Pre Cloud Security Considerations in IoT

Introduction

Over the past decade, hybrid cloud adoption has steadily increased, with closed networks becoming less and less the option of choice. But this comes at a cost to security and trust metrics. As we become more dependent on intelligent devices in our lives, how do we ensure that the data within this web of devices is not compromised by external threats that could threaten our personal safety?

As the adoption of IoT increases, so does the risk of hackers getting at our personal information. As Alan Webber points out on his RSA blog [6], there are three key risk areas, or bubbles, that companies need to be aware of.

1: Fully enabled Linux/Windows OS systems: This area concerns devices that are not part of a normal IT infrastructure but still run full operating systems, such as Linux or Windows. These operating systems had well-known vulnerabilities long before IoT, and when they are deployed in the “free world” they are not as visible to IT admins.

2: Building Management Systems (BMS): This pertains to infrastructure systems that assist in the management of buildings, such as fire detection, suppression, physical security systems and more. These are not usually classified as threatened, yet shutting down a fire escape alarm system could lead to a break-in scenario.

3: Industry Specific Devices: This area covers devices that assist a particular industry, such as manufacturing, navigation, or supply chain management systems. For example, in a supply chain management system, route and departure times for shipments can be intercepted, which could lead to a shipment being intercepted and rerouted to another geographical location.

So, how do we guard against these types of risks, and make the devices themselves and also the web of connected devices less dumb? Security must be looked at holistically to begin with, with end to end security systems being employed to ensure system level safety, and to work on device level embedded control software to ensure data integrity from edge to cloud.

Data routing must also be taken seriously from a security standpoint. For example, smart meters generally do not push their data to a gateway continuously, but send it to a data collection hub, which then sends it in a single bulk packet to the gateway. Whilst the gateway might have an acceptable security policy, what about the data collection hub? This raises a major challenge: how does one micromanage all the various security systems the data might migrate across?

Security Design Considerations

Early-stage IoT devices unfortunately carried the potential loss of physical security in their design, so security officers need to be aware of the focus and location of their security provisioning.

Applying security design to the devices themselves is not the most utilized method (as with internal storage), because the cost and capacity of these devices work against it. The devices look to ensure consistency of communication and message integrity. Usually, the more complex security design is deployed upfront, within the web services that sit in front of and interact with the devices. It is predicted that as the devices themselves evolve, and nanotechnology becomes more and more of an enabler in the space, the security design will move closer to the devices, before eventually becoming embedded.

It is proposed that shared cloud based storage will play a pivotal role in combating the data volume perplexity, but not without its issues. How do we handle identification and authentication? How do we ensure adequate data governance? Partnerships will be necessary between security officers and cloud providers to ensure these questions are answered.

Searching for the holy grail of 100% threat avoidance is impossible, given the number of players in an entire IoT ecosystem. Whilst cloud service providers own their own infrastructure, it is very difficult for them to know whether the data they receive has been compromised. There are ways to reduce this risk, by using metadata and building “smarts” into the data from typical known sets as it transitions from edge to cloud. A nightclub security guard checking potential clients at the door is a useful analogy: “What's your name?” (what type of data are you), “Where have you been tonight?” (what is your migration path), “How many drinks have you had?” (what transactions happened on your data).
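The door check described above can be sketched as follows. This is an added example, not code from the original post: each hop on the route stamps the data with a keyed tag, and the cloud side checks data type, migration path and transactions before admitting it. The hop names, keys, route and field names are constructed assumptions, and the payload is assumed to travel unchanged from meter to cloud.

```python
import hashlib, hmac, json

# Constructed values: hop names, keys and the expected route are assumptions.
HOP_KEYS = {"meter-17": b"key-meter", "hub-3": b"key-hub", "gateway-1": b"key-gw"}
EXPECTED_PATH = ["meter-17", "hub-3", "gateway-1"]
KNOWN_TYPES = {"meter_reading"}
KNOWN_OPS = {"measure", "batch", "forward"}

def _digest(payload):
    return hashlib.sha256(payload.encode()).hexdigest()

def _tag(hop, prev_tag, body):
    # Each tag covers the previous tag, so removing or reordering an
    # earlier entry breaks every later tag.
    msg = prev_tag.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(HOP_KEYS[hop], msg, hashlib.sha256).hexdigest()

def stamp(env, hop, op):
    """Run at each hop: record who handled the payload and what was done."""
    prev = env["trail"][-1]["tag"] if env["trail"] else ""
    body = {"hop": hop, "op": op, "digest": _digest(env["payload"])}
    env["trail"].append({**body, "tag": _tag(hop, prev, body)})
    return env

def admit(env):
    """Cloud-side door check; returns (admitted, reason)."""
    if env["type"] not in KNOWN_TYPES:                      # what are you?
        return False, "unknown data type"
    if [e["hop"] for e in env["trail"]] != EXPECTED_PATH:   # where have you been?
        return False, "unexpected migration path"
    prev = ""
    for e in env["trail"]:                                  # what was done to you?
        body = {k: e[k] for k in ("hop", "op", "digest")}
        if e["op"] not in KNOWN_OPS:
            return False, "unexpected transaction at " + e["hop"]
        if not hmac.compare_digest(e["tag"], _tag(e["hop"], prev, body)):
            return False, "forged trail entry at " + e["hop"]
        if e["digest"] != _digest(env["payload"]):
            return False, "payload differs from what " + e["hop"] + " stamped"
        prev = e["tag"]
    return True, "ok"

def sample():
    """A constructed smart-meter reading stamped along the expected route."""
    env = {"type": "meter_reading", "payload": "kWh=412.7", "trail": []}
    for hop, op in zip(EXPECTED_PATH, ("measure", "batch", "forward")):
        stamp(env, hop, op)
    return env
```

Because the data collection hub does not hold the meter's key, it cannot change a reading and re-stamp the meter's entry without the check failing.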

IoT Security and Chip Design

One area that could bring about increased data privacy is wider use of “Trusted Execution Environments”, or TEEs. A TEE is a secure area in the main processor of the device, which ensures that independent processing can occur on critical data within the silicon itself. This enables trusted applications to run to enforce confidentiality and integrity, and to protect against unauthorized cloning or object impersonation by remove and replace. As a real-world example, a home owner tampering with their smart meter to reduce their energy bill is one scenario that TEEs would avoid.

If cloud services companies can somehow increase their influence on IoT device design (outside of the popularity of TEEs in cellular applications), then utilizing technology such as this will ensure less risk once the data reaches the cloud. Collaboration efforts should be increased between all parties to ensure best practice can be established across the entire IoT landscape.

Figure 1. Generalized framework for a secure SoC [7]

References:

[6] RSA, Risks of IoT: https://blogs.rsa.com/3-key-risk-areas-internet-things/

[7] EDN SoC TE: http://www.edn.com/design/systems-design/4402964/2/Using-virtualization-to-implement-a-scalable-trusted-execution-environment-in-secure-SoCs

Published by

deniscanty
