'Threat Map' reveals IoT security challenges
08 May 2015
Beecham Research reveals extent of security challenges facing the Internet of Things (IoT) with new, freely downloadable IoT 'Threat Map'.
The proliferation of different devices, networks, platforms and applications to support the Internet of Things (IoT), multiplies the vulnerabilities and greatly increases the potential for malicious attacks, according to Beecham Research.
The new Beecham Research IoT Security Threat Map highlights the key areas where external or internal attacks may originate and where the fast growing IoT industry needs to do more to provide better security controls.
The IoT Threat Map was presented at this week’s ‘Internet of Things Security Summit’ run by the National Microelectronics Institute at Bletchley Park, to an audience of senior industry, government, research and end user delegates.
Professor Jon Howes, Technology Director at Beecham Research, believes that the only reason we have not seen serious IoT breaches already is because the IoT has not yet been deployed in large-scale consumer or enterprise applications that make them attractive to attackers.
“Traditional M2M [Machine to Machine] applications are typically very focused, using specific edge devices, a single network and custom platform, making it relatively easy for security professionals to secure to the acceptable level,” said Professor Howes. “But the IoT cuts across different sectors and embraces multiple devices and networks - from satellite to cellular – along with a growing number of IoT platforms and Big Data systems, which present threats on many different levels and fronts. Wherever there is a new interface between devices, networks, platforms and users, there is the potential for a new weak link.”
Beecham points to a number of specific internal and external threats inherent in the IoT ecosystem. When it comes to sensors and devices, the challenge is largely around identification, authentication and authorisation, to ensure a level of trust and avoid risks such as application hijacking. There is also the threat of physical intrusion. “Using Differential Power Analysis (DPA), it is well known that by ‘listening to’ very small changes in power consumption when different calculations are performed in a chip, it is possible to work out an encryption key,” explains Howes.
The main threat at the network level comes at the interface between different types of network. “With a mix of fixed, satellite, cellular and low power wireless networks as well as personal and body area networks (PAN & BAN), the challenge is to secure the transfer of multiple streams of data between selected networks without exposure of key secrets or equipment control,” says Howes.
With over 100 players now offering IoT platform solutions combined with the growth of Big Data and cloud based technologies across multiple market sectors, Beecham believes that this is where most attacks will be focused. “The benefits of IoT by definition rely on lots of data with high levels of searchability and analysis,” says Howes; “but this also means that the data must exist in plain text, which presents multiple threats – not least from insider attacks from sysadmins and authorised users.”
Beecham Research believes that while work is going on to secure different parts of the Internet of Things, there is no joined up approach. “We talk about the need for a deep Root of Trust in security and this is even more critical in a complex, connected IoT ecosystem,” says Howes. “This starts at device level with sensors and microcontrollers and continues through the networks, platforms and into the cloud. It’s a massive jigsaw and every piece has to deliver a level of trust to ensure end-to-end security and integrity.”
“Security in the Internet of Things is significantly more complex than existing M2M applications or traditional enterprise networks,” says Robin Duke-Woolley, CEO at Beecham Research. “Data must be protected within the system, in transit or at rest and significant evolution is required in the identification, authentication and authorisation of devices and people. We must also recognise that some devices in the field will certainly be compromised or simply fail; so there needs to be an efficient method of secure remote remediation – yet another challenge if the IoT is to live up to expectations.”
The Beecham Research Threat map can be viewed and downloaded here.
Time to think Internet of Sensors and not Internet of Things
When you cut through the hype around the Internet of Things (IoT), it’s the Internet of Sensors (IoS) and resulting data that matters most, according to developers at The Technology Partnership (TTP).
“The IoT is, to a large extent, a solution looking for a problem, rather than the other way round,” says Steve Taylor, a senior consultant at TTP. “There’s simply no point in objects talking to each other just for the sake of it and the IoT only provides the communications backbone. An Internet of Sensors looks more like the roots of a tree, with sensors of all types at the extremities, capturing and feeding data upwards to the main trunk – the Internet.”
Connecting things over the internet is certainly not new. TTP has been working on machine to machine (M2M) and even organism to machine applications for over 20 years, from sensors to monitor cow herds to sensors in orthopaedic joints and F1 engines. “The IoT hype is supported by silicon vendors eager to dream up new applications for chips,” says Taylor. “But that’s putting the ‘cart before horse’. It’s more important to look at the needs first and then create systems around them. In this world, small changes in the sensor map can lead to very significant commercial gains.”
Taylor points to Google that has proven the business case for data-mining everything we type, do, say and breathe in order to gain better insight into our lives, actions and needs. Business managers throughout industry now want to replicate this with their products and assets. There’s a huge amount of data which is not being ‘listened to’. In heavy industry for example, saving a few percent of energy by improved temperature modelling can be worth billions.
“Certainly there is a need to pump more data to the Cloud, to gain greater insight into systems and how they perform in reality,” says Taylor. “This information is extremely valuable, particularly if you can blend local sensor data with historical data.”
“There is a great business opportunity for both established companies and start-ups as the new connected world evolves, but it’s those who think first about real world information and how to capture and harness it – those who think about the IoS and not the IoT – that will emerge as the winners,” concludes TTP’s Taylor.