
Are We Looking at Our Last Chance to Get IoT Security Right?

The Internet of Things is growing and so is the risk of exploitation.


Time is running out on setting security standards for the Internet of Things. The President’s National Security Telecommunications Advisory Committee (NSTAC) has examined the cybersecurity implications of IoT and has determined that there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk.
While the adoption of IoT is increasing in both speed and scope, and will impact virtually all sectors of our society, NSTAC warns that if the country fails to develop and use security standards, “it will be coping with the consequences for generations.”
The President’s Commission on Enhancing National Cybersecurity reached a similar conclusion: “The IoT facilitates linking an incredible range of devices and products to each other and the world. Although this connectivity has the potential to revolutionize most industries and many facets of everyday life, the possible harm that malicious actors could cause by exploiting these technologies to gain access to parts of our critical infrastructure, given the current state of cybersecurity, is immense.”


IOT SECURITY IS A PUBLIC, PRIVATE AND INTERNATIONAL CONCERN
To reduce such risks, the National Institute of Standards and Technology (NIST) has opened its Draft NISTIR 8200 report to private-sector comment on the development of much-needed global IoT security standards. With IoT breaches mounting, the comment request may have come just in time.
IoT is everywhere and, if exploited by hackers or terrorists, could cause physical damage, including devastation of critical infrastructure, human harm or even death. This puts standards groups in the precarious position of needing international agreement on how to address IoT security on a global basis.
There is an added concern with the interaction of IoT processes and machine-to-machine actions that no human sees. For example, an Intrusion Prevention System (IPS) that watches such traffic needs specialized authentication, validation, encryption and process-management capabilities that are not necessarily achievable under current cybersecurity standards.
In encryption alone, two issues come up repeatedly, according to NIST. First, IoT devices have limited processor power and memory, which rules out heavyweight cryptographic hardening even as they extend connectivity to millions of new endpoints. Second, current authentication and encryption technologies were not designed to operate under those constraints.
IoT brings deeper learning, system actions and connectivity, and that in turn requires security methods that interoperate across every hardware, network, protocol and software platform while respecting the processor limits and multi-protocol requirements of IoT devices.
Securing IoT is a tall order. The comments on the NIST draft show that existing standards need to change, and that achieving IoT security may mean deploying genuinely disruptive cybersecurity technologies.

CAN IOT SECURITY FIX ALL CYBERSECURITY?

IoT security is not typical security. It often adds an entire layer of process events to an already complex operating system. Many processing systems already have security issues, and adding IoT to them can open further weaknesses. This is the “weakest link” scenario, in which the smallest IoT device can trigger catastrophic consequences.
There is an advantage to learning how to secure IoT. If a small IoT action can be secured at the processor level of an operating system, the same low-overhead, millisecond-scale techniques can be applied across a variety of system processes. IoT security could be the learning process needed to achieve complete system-process security.
Finding the answer to IoT security requirements is not easy. Physical IoT deployments require many different human and machine authentications while extending process intelligence and events throughout the system. That extension is often connected to system processes that already have security concerns, such as cloud applications, and even locally isolated IoT ecosystems have been conscripted into DDoS attacks. A solid IoT security platform could be a road map for addressing all forms of cybersecurity. From encryption hardening to deep process learning, if you can secure IoT you can secure anything.

NOW IS THE TIME TO GET IOT SECURITY RIGHT

The Interagency International Cybersecurity Standardization Working Group offers an interesting direction for national and international evaluation of IoT standards. Global public- and private-sector IoT applications could be badly affected by IoT cyberattacks. This hands NIST the daunting task of finding the best technical solution for IoT security while contending with the political and corporate influence already embedded in existing cybersecurity standards.
With the private sector pointing to big problems in IoT security and the International Organization for Standardization (ISO) rejecting NSA-designed IoT encryption algorithms, this could be the moment for getting IoT security right. It could happen through government guidelines and regulations involving global standards bodies such as ODVA, OPC and ISA, or through industry groups such as the Internet Engineering Task Force (IETF), the Industrial Internet Consortium (IIC) security working group or IEEE. The world understands the importance of securing IoT devices and systems, and NIST is at the forefront of that need.
Now the hard work starts. We need to get these standards right, and fast. IoT security confronts many problems that existing cyberdefense systems cannot solve on their own. Data at rest, data in motion, signatures and key algorithms are all vulnerable to attack, as are keys and signatures to theft under current security technologies. Multiplied by billions of IoT devices, those keys and signatures cannot be managed by today's methods. Viewing and validating the smallest digital event must be done with a speed and accuracy that current cyberdefense technologies have never offered.
Security environments already struggle with scalability, monitoring, management and cost. IoT adds a whole new extended endpoint to processes and will require monitoring and security methods that are both deeper and easier to manage. IoT security experts must find a way to do this in the deepest, most complex systems while adding the process-security simplicity those systems need.
This may require a different way of thinking in an industry that has reached a level of complexity it can no longer sustain. The comment period on the NIST draft is an opportunity to respond to these IoT security needs in a forum open to both the public and private sectors. Both need to participate and collaborate in addressing the global requirements of IoT security.
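The two practical constraints raised in this article, cryptography that has to fit a constrained processor and keys that have to be managed for billions of devices, are usually met together by deriving keys rather than storing them. The following is an added example, not code from the original article or from any standards body: a backend holds one fleet master key and derives each device's key on demand with HKDF (RFC 5869), so it stores nothing per device; each device authenticates its short telemetry frames with a truncated HMAC-SHA256 tag and a monotonic counter for replay protection. Only hash and HMAC primitives are used, which a small microcontroller can also afford. The master key, device ID, frame layout and sample payloads are all constructed for illustration and are assumptions of this example.

```python
"""Per-device key derivation and authenticated telemetry for a constrained fleet.

Added example (not from the original article). Assumptions: the backend keeps a single
fleet master key and derives each device key from the 8-byte device ID with HKDF-SHA256;
devices send frames of the form  8-byte device ID | 4-byte counter | payload | 16-byte tag,
where the tag is HMAC-SHA256 over header+payload truncated to 128 bits. All keys, IDs and
payloads below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

TAG_LEN = 16      # 128-bit truncated HMAC-SHA256 tag keeps frames small on the wire
HEADER_LEN = 12   # 8-byte device ID + 4-byte big-endian counter


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) on SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_key(master: bytes, device_id: bytes) -> bytes:
    """Derive one device's key; the backend never stores it, it recomputes it on demand."""
    if len(device_id) != 8:
        raise ValueError("device_id must be exactly 8 bytes")
    return hkdf_sha256(master, salt=b"fleet-telemetry-v1", info=b"device:" + device_id)


def build_frame(key: bytes, device_id: bytes, counter: int, payload: bytes) -> bytes:
    """Device side: authenticate header+payload with a truncated HMAC tag."""
    if len(device_id) != 8:
        raise ValueError("device_id must be exactly 8 bytes")
    header = device_id + struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class FleetVerifier:
    """Backend side: holds only the master key plus the last accepted counter per device."""

    def __init__(self, master: bytes):
        self._master = master
        self._last_counter = {}   # device_id -> highest counter accepted so far

    def verify(self, frame: bytes) -> tuple[bool, str, bytes]:
        if len(frame) < HEADER_LEN + TAG_LEN:
            return False, "short frame", b""
        header, body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        device_id = header[:8]
        counter = struct.unpack(">I", header[8:HEADER_LEN])[0]
        key = device_key(self._master, device_id)              # derived, not looked up
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):            # constant-time comparison
            return False, "bad tag", b""
        # Only a frame with a valid tag may advance the counter; this blocks replays
        # without letting an attacker burn counters with forged frames.
        if counter <= self._last_counter.get(device_id, -1):
            return False, "replay", b""
        self._last_counter[device_id] = counter
        return True, "ok", body


def demo() -> list[str]:
    """Run one device against the backend: accept, replay, tamper, then a fresh frame."""
    master = hashlib.sha256(b"constructed fleet master key").digest()   # constructed
    dev = b"sensor01"
    key = device_key(master, dev)      # what would be provisioned into the device
    backend = FleetVerifier(master)
    results = []
    f1 = build_frame(key, dev, 1, b"temp=21.5")
    results.append(backend.verify(f1)[1])            # fresh frame -> "ok"
    results.append(backend.verify(f1)[1])            # same frame again -> "replay"
    f2 = build_frame(key, dev, 2, b"temp=22.0")
    tampered = f2[:HEADER_LEN] + b"temp=99.0" + f2[-TAG_LEN:]
    results.append(backend.verify(tampered)[1])      # altered payload -> "bad tag"
    results.append(backend.verify(f2)[1])            # untouched frame -> "ok"
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the ordering in verify: the tag is checked before the counter is consulted or advanced, so a forged frame can never move a device's replay window, and the backend's per-device state is a single integer rather than a key. Integrity and replay protection are all this frame format provides; if the payload also needs confidentiality, the same derived key would feed an AEAD rather than a bare HMAC.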

STANDARDS ON STEROIDS 

Public- and private-sector participation in cybersecurity needs to continue. We all gain by working together on this issue, and there is no better illustration than securing IoT. It requires international cooperation in many applications while still leaving room for unique or even proprietary requirements for national defense and critical infrastructure.
There must be a balance of authentication, privacy and security at both the human and machine level. We can no longer afford to put Band-Aids on legacy security standards. We must seek out and deploy security designs that fix the problem rather than delay it. By choosing the right capability, we can address this.
IoT has the worst security record in the industry, and little has been done about it. We need a different way of getting the job done if we are to catch up in the race for cyberdefense. IoT's vulnerabilities have forced standards groups like NIST to think beyond tweaking old standards and into a new proof-of-concept era. We need to catch up in cyberdefense technology, and a public-private collaborative approach may be the answer. We have been given the opportunity. We must now turn that opportunity into action.
Larry Karisny is the director of ProjectSafety.org, an adviser, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.


IoT Is Changing the Cybersecurity Industry

Despite a less-than-stellar record to this point, the Internet of Things space is forcing companies to think holistically about the security behind their devices.

JANUARY 16, 2018

It's odd that the Internet of Things (IoT) industry, an industry with a dismal record of cyberbreaches, would be the one moving cybersecurity forward, but that is exactly what is happening. With regulation looming and the bad press from recent breaches, there is no longer a choice: better IoT security is a must. I will be speaking at the IoT Evolution Expo in Orlando this month on this very subject, and thought I'd give you a sneak peek.


IoT Security Gets a Failing Grade
If I remember correctly, 50 percent is a failing grade, and yet nearly 50 percent of IoT companies reported some type of security breach in recent memory. This shocking reality confirms that something needs to be done to improve IoT cyberdefense, and quickly. I cover a lot of areas in cybersecurity and know of no other industry with such a bad track record of breaches. Though these hacks expose data, not all of that data has value: sometimes an IoT hack yields useless data that offers no intelligence for an exploit, a denial of service or a machine-control attack. The better news is that cyberdefenses are at last coming to market that can address the need for solid IoT security.

New Cyberdefense Technologies Needed for IoT

IoT is different and has the potential to change everything. It is the new extended edge, enabling unprecedented applications and intelligence with tremendous economy and accuracy. These tiny devices are the next step in physical artificial intelligence (AI). I stress “physical.” They are out in the real world telling both people and machines what they need to know and what to do. If hacked, they can manipulate or destroy physical things, with impacts that can extend to entire economies or, worse, cause loss of life. IoT is not just a database. It is an actuator in the physical world that must be authenticated, validated and secured, or it risks very real danger.

Deep IoT Needs Deep Security 

There is no room in IoT for standard-size cryptographic code and keys, or even for routine processor firmware patches. These tiny devices were built around minimal battery budgets, which dictated tiny low-power processors with minimal flash memory. That limitation has pushed the entire cybersecurity industry to rethink how we currently secure all digital technologies, and we are beginning to see the successful deployment of the resulting security technologies today. If we are going to have deep learning in artificial intelligence and IoT, we need deep security as well. IoT is pushing new security technologies toward that goal.

The Enhanced Blockchain IoT Security Fit

Today's centralized security models carry high infrastructure and maintenance costs for centralized clouds, large server farms and networking equipment. The sheer volume of communications to be handled when IoT devices grow into the tens of billions will create bottlenecks and points of failure that can disrupt the entire network. Decentralized blockchain technologies could address these limitations. As a principal in a company offering enhanced blockchain security, I am aware that blockchain alone is promising, but it is not the total answer. Just as with today's layered security architectures, what we need from blockchain is a secure and safe IoT in which privacy is protected, and enhanced blockchain-layered security technologies can offer this.

Revolutionize or Regulate

It is always better to self-regulate, and I hope the IoT industry gets the opportunity to find security solutions on its own. In working with cybersecurity entrepreneurs, I find that compliance and regulation never seem to catch up with the pace cyberdefense technology requires. Billions were spent on security compliance for the smart grid, and while those guidelines have value, at the end of the day compliance does not mean you are secure. Hackers change things daily, while compliance recommendations can take years. Cyberdefense needs to be more proactive, and so does adoption of the mature, working technologies available to it.

Preparing for Post-Quantum

Quantum computing and IoT have a very bright future. I stress “future” because a lot of issues must be addressed before quantum computing and IoT work together. In the shorter term, though, a sufficiently large quantum computer is expected to break the public-key algorithms that today's static encryption depends on. Answering that with more complex algorithms and larger key and file sizes will not work for IoT, or really for any other industry. In my last article, Is Cybersecurity Encryption Ready to Break?, I discussed the importance of looking for new low-overhead encryption technologies.

The IoT security opportunity

IoT suppliers with a future will be the ones that invest in the security of their products. Even venture-backed startups are clearly aware that they need to secure their IoT applications; if they do not, they could lose customers, spend money on regulatory issues or, worse yet, face legal action. The smart IoT suppliers are embracing security and advertising it, even when it carries a premium price, and they are finding that customers will pay that premium. There are even IoT enterprise, managed-services and cloud-computing companies getting into the game with their own offerings. IoT security is no longer a matter of choice; it is a requirement.
 
Larry Karisny is the director of ProjectSafety.org, an adviser, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.