Internet power to connect, communicate and remotely manage millions of networked devices is becoming pervasive. The market and nations are gung-ho about IoT phenomena globally and so does India. As per pundits, the IoT devices count would reach to 20 to 30 billion by 2020. McKinsey global institute research estimated the probable impact of the IoT on the global economy might reach $6.2tn by 2025. Along with it, the Indian market is poised to reach $15bn by 2020 as cited by a NASSCOM study “IoT in India - The Next Big Wave”. Consumers and organizations both are feeling the IoT gravitational pull in their respective ecosystems. Consumers are adopting the wearables and consuming services with the help of networked devices at public place or at home. Classic examples are smart watch, smart apparel, internet based glucometer etc. Industry has also experienced the transition from closed networks to enterprise networks to public internet to deliver its business leveraging industrial internet of devices (IIoT).
Industry use cases which are gaining traction are such as but not limited to,(i) Oil, Gas and Mining, millions of IoT devices would be used at the extraction sites to provide insights into environmental metrics (ii) Manufacturers are expected to leverage sensors for machine to machine communications, remote maintenance, worker tracking and workload optimization etc. (iii) Agriculture where sensors would be placed underneath soil to check acidity levels, temperature and other variables that can help farmer in improving the crop yields (iv) Retail in which sensors on trolleys and CCTVs are used to track consumer behavior (v); Healthcare where operating devices are available to the doctors from remote places to conduct surgeries without physical presence in the hospital or with the help of robots (vi) Smart buildings, where organizations globally are already demonstrating IoT based energy efficient solutions to connect and monitor rooftop HVAC systems (vii) Energy conservation to reduce carbon level emissions at home and industry via robust energy management systems leveraging smart grid devices, water quality management, controlled waste management and so on, all equipped with internet enabled sensors and gateways.
IIoT uses cases underlying IoT architectural components such as protocols, networks, sensors, associated IT systems and gateways warrant robust cyber security architecture to achieve the objective of end to end protection. One cannot imagine a non-secure future in which IoT devices surround us, optimizing time, furthering our wellbeing, improving our health and transforming workplace productivity. The trends in IoT security landscape by 2020 are, but not limited to, IoT security market is expected to reach nearly $29bn by 2020, as per a report published by Markets and Markets, 50% of manufacturers would not be able to patch vulnerabilities in IoT devices, 2.5% of attacks in an enterprise would be on IoT/IIoT, discovery, provisioning and authentication would eat significantly into IoT security budget and 50% of large IoT implementation would require cloud security services.
IoT landscape is changing at a blink of an eye and also the cyber threat landscape associated with it. IoT devices are exposed to cyber-attacks such as denial of services, identity theft, jamming, tampering, eavesdropping, side channel attacks, stolen keys of encryption and devices acting as bots etc.
In case of a cyber-attack on IoT devices, life may come to a standstill or it may cause harm to humans who is different when compared with risk landscape of IT environment in which the consequence is limited to data leakage or services not being available etc. The countermeasures against cyber-attacks which need to be deployed by the organizations globally have an arduous task cut out to achieve objectives such as integrity and confidentiality of data, availability, safety and resiliency of IoT systems.
The burning question is how we can find a silver bullet for thwarting the cyber-attacks on IoT? The answer is we don’t, because securing IoT ecosystem would evolve with time, learning from failures, and with data availability for the analysis. Now is the opportune time to understand in detail the security challenges landscape of the IoT ecosystem. The indicative challenges are, but not limited to, guarding program logic controllers (PLCs) embedded in the devices, patching industrial control systems without impacting its functional safety, prevention of unauthorized usage of private information hosted on plethora of IoT devices, anomaly detection in the behavior of IoT devices functioning and to counter remote hijacking of IoT devices etc.
The journey of secure implementation in IoT ecosystem is not a cake walk hence it warrants focused attention. Stages which need consideration from security and privacy aspect during implementation are design, implementation, deployment, operations and disposal. Each stage is to be given fair consideration so that there are no loose ends left while on the journey of end-to-end secure IoT implementation. The first stage is a ‘Design Phase’ which may involve building safety & security considerations such as threat modeling, conducting privacy and safety impact assessments, conceptualizing compliance engineering, writing processes and agreements for secure acquisitions and updating, managing SLAs and it is to be accompanied by robust technology selection for components such as hardware, software, third party libraries, authentication, authorization, edge & security monitoring etc. Second stage which is actual ‘Implementation’ consists of stitching elements such as security awareness training, system testing, secure system integration, system configurations and lastly to roll out IoT incident management procedures etc.
The third stage is when organizations actually take a leap of faith for ‘IoT Deployment’ which may consist of foundations such as red and blue teaming, asset management system, security provisioning, verification of security controls and monitoring and reporting etc. Fourth stage is when the organizations should wake up again and re-energize themselves to bear the fruits of all three stages completed till now. It is the stage of ‘Operating’ IoT ecosystem which is to manage eclectic mixture of systems that can continuously deliver compliance assessment, forensics, monitoring, device health management, incident management etc. Fifth stage is where organizations retire IoT systems as implement. It is the ‘Disposal Stage’ consisting of elements such as secure device disposal, inventory removal, data purging, data archival and records management etc.
The architectural layer of IoT ecosystem which is of paramount importance is the protocols on which it operates and functions. The protocols such as MQTT, CoAP, ZigBee and Bluetooth, etc warrants distinctive cryptography techniques for its protection. The traditional cryptographic method is a starting point but may not prove to be sufficient in the future. Another architectural layer which is one of the critical components of IoT ecosystem is its Identity Access and Management (IAM). Its sub-elements are identity lifecycle, authentication and authorization. Organizations need to take into considerations that next generation IoT devices need to be secured with techniques which may involve evaluation of context of transactions, application of dynamic authorization policies, leveraging registration authorities, deploying token based authentication and developing non-IP based device protection techniques etc.
The conundrum of IoT cyber security is not confined only to the organizational boundaries. The problem statement is also applicable for the nations working towards building smart cities and towns. The ambition to build smart nation brings new set of cyber security challenges. Some indicative challenges on national level are such as, butnot limited to, building IoT/IIoT sectoral inventory, formulation of technical standards to integrate IoT and IT systems, absence of robust field firewalls, field controllers, light weight encryption capabilities, techniques for auto-discovery and device authentication, ineffective threat analysis and intelligence sharing and not able to deliver secure interoperability in use cases integration etc. A national charter for IoT cyber security has to take a deep dive in the ocean of problem statements. The starting point could be building national policy on IoT implementation and its cyber security, funding R&D to build robust IoT technologies, conduct studies on its threat landscape and gaps to extract the directions needed for its future, building assurance ecosystem for IoT products& services and doctrine for health monitoring of IoT devices etc. The charter on IoT cyber security is recommended to be a live document that may change with technology developments and evolution of cyber-risks.
Do we want to wait until the rise of weaponization of IoT, cyber-attacks leading to loss of human lives and chaos in the social order? The fictional part of our life had demonstrated the same in movies such as Die Hard 4.0, Swordfish and recently released Blackhat. It’s time to rise before it is too late for the organizations and nations to prepare for the omnipresent cyber threats. The grave security and privacy issues of IoT need to be addressed before we miss our train. Factors such as but not limited to end users and clients demanding more secure products, government intervention, regulations and hackers activities may drive this ecosystem preparation. One should take cognizance and remember IoT/IIoT devices will remain targets due to its underlying design and gaps which we might leave unpatched. To end, cyber security quote for this would be “Prepare well or Perish”.
The topic will be deliberated in detail at DSCI Best Practices Meet 2017.