Internet of Things: next big thing or next big fear

Security and trust in the connected world

The IoT revolution is not scary... it’s just exciting in essence and offers endless opportunities.

I was 12 years old, young, passionate and enthusiastic about my recent expensive achievement: a white, thick plastic brick covered with brown keys, called Commodore 64. Framed blue screens, a big white square cursor blinking on my grandma’s TV and a world made of sprites and numbered lines of BASIC were storing dreams in only 64 kilobytes of RAM.

Not even 30 years later we are confronted, once again, with the next big thing. Powerful processors and better operating systems capable of handling digital media drove the internet revolution; we then brought the internet into our daily mobile life, created new needs and finally reshaped an ancient, established human process called “communication”.

What is missing to meet the 70s vision of the future?

Flying cars, jet packs, and droids! Bruce Schneier describes the IoT as a robot. We are giving machines human senses; the Internet of Things can hear, see and smell, can feel cold and hot. The robot has arms to actuate commands in the physical world, even to drive our cars.

We are giving the IoT a brain to think with, through sophisticated analytics, sentiment analysis and machine learning, and finally we are giving devices near-real-time communication powers, interconnecting them in a way humans certainly are not connected to one another.

Commodore 64C system with 1541-II floppy drive and 1084S RGB monitor. © image: Bill Berram, commons.wikimedia.org

Photo of IoT robot during PwC event

Say “hi” to the 21st-century robots

Security is still perceived as a barrier to the adoption of IoT solutions. Building a safer IoT means embedding security from the ground up. The “billions” and “trillions” in market forecasts will not save the IoT from failing, badly, if the droid does not meet one basic human requirement called “trust”.

Security of the IoT is about trust and keeping control of the robot.

Look at the recent facts: we clearly lost control when facing one of those events whose possible occurrence cybersecurity experts, like prophets, had been discussing for years: an army of infected cameras in a botnet controlled by hackers, maybe just one, maybe a teenager, used to flood a major DNS (the internet’s domain name system) provider with traffic and bring down several sites and services.

A few days later, Mirai (the malware used in the attack) was reported to have knocked an entire country offline. The same malware was also reported to be behind an attack on the heating systems of two housing blocks in Finland, which is anything but a laugh when winter hits at -22 degrees Celsius. Researchers have demonstrated how to hack medical devices, voting machines and critical infrastructures like power plants.

What’s next?

Ransomware for washing machines to steal your expensive clothes, or an armada of toasters to attack critical infrastructures? I wish connected things could stay far from influencing operational processes.

Overused parallels between human immunity and IT aside, the droid can get sick: it can be infected by a virus that exploits, for instance, wireless protocols like ZigBee. Recent research shows how to trigger a “chain reaction”, spreading a worm infection by proximity from one IoT device to the adjacent ones, so keep your neighbour’s drone away from your connected light bulbs. The droid could catch infections the way humans catch the flu. The pandemic, the paper comments, could start with a single infected bulb being fitted in a city with a high density of vulnerable devices and trigger a catastrophic spread.

The heat map shows the areas in the US most affected by the denial-of-service attack of Friday, Oct. 21st.

© image: en.wikimedia.org

The IoT revolution is not scary; it’s just exciting in essence. From wearable technology and connected toys to Industry 4.0, it offers endless opportunities.

Should we fear the IoT?

The IoT is a compelling, unstoppable, big revolution that is already ongoing. I realize that many security experts bring negativity and fear about the IoT, and this article may not seem to be doing differently. On the contrary, in this article I want to bring a positive message and insist on how great the opportunities are and how amazing the technology behind it all is.

Time is crucial while we’re navigating the awareness cycles. We will certainly land in the IoT’s “mitigated insecurity” phase, but how long will it take? Let’s make sure it is a short time; let’s do it now, as it might take longer than we’re used to.

Security in the IoT will follow what I would coin “Cybersecurity Awareness Cycles”. The same happened with web application and mobile security. At the advent of every new disruptive innovation we fall into a “total insecurity” phase: risks and threats are completely unknown. Slowly, by learning and researching, we move into a more conscious phase. Risk acceptance and threat modelling create security awareness but also generate fear; that is the process that pushes us to remediate, apply fixes and mitigate issues.

Only by security awareness will we move into the “mitigated insecurity” phase, facing the uncertainty and learning how to deal with it.

Timing of awareness cycle

At PwC we favour a holistic approach and provide an ecosystem-aware framework based on three dimensions, built on top of technology, modelling and crypto.

Security by Design

It’s about guidelines, secure design, validation and a proper secure development life cycle (SDLC). It’s also about the architecture, data security and many other properties of the final solution.

Security by Assessment

We need to test and assess the security posture of our solutions, considering the threat model, before hitting the market. Ethical hacking helps, and white-box hybrid assessments are the way to go.

Security by Trust

Trust and security are tightly linked. Extending machine trust to humans is the way to adoption of large-scale IoT solutions.

Tackling security for connected devices

For two years I have been speaking at events explaining how important “data” is. Data is the commodity of the IoT business. Information must be kept safe, ensuring integrity, confidentiality and authenticity and protecting intellectual property at every stage of the device lifecycle: at boot, at run time, at rest and in communication. We are failing to bring the existing IT cybersecurity culture to the IoT and are making the same mistakes again. This time it is harder than ever before: we face a scattered, complex environment, a truly heterogeneous mix of technologies, providers and actors. Have a look at the IoT value delivery chain to get a sense of this complexity.
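As an added illustration of the “at boot” part of that requirement, here is a boot-time check that refuses a firmware image whose authentication tag does not verify or whose version is older than the one already installed. This is example code written for this page, not PwC’s or any vendor’s implementation: the image layout, the device key and the payloads are constructed for the example, and a symmetric HMAC is used only so that the block runs with the Python standard library. A real secure-boot chain verifies an asymmetric signature against a public key anchored in ROM, a TPM or a TEE, and keeps the secret material out of the flash that holds the image.

```python
"""Added example (not from the original article): firmware verification at boot.

The bootloader accepts an image only if
  1. its structure is sane,
  2. its HMAC-SHA256 tag verifies under the device key (integrity + authenticity),
  3. its version is not older than the installed one (anti-rollback).
The image layout, key and payloads below are constructed for this example.
"""
import hashlib
import hmac
import struct
from typing import Tuple

MAGIC = b"FWIM"
HEADER_FMT = ">4sIIH"                      # magic, version, payload length, reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 14 bytes
TAG_LEN = 32                               # HMAC-SHA256 output size

# Hypothetical per-device key; on hardware it would sit in a TPM/TEE/OTP fuse,
# never in the same flash as the image it protects.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


class BootError(Exception):
    """Raised when an image must not be executed."""


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Build-server side: image = header || payload || tag."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload), 0)
    body = header + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_image(key: bytes, image: bytes, installed_version: int) -> Tuple[int, bytes]:
    """Boot side: return (version, payload) or raise BootError."""
    if len(image) < HEADER_LEN + TAG_LEN:
        raise BootError("image too short")
    magic, version, length, _ = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != MAGIC:
        raise BootError("bad magic")
    if len(image) != HEADER_LEN + length + TAG_LEN:
        raise BootError("length field does not match image size")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak, byte by byte, how much of
    # a forged tag is correct through timing differences (a side channel).
    if not hmac.compare_digest(tag, expected):
        raise BootError("authentication failed")
    # Only now is the header trustworthy, so only now act on the version field.
    if version < installed_version:
        raise BootError(f"rollback refused: version {version} < {installed_version}")
    return version, image[HEADER_LEN:HEADER_LEN + length]


def boot_outcome(key: bytes, image: bytes, installed_version: int) -> str:
    """Human-readable result of one boot attempt."""
    try:
        version, payload = verify_image(key, image, installed_version)
        return f"booted v{version} ({len(payload)} bytes)"
    except BootError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    good = build_image(DEVICE_KEY, 3, b"constructed firmware v3")
    tampered = bytearray(good)
    tampered[HEADER_LEN] ^= 0x01            # flip one bit of the payload
    old = build_image(DEVICE_KEY, 2, b"constructed firmware v2")
    forged = build_image(b"attacker-key", 9, b"malicious payload")
    for label, img in [("genuine", good), ("tampered", bytes(tampered)),
                       ("downgrade", old), ("wrong key", forged)]:
        print(f"{label:>10}: {boot_outcome(DEVICE_KEY, img, 3)}")
```

The order of the checks matters: structural fields are used only to locate the tag, the tag is verified before any decision is taken on the header, and the version comparison runs last so that an attacker cannot bypass anti-rollback by editing an unauthenticated header.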

How difficult is it to integrate security into this inherently insecure design?

The market has severely neglected security in favour of rapid development and cost efficiency. There are plenty of insecure (low-cost) devices out there. I am still an ethical hacker. In the past, the dark web and bitcoins were the ingredients needed to mount a real denial-of-service attack. Today, I could just go to the supermarket, buy a cheap camera, tear it apart, dump the firmware, and search for and exploit a vulnerability. By querying Shodan you can find thousands of similar devices, et voilà: yet another botnet!

Security for the IoT is a concern that spreads across the entire value delivery chain. Obviously, I do not have a magic-wand solution. There are no industry-accepted guidelines yet; many are working, and struggling, to produce good material. The Online Trust Alliance, the Cloud Security Alliance, the GSMA and the Industrial Internet Consortium are doing great work, but the level of complexity is still too high.

Vito Rallo in close-up with colleagues


The GSMA suggests looking at security by type of ecosystem. It works like a charm, as constraints and security requirements are different for each domain. We should consider:

1. Endpoint Ecosystem (devices, endpoints, sensors, etc),

2. Link Ecosystem (networking and communication), and

3. Service Ecosystem (back-end, APIs, data collectors and magic data processing services).

Trust is the challenge and the key to the IoT success. Trust is more than security. It is a concept influenced by many properties in the IoT value system, tightly linked to security and inevitably related to privacy.

Trust as key factor for IoT success

Identity, software integrity and transaction integrity are all examples of trust issues. “Glitching”, “side-channel analysis”, “data tampering” and “identity theft” are some of the threats that could lead to corrupted data and/or broken privacy, and could wrongly influence decision-making processes where the trust design fails.

Get prepared; you will hear a lot about it. In the upcoming years we will experience tremendous growth in, and demand for, solutions to establish machine trust. The answer is always an acronym: HSM, TPM, PKI and TEE are just a few examples of new or revamped solutions aiming to establish trust that are popping up in the IoT universe.

Trust is not entirely new to security folks. This time we’re about to grant trust to machines that can interact with the physical world; that’s the big deal! It’s no longer just about M2M. Humans must extend the trust circle to machines; that sounds scary but, again, there’s nothing new: we do it every day when driving our cars or submitting bank transactions online. We trust our bank and the technology behind its home-banking service.

The IoT must learn to influence our “psychological safety”, and it’s not doing great for the time being! Such concepts are well known to economists and management experts. Psychological safety is what makes employees happy, creates trust in managers’ leadership and builds winning teams. End users must trust the IoT solution; data, privacy, efficiency and availability, it’s all about trust.

Establishing trust

We need guidelines and mandatory regulations governing IoT security. Probably something will come soon from the US National Institute of Standards and Technology (NIST) or a similar entity. The US may be the first country to impose rules and liabilities. People trust institutions as safety regulators. That’s one way to extend trust to the IoT, and at the same time it forces companies to follow a proper secure development life cycle and to consider security testing.

Humans establish trust by head and by heart. Machines can probably mimic the head and learn to establish trust by means of technology, protocols and crypto. Establishing trust is a must in accomplishing the next big revolution. I just can’t wait to understand more about this fascinating relation between people and machine trust. How far I am now from the Commodore 64, after not even 30 years… So far, yet not far enough. No, I’m not afraid of the IoT; despite Spielberg’s vision, there is something that machines will never get. It’s called heart.

Contact us

Vito Rallo
Senior Manager
Tel: +32 (0)2 710 4352