5 Reasons Why IoT Security Is Difficult
IoT security, no longer an afterthought
The Internet of Things (IoT) -- smartphones, multifunction printers, connected homes, self-driving cars and more – is everywhere. That’s the good news. The bad news: Hackers and cyber thieves know how to attack these devices in order to access your data or industrial control systems.
What’s worse, legions of IoT sensors, actuators, controllers and computing devices are connected to much of the world’s critical infrastructure. Most of these devices were designed long before hackers and electronic intrusions entered our consciousness. This means that smart power grids, nuclear power plants, military command centers, smart city installations and transportation systems – to name a few – present rich targets for hackers and other bad actors.
For this reason, designers, operators, vendors and users of today’s IoT systems no longer have luxury of prioritizing flexibility and interoperability in their IoT designs. Now, IoT security and privacy must be top of mind.
Researchers at PARC, a Xerox company, have noticed this. As a result, one of PARC’s missions is to develop innovative security solutions that prevent attacks on your cyber-physical device fleets that are part of the broader IoT world.
PARC researchers Ersin Uzun and Shantanu Rane define the problem:
Industrial controls: Originally restricted to their physical environment, these devices are now connected to computer networks. A device can become a gateway to your network if an attacker either presents the right credentials, or finds a way to bypass the credentials altogether.
A rich surface of attack: Advances in computation and connectivity have spawned solutions that automate, improve and simplify key tasks such as gathering sensor readings on a production line, implementing smart supply chains that verify the freshness of a food shipment, programming precise cuts and shapes that CNC machines execute on a block of metal. They have also, unfortunately, exposed a rich attack surface that can be exploited by hackers.
Security-by-design is difficult: This is because the system designer must understand the potential attacker, and the myriad creative ways in which he or she can compromise a particular system.
Complex solutions: Cybersecurity solutions can be far too complex for the low-power, inexpensive sensors that some industrial and enterprise applications need. It is necessary to develop security solutions that operate across a vast range of device capabilities.
Resilience: An IoT system can be compromised in one of two ways: Infect a component that interacts with other components; or compromise the device by spoofing a reading or changing a critical factor in the device’s external environment such as the temperature of the room where it resides. Crucially, we cannot depend on cryptographic solutions to address every possible attack.
Where do we go from here?
Moving beyond classical cryptographic approaches, security solutions must embrace the use of mathematical models to understand the behavior of the system that they protect. A deviation from the model implies that an attack might be imminent or underway. At this point, human operators can work to isolate the attack. For instance, affected components can be disconnected from the network, or a set of compromised keys can be revoked.
Traditional cybersecurity is a necessary starting point, it’s not adequate to secure IoT systems. This is one of the reasons why PARC focuses its research in security solutions on three agendas:
Secure-by-design communications platform for IoT systems.
Secure interactions between humans and cyber-physical systems.
Security based on hybrid modeling of cyber-physical systems.
Security is critical to every business. Secure, resilient and adaptive IoT systems require good partnerships. Talk to us about how we can help you protect your valuable business information.
Structural Health Monitoring Using IoT
Xerox and the Victorian Government are partnering to launch Eloque, a joint venture to commercialize new technology that will remotely monitor the structural health of bridges.