Security for the Internet of Things (IoT) must be fixed for the long term, and requires top-level guidance.
According to Beecham Research, the potential damage to people, possessions, businesses and national critical infrastructure from a successful attack on cyber-physical systems through the IoT should not be underestimated.
Professor Jon Howes, one of the authors of the report and technology director at Beecham Research, said that devices must be securely managed over their entire lifecycle, to be reset if needed and to enable remote remediation to rebuild and extend security capabilities over time.
Speaking at a launch event for the research in London, Howes said that the industry needs to move faster than standards bodies, and that this needs to be done rapidly. He said: “We have to assume devices will be compromised and deny attacks, and make sure there are methods to reset and refuse failures when attacks succeed. Attacks have little impact on daily lives, but attackers still get away with it.
“Security is the major challenge for IoT, and we require a holistic approach and extend essential encryption to both at rest and in flight, as well as adding interoperability for authentication and authorisation to fit into the IoT architecture. Mostly we need to work together, as these things go in place and stay there for ten years. There is a big need and impact to put security in place.”
Beecham believes the answer to these challenges lies at the architectural level for both devices and systems, and stretches from semiconductors through to network operators and system integrators. This approach underlines the need for common security objectives across the industry and interoperability within broad systems.
This report is the first significant component of a longer study that includes substantial industry collaboration – covering silicon device vendors and extending across all major industry stakeholders – followed by publication of frameworks for an array of use cases.
The report also highlights potential future attacks on IoT systems and how these may ultimately impact users, from home owners losing control of white goods to door locks being disengaged or security alarms being monitored.
Haydn Povey, Technical Associate at Beecham Research, said: “We know from IT that the wheels come off when it comes to security, and if Government cannot define it they will get the blame for it.
“It needs standards and certification, and the problem is they are relatively slow moving and the problems need to be fixed faster than that. We need to focus on users, and managing devices in your home – how do you add a new appliance into IoT over the next six years? Enable a broad stream to build and enable these systems.”
He went on to say that as we build more complex systems, we need to know how we will solve these problems. “This is not about laying down rules for IoT, but all nodes and devices need to be secure to ensure trust and privacy,” he said. “The problems for the long term are with lifecycle management; this is key, as we need to play on the fact that we are fallible and complexity means we will get it wrong, and we have to be lucky all of the time while an attacker only has to be lucky once.
“What happens if we are infected? We cannot go out and replace things as we did with Heartbleed. These things have to live for a long time and exploits change daily, so how are we supposed to know what to fix? We have to support expectations and move security from a burden to a value creation, as people won’t pay for security but will pay for what security enables.”
Povey concluded by saying that security will drive the adoption of IoT, as it is a key enabler and needs to be in there. Asked who should be leading on IoT security, Povey said that Government recognise the problem, and say it is an “accident waiting to happen”.
He said: “In some ways this is the coalition of the living and CTOs of security companies, not silicon companies who are putting rules into IT, not IoT. We are trying to close the loop, and the job of this report is to do this. It is not just crypto, it is remediatable systems and assuming we are fallible and how to manage it.”