Reinventing Cybersecurity in the Internet of Things
151022_oml_reinventing_cybersecurity_IoT_v1p | Public | © Omlis Limited 2015
Reinventing Cybersecurity in the IoT

By 2020 the IDC predict that the IoT will incorporate 200bn sensors, most of which will be communicating over open networks. This mass of connected devices will be doubly susceptible, as their physical security parameters will be exposed as well as their software-based security mechanisms. It's further predicted that by 2016, 90% of all IT networks will have experienced a breach stemming from the IoT. [1]

These figures clearly illustrate that the mass production of IoT (Internet of Things) devices is accelerating beyond the capabilities of traditional security protocols, which have been left floundering in the wake of innovation. A number of security propositions have been mooted to assist in narrowing the gap, with few as compelling as Omlis' mobile-first core technology.

As the connected world continues to churn out increasing amounts of sensitive data, Omlis' core technology will grow as a key enabler, neatly bundling the most powerful encryption and authentication qualities which this valuable data demands, as recognized by leading cloud infrastructure and IoT platform provider SoftLayer through our recent collaboration.
The IoT is a media-friendly term which has very little prescriptive meaning, yet it perfectly captures the notion of a wild proliferation of non-uniform devices involved in open networks. Pulling this array of exposed devices into the safe realms of a secure network was never going to be an easy task. It would appear that we need to treat such a diverse ecosystem on a case-by-case basis, classifying in terms of risk and applying the appropriate security mechanisms.

It's implausible for the IoT to adopt some kind of 'silver bullet' security concept such as an evolved version of a PKI (Public Key Infrastructure) which would act as a panacea for all security concerns; practicalities will demand a layered approach, with different devices requiring different levels of protection according to capability and the value of the data being transmitted. Separating 'mission critical' aspects from sensors which may be involved in low risk networks with low risk applications seems a logical step.

Encryption algorithms need to retain their basic strength whilst exhibiting a small software footprint which doesn't place too high a demand on the processor; in addition, robust encryption needs to be supported by strong mutual authentication techniques for machine registration and updates.

Methods such as digital certificates will inevitably have a place in the early stages, before we're driven to define more practical methods of machine-based authentication.

An adaptable security architecture is the best response to the threat emerging from a complex mixture of devices operating over open networks. This in turn requires a number of solution providers; the key enablers will be those firms which can successfully marry the core characteristics of their technology with the needs of the IoT. Many of these pioneers will come from the mobile-first security sector, on the grounds that their core security platform enhances the offerings of more traditional mobile services, as was the case with Blackberry and the Good Technology acquisition.

The idea of a collective response is becoming clear. VMware enhanced their mobile base with the acquisition of AirWatch in recognition that the mobile would become the 'remote control' for the connected world [2], and similarly, companies such as Hitachi are also looking to harness the synergies of complementary industries to enhance their IoT offering; they recently acquired Pentaho Corp for their ability to analyze collated IoT data.

As more and more data becomes 'sensorized', Omlis' mobile-first design principles and core technology will increasingly represent an excellent fit for high value, mission critical IoT applications.
Problems With Securing the IoT and the Shortcomings of Traditional Methods

Many of the sensors in the IoT don't have the computational capacity to implement any form of complex cryptography, with interpretation and encryption of data duties falling on the smartphone or web-based device in front of the sensor. Of the sensors which do, traditional encryption delivered through protocols like SSL/TLS is often too much of a burden on low processing power.

Traditional security mechanisms such as PKI are trying to adapt and frantically rediscover themselves with new methodologies such as elliptic curve cryptography using reduced key lengths. Omlis on the other hand offers an entirely new solution which isn't conditioned by the demands of outdated architectures and is suited to the emerging practicalities of IoT security.

PKI is buckling under the weight of heavily manual processes already, and its methodology will be further tested by the IoT, for which it was never designed.

If PKI is to be used in the IoT, it will represent a shift from a near universal human user base to tens of billions of additional interconnected non-human devices. The design remit for PKI was very much for public consumption, and how we secure what effectively represents a seismic population growth is a question which cybersecurity vendors need to answer.

Whereas a few years ago certificates were the domain of servers, laptops and personal computers, they're now commonplace in everything from TVs to medical equipment.

There's a fundamental difference between PKI set up for public usage and PKI in a closed or M2M (Machine-to-Machine) sense, in the fact that humans can't interfere as easily. This could be construed as a good thing, or also as something which could be disastrous in terms of device registration, authentication, cloning and malicious substitution. [3]

High volume issuance of certificates on the mass production lines of IoT devices would represent an extremely awkward process, and the ongoing management of these certificates would be particularly difficult, especially with regards to revocation. Providing lifetime certificates is an option but is wholly inappropriate due to increasing calls for lifecycle management.

PKI might be suited to many low value IoT communications if it can be repackaged for devices which have low processing power and thus limited ability to continually generate keys, but for data that demands complete integrity it's far from ideal.

This question of how to provide a unique identifier for each IoT object is therefore very much open and as yet unanswered. Solutions such as DNSSEC have been touted as a method of securing crowded networks and guaranteeing communications between client and server, but it is hugely susceptible to eavesdropping. This leaves the door open for more targeted solutions such as those offered by Omlis, which can wrap robust encryption of data with mutual authentication and lifecycle management.

Omlis' software-defined core technology can be tailored in such a manner that it can perform state-of-the-art key management and authentication from low power devices using robust encryption. This facilitates the safe transfer of remote software updates and enhanced mobile device access, whilst at the same time negating the threats we associate with open networks and malware.
Industry Specific IoT Security Issues

Automotive: Remote Software Updates

The automotive industry is often cited as one of the emerging areas for connectivity, with 'Autonomous Cars' assuming the pinnacle of the Gartner 2015 'Hype Cycle' [4], but security issues are beginning to overshadow this sense of opportunity. Quite pertinently, SDS (Software Defined Security) follows on the heels of Autonomous Cars, highlighting how security has lagged behind product innovation.

As cars become increasingly connected, clear security gaps have appeared, particularly in terms of remote software updates, digital rights management and highly publicized cyber-physical attack vectors.

Tesla's connected cars provide an active example of how vehicle infotainment and telematics have fully incorporated mobile technology, with the Model S regularly receiving software updates over-the-air in a near identical manner to the updates you'd receive on your smartphone. When updates impinge on cyber-physical features such as steering, autopilot and collision avoidance, it's clear that strong authentication and encryption need to be high priority.

The need for wireless patching and remote updates will become ever more pressing as cars and IoT devices in general acquire increasing amounts of complex software. Because this software is attached to high value / high liability products, mass car recalls have sometimes been the only option in terms of securing a mission critical update. The growth of these recalls in recent years exhibits the manufacturers' inability to update remotely through wireless patches.

BMW recently updated its wireless patch distribution system to use HTTPS, which shows that despite taking an industry lead, even the most conscientious manufacturers are still behind the times in terms of actually applying security in the first place. A recent HP research project pointed out that 60% of the IoT devices they studied didn't use any form of encryption on software updates. [6]

Omlis' core technology can provide the levels of strong mutual authentication which are required for secure software updates, guaranteeing that products are communicating with the intended source and encrypting communications throughout the entire product lifecycle.
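The three things this section asks of a secure update channel, that the device can tell an update really came from its vendor, that the payload was not altered in transit, and that an old release cannot be pushed back onto it, can be shown concretely. The Go program below is an added example written for this page; it is not Omlis, Tesla or BMW code, and it assumes a vendor Ed25519 signing key whose public half is installed on the device at manufacture, a manifest layout of its own (version number plus SHA-256 of the image), and a constructed firmware image. Transport encryption (HTTPS, as in the BMW case) still matters for confidentiality; this example covers the authentication and integrity half.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one update image. Signing a small manifest rather than
// the whole image lets a constrained device reject a bogus update before it
// spends time or flash on the payload.
type Manifest struct {
	Version   uint32   // must increase on every release (anti-rollback)
	ImageHash [32]byte // SHA-256 of the image bytes
}

// encode gives the fixed-layout bytes that are signed and verified.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf, m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// Update is what arrives over the (possibly hostile) network.
type Update struct {
	Manifest  Manifest
	Signature []byte // Ed25519 signature over Manifest.encode()
	Image     []byte
}

// Device is the minimal receiver state: the vendor's public key (assumed to be
// installed at manufacture) and the version currently running.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: not from the vendor")
	ErrHashMismatch = errors.New("image does not match the signed hash")
	ErrRollback     = errors.New("update is not newer than the installed version")
)

// Apply checks provenance, integrity and freshness, in that order, and only
// then commits the new version. Any failure leaves the device unchanged.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorPub, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrHashMismatch
	}
	if u.Manifest.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = u.Manifest.Version
	return nil
}

// BuildUpdate is the vendor side: hash the image and sign the manifest with
// the long-term signing key, which never needs to leave the vendor's systems.
func BuildUpdate(vendorPriv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(vendorPriv, m.encode()), Image: image}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorPub: vendorPub, Installed: 3}
	image := []byte("constructed firmware image, release 4") // constructed sample

	fmt.Println("genuine v4:    ", dev.Apply(BuildUpdate(vendorPriv, 4, image)))
	fmt.Println("replayed v4:   ", dev.Apply(BuildUpdate(vendorPriv, 4, image)))

	modified := BuildUpdate(vendorPriv, 5, image)
	modified.Image = append(append([]byte(nil), image...), 0xFF) // altered in transit
	fmt.Println("modified image:", dev.Apply(modified))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // anyone but the vendor
	fmt.Println("foreign signer:", dev.Apply(BuildUpdate(otherPriv, 5, image)))
	fmt.Println("installed now: ", dev.Installed)
}
```

The order of the checks is deliberate: the signature is verified first so that a device never hashes or stores a payload whose manifest it has no reason to trust, and the version comparison runs last so that a genuine but stale release is rejected without touching the installed state.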
Healthcare: Mobile Device Access and Authentication

According to MarketResearch.com there will be a $117bn market for IoT in the healthcare sector by 2020, but this kind of growth is fully dependent on security as the great enabler.

As well as the latent privacy issues associated with such personal information, health records are estimated to be worth ten to twenty times more than credit card details, with criminals using stolen records to file fake insurance claims or illicitly buy drugs or equipment.

At present, many of the leading wearables issued by commercial firms such as Fitbit don't tend to fall under the scope of global data protection acts. These wearables transmit to server databases which aren't used by health practitioners, so the information has very few compliance issues. However, if this information is redistributed to professional health practitioners, then the data becomes sensitive.

Many of these wearables are known as 'headless devices', with little or no user interface and an inability to exchange credentials [6]. They rely on beaconing out to a smartphone (or similar device) via Bluetooth in order to enroll into a network, which then places the primary security demands on the phone. According to Symantec's 'Insecurity in the Internet of Things' whitepaper, 84% of analyzed IoT devices offered a smartphone application [7], bringing us back to the idea of the smartphone as the ultimate remote control.

Connected healthcare is an emerging industry where mobile-first security vendors such as Omlis are ideally positioned to help guide what equate to fairly scant data security standards in terms of mobile device access and authentication.

Industry and Infrastructure: Securing and Encrypting Data over Wi-Fi

It's telling that Dell Security gave special attention to the concept known as SCADA (Supervisory Control and Data Acquisition) in their 2015 Annual Threat Report, noting that attacks on systems increased from 163,228 incidents in 2013 to 675,186 in 2014. Buffer overflows, cross-site scripting and cryptographic issues all featured prominently amongst the most common attack methods. [8]

SCADA formed the early foundations of the IoT in both industry and infrastructure. The vision and scope of this concept has grown exponentially with the incorporation of connected devices, and the lines between SCADA and the IoT are increasingly beginning to blur.

SCADA was traditionally used over Local Area Networks and Wide Area Networks, with appliances being wired up to a central control system, as in traditional M2M communications. Since then there's been a clear move to more distributed architectures, which has meant that SCADA is encountering increased usage over Wi-Fi networks.

Connections to Wi-Fi are obviously more dangerous and less reliable, with many advising against it entirely for industrial applications. Nevertheless, Wi-Fi's growing role in SCADA applications is acknowledged as an inevitable consequence of the IoT, particularly in those sectors which are slightly less critical than heavy industry or military.

Once again, Omlis' core technology can provide reassuring levels of machine-based mutual authentication, whilst securing and encrypting data over Wi-Fi; all of which can empower the advancement of the IIoT (Industrial Internet of Things).
"One of the main challenges the IoT faces is the reduced footprint on which a secure solution must run whilst providing security and protecting privacy. Wearables and other embedded electronic devices have cost constraints that limit the size of the CPU and the memory. In these conditions, only tailored solutions can be effective. Omlis is the only provider bringing a fully secure solution bundling key management, mutual authentication and encryption to the IoT. Omlis offers a dedicated answer to a very specific need of security and compactness."
Stéphane Roule, Senior Technical Manager

How Omlis Addresses the IoT's Insecurities

Omlis' core technology has already showcased its ability to secure the channel between client and server via the cloud with the recent release of SEM (Secure Enterprise Messenger) on the IBM Bluemix platform.

The true value Omlis brings to the IoT is our software-defined capability to wrap the strongest cybersecurity traits into one tailored solution with the lowest imprint on memory and processing power.

For example, strong mutual M2M authentication is a discipline which the Omlis core technology can potentially satisfy to a greater degree than any current solution provider, using our innovative authentication protocols.

The security of the Wi-Fi network is less critical because of our innovative key management and key exchange protocols. Unique keys are generated at the point of transaction and, due to the design of our distributed architecture, actual keys are never sent over the network and are never stored on the client or server side; so even if a MitM (Man-in-the-Middle) attack takes place on a relatively unguarded device, the hacker will fail to retrieve any meaningful information.

This method of generating keys at both ends of the communications channel means that Omlis never transmits sensitive data in plaintext, and information related to transaction keys can be erased from memory as soon as it becomes redundant. Furthermore, Omlis' high integrity design principles and embedded software make security less dependent on the increasingly vulnerable Operating System, thus increasing resistance to malware.
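The property claimed above, that a fresh per-transaction key exists at both ends yet never crosses the wire and can be wiped once used, is what an ephemeral key agreement provides. The Go program below is an added example written for this page to illustrate that principle; it is not Omlis's protocol or code (the page does not describe how Omlis derives its keys), and it assumes an X25519 ephemeral exchange, a simplified HMAC-based key derivation, and a hypothetical per-device provisioning secret under which each side authenticates the handshake. The Transcript struct is everything an on-path observer would capture; KeyLeaked checks that the derived key is not among it, and Verify shows that substituting a public value is detected.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transcript is everything an on-path observer captures for one transaction;
// absent by construction are both private scalars and the derived key.
type Transcript struct {
	DevicePub, ServerPub []byte // ephemeral X25519 public keys, one per side
	DeviceTag, ServerTag []byte // each side's proof of the provisioning secret
}

// deriveKey turns the raw ECDH secret into a 32-byte transaction key with a
// simplified HKDF (HMAC extract, one expand block) bound to both public values.
func deriveKey(shared, devicePub, serverPub []byte) []byte {
	extract := hmac.New(sha256.New, []byte("demo-kdf-salt")) // assumed constant
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(devicePub)
	expand.Write(serverPub)
	expand.Write([]byte("transaction-key"))
	return expand.Sum(nil)
}

// authTag binds the exchange to the per-device provisioning secret (assumed to
// be installed at manufacture); the direction label prevents tag reflection.
func authTag(psk []byte, direction string, devicePub, serverPub []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write([]byte(direction))
	m.Write(devicePub)
	m.Write(serverPub)
	return m.Sum(nil)
}

// Zeroize overwrites key material as soon as it is redundant.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Handshake runs one transaction-key agreement and returns the key each side
// derived on its own (they must match) together with what the network saw.
func Handshake(psk []byte) (deviceKey, serverKey []byte, tr Transcript, err error) {
	curve := ecdh.X25519()
	devPriv, errD := curve.GenerateKey(rand.Reader)
	srvPriv, errS := curve.GenerateKey(rand.Reader)
	if err = errors.Join(errD, errS); err != nil {
		return nil, nil, tr, err
	}
	tr.DevicePub = devPriv.PublicKey().Bytes()
	tr.ServerPub = srvPriv.PublicKey().Bytes()
	// Each side combines its own private scalar with the peer's public value.
	devShared, errD := devPriv.ECDH(srvPriv.PublicKey())
	srvShared, errS := srvPriv.ECDH(devPriv.PublicKey())
	if err = errors.Join(errD, errS); err != nil {
		return nil, nil, tr, err
	}
	deviceKey = deriveKey(devShared, tr.DevicePub, tr.ServerPub)
	serverKey = deriveKey(srvShared, tr.DevicePub, tr.ServerPub)
	Zeroize(devShared) // raw secrets are redundant once the key exists
	Zeroize(srvShared)
	// Mutual authentication: without it an on-path party could run its own
	// exchange with each side and relay between them.
	tr.DeviceTag = authTag(psk, "device->server", tr.DevicePub, tr.ServerPub)
	tr.ServerTag = authTag(psk, "server->device", tr.DevicePub, tr.ServerPub)
	return deviceKey, serverKey, tr, nil
}

// Verify is what each side runs on the peer's tag before trusting the key.
func Verify(psk []byte, tr Transcript) bool {
	return hmac.Equal(tr.DeviceTag, authTag(psk, "device->server", tr.DevicePub, tr.ServerPub)) &&
		hmac.Equal(tr.ServerTag, authTag(psk, "server->device", tr.DevicePub, tr.ServerPub))
}

// KeyLeaked reports whether the derived key appears anywhere in the transcript.
func KeyLeaked(key []byte, tr Transcript) bool {
	for _, seen := range [][]byte{tr.DevicePub, tr.ServerPub, tr.DeviceTag, tr.ServerTag} {
		if bytes.Contains(seen, key) {
			return true
		}
	}
	return false
}

func main() {
	psk := []byte("constructed per-device provisioning secret") // constructed
	dk, sk, tr, err := Handshake(psk)
	if err != nil {
		panic(err)
	}
	fmt.Println("match:", bytes.Equal(dk, sk), "leaked:", KeyLeaked(dk, tr), "authentic:", Verify(psk, tr))
}
```

The pre-shared provisioning secret is what turns an unauthenticated exchange into a mutually authenticated one; the ephemeral X25519 keys give each transaction its own key, so capturing one transcript tells an observer nothing about any other transaction, and Zeroize is the "erased from memory as soon as it becomes redundant" step applied to both the raw shared secret and, once the caller is done, the derived key.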
The Omlis core technology can package its powerful characteristics into the IoT architecture in a manner which older legacy solutions will struggle to achieve.
References
1. https://www.idc.com/getdoc.jsp?containerId=prUS25291514
2. http://blogs.air-watch.com/2014/10/airwatch-vmware-signs-enable-iot-enterprise/#.ViEHS36rSUk
3. http://www.researchgate.net/publication/279063057_Enforcing_Security_Mechanisms_in_the_IP-Based_Internet_of_Things_An_Algorithmic_Overview
4. http://www.gartner.com/newsroom/id/3114217
5. http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
6. http://www.copperhorse.co.uk/the-quandaries-of-headless-iot-device-provisioning/
7. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/insecurity-in-the-internet-of-things.pdf
8. https://software.dell.com/docs/2015-dell-security-annual-threat-report-white-paper-15657.pdf
Contributors
The following individuals contributed to this report:
Stéphane Roule
Senior Technical Manager
Nirmal Misra
Senior Technical Manager
Paul Holland
Analyst
Jack Stuart
Assistant Analyst