The diversity and capabilities as well as a lack of security found in the multitude of devices in the Internet of Things world is making people at the US Department of Homeland Security more than a little concerned.
This week it put out a call for “novel ideas and technologies to improve situational awareness and security measures for protecting IoT domains, as well as technologies that will help DHS operational and support components gain comprehensive and near continuous knowledge of IoT components and systems that affect their operations and assets.”
+More on Network World: 20 years ago: Hot sci/tech images from 1995+
By using the Internet and its various connection mediums (e.g., Bluetooth, Wi-Fi, serial interface, wireless), any IoT system can be connected to any other device on the Internet. This level of connectivity opens tremendous opportunities for the capabilities of IoT-based systems, but also allows every node, device, data source, communication link, controller and data repository attached to IoT to serve as a security threat and be exposed to security threats. Therefore, any IoT system’s security is limited to the security level of its least secure component, the DHS stated.
IoT security efforts are further complicated by IoT’s convergence of physical components and the virtual information flows and connections of IoT. Therefore, DHS stated, in addition to the typical vulnerabilities of IT systems, IoT enabled systems create additional security concerns because IoT domains are:autonomous and control other autonomous systems; highly mobile and/or widely distributed; and are vulnerable to physical and virtual threats.
+More on Network World: GAO: Early look at fed’s “Einstein 3” security weapon finds challenges+
What the DHS is looking for is summed up in three areas it describes as detect, authenticate and update.
Detect: DHS said it wants technologies that address the overall challenge of providing effective situational awareness of deployed IoT systems. There is currently no reliable method for IoT system security managers to detect and garner timely, dynamic, valid and comprehensive awareness of all components connected to and/or affecting their infrastructure.
Given that many Internet-enabled devices have the ability to connect to many IoT systems, the possibility of unauthorized or malicious connection to an IoT system is a very real threat. DHS is seeking technologies that can detect and collect information about all devices, components and/or connections in a given IoT system. DHS defines devices as active sensors or deployed autonomous hardware that is connected to an IoT system. DHS stated that there are a number of challenges that must be overcome to provide effective detection and situational awareness of IoT system components. These include:
• IoT devices may be connected from any location with virtual, networked access to IoT systems;
• IoT devices may not emit specific signatures and may only operate in “listening modes”;
• IoT devices may be connected only briefly or intermittently, requiring dynamic detection;
• IoT devices may be mobile;
• IoT devices may include legacy devices and connections incompatible with contemporary identification tools; and
• IoT devices may be deployed in remote, dangerous or otherwise difficult to access locations hampering physical inspection and/or connection.
Authenticate: Not only do IoT system managers need to know what is connected to their systems, they also need to validate the provenance of IoT components and determine that the components are not being spoofed or otherwise controlled. DHS defines this capability as authenticating IoT components. IoT systems include components from multiple manufacturers with a variety of security protections, encryption protocols, communication links and subcomponents. Often, the value of IoT deployments is the flexibility they provide for designers to deploy the best component regardless of manufacturer. If a component can connect to the network, it can potentially be deployed in any IoT system.
Specifically, DHS is interested in technologies that address the following goals:
• Able to accurately determine the provenance of IoT components from multiple manufacturers;
• Provide IoT component operators with tamper evident proof of authenticity;
• Detect spoofing of widely distributed IoT components;
• Work in low bandwidth, low power environments;
• Limit downtime of IoT systems during authentication; and
• Provide valid authentication of dynamic, rapidly changing systems.
Update: IoT systems grow and change over time. IoT users can add new devices, components, connections, sensors, information flows, and implement updates and upgrades to security and features, DHS stated. In addition, many IoT devices do not have the capability to encrypt the data it is reporting or providing. However updating systems, especially security and encryption updates, is extremely difficult with diverse widely distributed IoT domains. There are a number of challenges that make updating IoT systems especially difficult. These include:
• The wide variety of devices and manufacturers;
• The wide variety of communication and security protocols;
• Remote w/o physical access, so must be done via network;
• Legacy devices built without ability to update or obsolete connections
• Many low cost devices may be built without ability to update;
• Updates may result in costly downtime or limited functionality; and
• Low power and/or bandwidth may limit updating capability DHS is seeking technologies that would allow for frequent and timely updates of IoT components. The solution could be a “bolt-on” device or other novel approach that would allow IoT operators to:
• Provide timely updates and patches to IoT components as needed;
• Operate with remote and widely distributed IoT system components;
• Operate with extremely low power and bandwidth requirements;
• Minimize system reboots and/or downtime during update process;
• Support updates to numerous types of components, devices, connection modalities, including legacy systems;
• Introduce encryption to devices that do not have the ability to send encrypted data
• Provide IoT system managers with information detailing the function, operational and other impacts of an update;
• Create a record of updates by device and update version
The DHS went on to say that widely distributed devices, dynamic information flows, and lateral connectivity across environments provide new capabilities and create new threats throughout what it terms the Homeland Security Enterprise (HSE). The HSE broadly encompasses federal agencies, state and local governments, critical infrastructure operators, businesses and communities responsible for contributing to our collective homeland security. Interoperability and seamless communication across diverse categories of devices, which are critical for IoT to achieve its maximum value for society, exponentially increase the number of attack surfaces that a malicious actor may attempt to exploit.
Check out these other hot stories: