Securing the "Internet of Things"

Aug 26, 2010, By Larry Karisny

Reprinted courtesy of MuniWireless.

If we are going to live in a wireless Internet-connected world, we need to secure it first. Intel’s recent $7.68 billion acquisition of McAfee highlights just how important this will be to the future of Internet-connected mobile devices.

Current research estimates that there will be 5 billion Internet-connected devices later this month, growing to 22 billion devices by 2020.
By adding an Intel/McAfee chip/software security combo, an additional layer of security could be offered in a more robust and manageable solution that can react quickly to new security threats while maintaining interoperability. As an example, a multitude of network wireless access points have followed 802.x standards for several decades. These standards have not only offered vendor-agnostic backward compatibility but have also been leveraged when upgrading security platforms. Just like wireless network access points, security needs to be interoperable and standards-based.

With billions of devices out there, the typical computer OS stack doesn't exist in the same way, and security will be a big problem. In fact, these Internet-connected devices are not computers but small processors doing low-power functions. Your security overhead may be too big to fit in the processor. This was a terrible security lesson that was learned when deploying smart meters for the power grid.

The list of players pursuing the smart-grid market is like a “Who’s Who” of the biggest companies in the world, and Intel is no exception. In fact, they are a major contributor to GridNet, an industry consortium focusing on the smart grid. This smart-grid target market not only offers billions of dollars in chip and security solutions but is also a good opportunity to learn from smart meters. Frankly, if security issues with smart meters are not fixed first, it may stop Intel from securely connecting billions of Internet-connected home area network devices to the smart grid.

A recent report from Pike Research offered some sobering comments on just how important this is. “It would be naïve to think that smart meters will not be successfully attacked. They will be,” the report states. “In fact, smart meters represent a worst-case scenario in terms of security: the devices lack sufficient power to execute strong security software; they are placed in physically non-secure locations; and they are installed in volumes large enough that one or two may not be missed.”

“Smart meters are one of the weakest links in the smart-grid security chain,” says industry analyst Bob Lockhart. “Home area networks, commercial building networks, and utility networks all perform well in terms of keeping data encrypted within their domains. However, these domains terminate at the smart meter, and the only way for data to pass from one network to the other is for the smart meter to decrypt the data from one side and re-encrypt it on the other. Consequently, the data are, for a short while, unencrypted on the meter and could be successfully eavesdropped.”

Without the needed security, Internet-connected devices could offer entry into the smart grid, potentially allowing power to be turned on or off remotely through the network connection or by way of a worm that could affect the millions of smart meters and billions of wireless Internet-connected devices. This may seem like a showstopper, but there are actually ways to offer high-end security with low overhead through layer 2 security techniques.

A good understanding of layer 2 security is offered by Australian-based Senetas in its white paper describing the attributes and differences as they relate to today’s security models. Swiss-based InfoGuard explains layer 2 advantages as secure data transfer without any restrictions, no overhead, minimal latency and easy network integration and configuration. U.S.-based WirelessWall actually deployed this layer 2 security solution almost 10 years ago, addressing similar eavesdropping issues between military field soldiers in Iraq when connecting end devices to short-range communication radio access points.

Just like today’s smart meters and Internet-enabled devices, the military application was faced with the need for high-end security with low device overhead. In addition, they needed to be vendor-agnostic and be able to cloak existing network security. WirelessWall now offers this same capability to the commercial marketplace. Clearly, attributes of layer 2 security will have their place in the wireless Internet-connected device market and may be an immediate solution to a big problem in today’s smart meters and tomorrow’s wireless Internet-enabled devices.

It is great to see Intel taking security seriously with the potential acquisition of McAfee. This is a start toward being upfront about security, and toward security no longer coming second to product release. This is the type of responsibility we need in a world that will be connected by billions of Internet-enabled devices that will affect everything we do on a daily basis. Add a few missing links to the security model and Intel is in the security business.

Larry Karisny is the director of Project and a consultant supporting local wireless broadband, smart grid, transportation and security platforms.