By Joshua Fisher and Michael Swinson, King & Wood Mallesons’ Melbourne office.
The “internet of things” or “IoT” may be the defining technology buzzword of our age. Certainly just about every technologist is busy explaining how the IoT will revolutionise the ways in which businesses work and societies function.
Yet, as IoT systems and devices proliferate, so do the security implications. While many benefits of the IoT can only be realised by expanding the ecosystem of interconnected IoT devices, this can also be one of its greatest flaws; networks are only as secure as their weakest link.
Many readers will already be familiar with some of the more famous examples of IoT vulnerability, such as the demonstration at the 2015 Black Hat conference of remotely taking control of a Jeep Cherokee travelling at over 110kph, or the recent incident in which IoT-connected CCTV video cameras and DVR players were used to facilitate one of the largest internet denial of service attacks in history. However, despite the high level of awareness of these security issues, industry is yet to take a coordinated approach to dealing with these matters.
The IoT Security Guideline
Against this backdrop, the IoT Alliance Australia (the primary industry body for the IoT in Australia) has released an IoT Security Guideline (“Guideline”) to help the IoT industry come to grips with its security challenges before they are pushed into the ‘too hard basket’. The Guideline emphasises that:
“The attack surface for IoT is enormous, there are no accepted models for security across IoT, and there is a risk that security may become an afterthought due to the demands of getting products to market.”
The Guideline aims to bring security considerations to the forefront of IoT development and production, in particular by:
- promoting a ‘security by design’ approach to the IoT;
- assisting businesses, carriers and digital service providers (who use IoT systems or devices) in various industries to better understand the practical application of security and privacy for IoT device use; and
- promoting awareness of the relevant legislative framework.
Are all IoT systems created equal?
One of the most challenging features of the IoT is its sheer scope. IoT devices may do things as mundane as automatically ordering groceries or switching on your home heating, or they may do things as critical as control essential infrastructure (like energy distribution networks) or deliver medical treatments. The Guideline acknowledges that a class of IoT systems and devices used for critical applications (known as “Critical IoT”) may require special attention from a security and resilience standpoint.
The Guideline emphasises that Critical IoT applications must be “fault tolerant, dependable, and trustable”. Indeed, they require higher levels of reliability, availability and survivability (e.g. by ensuring that a minimum level of functionality will still be available, even if there is some loss or degradation of the underlying IoT network) than typical consumer-grade IoT applications. For this reason, the Guideline notes that there is no single solution which can define security for the IoT – network architects and device designers will need to identify security requirements relevant to their particular applications, and then adopt corresponding and proportionate security measures. This is all part of the ‘security by design’ ethos promoted by the Guideline.
Compatibility of the IoT with traditional security practices
As the Guideline notes, many traditional security practices are fundamentally unsuited for use in an IoT context (irrespective of whether an application is “Critical IoT”). It recognises that:
“Traditional IT systems implement security based on 25-year-old security control standards which hardly address the current cyber security demands are quite unsuitable for use as the basis of security and trust in the IoT. The use of enterprise security controls has not worked well in the industrial control systems sector, where the requirement for continuous operation is incompatible with routine patching and restarts. Similarly, it is unlikely that a home light bulb will continuously check for patches, apply updates, and monitor for cyber-attack – with IoT modules at sub-$1, a highly commoditised security paradigm is required.”
By way of example, some low-powered IoT devices—such as micro / nano-technology enabled sensors—may not provide the requisite level of computing power needed for security at the physical and media access control layer. Accordingly, a new security paradigm may be required for the IoT; one that is more agile, one that can apply across a range of technologies, and one that does not require a high level of distributed processing power. The Guideline proposes that a common foundation for this new approach may be to address security at a data level rather than at a device or network level. In other words, to focus on protecting the output of the IoT system rather than the system itself.
Future approach to IoT security
The Guideline encourages developers of IoT systems and devices to adopt secure IoT frameworks—which incorporate security by default—to ensure that security does not take a backseat to product rollout and development. However, the Guideline freely acknowledges that:
“There is no best design for IoT security. There are many different IoT devices, and security needs to be considered in the context of how the device will be used. The device alone will not provide complete security; it needs to be supported by a good end-to-end architecture.”
To help tackle this reality, the Guideline provides details of IoT security “best practices”. It references various third-party standards that deal with different layers of the IoT ecosystem (from the application layer, to the routing layer, to the access control layer and the hardware layer). The Guideline also canvasses industry-based approaches from around the world, which address particular security concerns associated with specific industry domains (such as healthcare, smart cities, automotive and agricultural domains). The Guideline will be a valuable resource for any IoT operator looking to identify, and apply, a security design that is most appropriate for their particular situation.
While it is clear that the best approach to security is situation specific, the Guideline recommends the following seven key questions distilled by the IoT Security Foundation (an international non-profit organisation dedicated to addressing security issues with the IoT) as a useful starting framework:
- Does the data need to be private?
- Does the data need to be trusted?
- Is the safe and / or timely arrival of data important?
- Is it necessary to restrict access to, or control of, the device?
- Is it necessary to update software on the device?
- Will ownership of the device need to be managed or transferred in a secure manner?
- Does the data need to be audited?
For new IoT applications, the answers to these seven questions should highlight the key areas requiring attention from a security and data protection standpoint. And if a designer is unable to answer any of these questions, it should set alarm bells ringing about important security features that may be missing. The IoT Alliance Australia hopes that the Guideline, in the long term, “may form the foundation from which sector specific IoT security profiles and controls can be developed.”
Security is not purely a business concern
Importantly, the Guideline clearly flags that paying attention to IoT security is not purely a business concern. IoT applications operate within an existing framework of laws that impose specific compliance standards on different participants, including general privacy laws (e.g. the Privacy Act 1988 that applies to all private sector organisations with an annual turnover in excess of $3 million) and specific laws that apply to those that operate the communications networks over which the IoT operates (e.g. the Telecommunications Act 1997, the Radiocommunications Act 1992 and the Telecommunications (Interception and Access) Act 1979). Inadequate attention to security issues may lead to security breaches, critical media coverage, damaged customer relations, and potential legal liability. The Guideline is a useful starting point for IoT operators wanting to understand, and ensure compliance with, their legal obligations.
Next steps for the Guideline
It is clear that the IoT is here to stay. It will continue to grow as engineers develop more creative ways for us to interact within a connected environment. Likewise, concerns about IoT security will remain, particularly as new technologies are released. In order to continue supporting good security practices, the IoT Alliance Australia intends to progressively develop and publish IoT security design patterns to further support the Guideline.