticate and ensure it is in a known good state when it connects. From the edge network (Fog network), orchestration enables the device to be assigned the relevant resources in the data center/cloud layer, and also revokes them if suspicious or anomalous activity is detected by the analytics platform.
This revocation can take the form of revoking the device's certificate, or of revoking its network access using network access control. Organizations that have the ability to orchestrate these functions also maintain visibility in their IoT ecosystem and are able to automate security at scale.
VAO (visibility, automation and orchestration) are three crucial capabilities organizations need to develop to ensure secure practices within the IoT ecosystem. These capabilities are largely people- and process-focused, with technology as an enabler. VAO does not operate in isolation either and is only effective as part of a holistic, architecture-based approach to security in the IoT ecosystem.
— Lani Refiti, Security Lead, Cisco Systems