Iowa, USA-located company Icon Labs that provides embeddable networking and security technology recently announced its Internet of Secure Things initiative.
In a white paper on the initiative, President and co-founder of the company Alan Grau says The Internet of Things (IoT) had become a ubiquitous term to describe the tens of billions of devices that had sensing or actuation capabilities, and were connected to each other via the Internet. This includes everything – from wearable fitness bands and smart home appliances to factory control devices, medical devices and even automobiles. Security was never high priority for these devices until now, hence his company was initiating The Internet of Secure Things.
Making out a case on how it had now become necessary to secure “the Things” themselves, Grau says in his paper that there had been a lot of discussion regarding the hacking of devices and systems to obtain, information and data. But just as critical were cyber-attacks against the devices themselves as these could take over control of the device and cause them to operate in dangerous and insecure ways.
Unfortunately, he says, many of these systems which were thought to be safe were still vulnerable. For instance, even though Industrial Automation and Critical Infrastructure devices were usually installed inside the secure perimeter of an enterprise network, that perimeter “was porous and could be easily penetrated or disabled.” On top of that, says the white paper, insider threats, whether malicious or accidental, were found to contribute as much as 70 per cent of cyber-attacks.
Security Challenges for the Internet of Things
Now part of the expanding Web connected network, embedded devices, says Grau, are very different from standard PCs or other consumer devices. These industrial operational assets are commonly fixed function devices designed specifically to perform a specialized task. Many of them use a specialised operating system such as VxWorks, MQX or INTEGRITY, or a stripped down version of Linux. Installing new software on the system in the field either requires a specialised upgrade process or is simply not supported. In most cases, these devices are optimised to minimize processing cycles and memory usage and do not have extra processing resources available to support traditional security mechanisms.
As a result, in the view of Icon Labs President’s view, standard PC security solutions will not help solve the challenges of embedded devices. In fact, given the specialised nature of embedded systems, PC security solutions won’t even run on most embedded devices.
According to him, the use of multiple layers of protection is the driving principle for enterprise security. It includes firewalls, authentication/encryption, security protocols and intrusion detection/intrusion prevention systems. These are well established and proven security principles. Despite this, firewalls are virtually absent in embedded systems, instead relying on simple password authentication and security protocols. This is based on assumptions that embedded devices are not attractive targets to hackers, embedded devices are not vulnerable to attacks, or authentication and encryption provide adequate protection for embedded devices. These assumptions are no longer valid; the number and sophistication of attacks against embedded devices continues to rise and greater security measures are needed.
Some of the challenges for implementing the Internet of Secure Things and assuring security of embedded devices have been spelled out in this white paper.
These include:
1. Critical functionality: In addition to devices, systems and appliances in a home, embedded devices also are found controlling the world’s transportation infrastructure, the utility grids, communication systems and many other capabilities relied upon by modern society. Interruption of these capabilities by a cyber-attack could have catastrophic consequences.
2. Replication: Once designed and built, embedded devices are mass produced. There may be thousands to millions of identical devices. If a hacker is able to build a successful attack against one of these devices, the attack can be replicated across all devices.
3. Security assumptions: Many embedded engineers have long assumed that embedded devices are not targets for hackers. These assumptions are based on outdated assumptions including the belief in security by obscurity. As a result, security is often not considered a critical priority for embedded designs. Today’s embedded design projects are often including security for the first time and do not have experience and previous security projects to build upon.
4. Not easily patched: Most embedded devices are not easily upgraded. Once they are deployed, they will run the software that was installed at the factory. Any remote software update capability needs to be designed into the device to allow security updates. The specialised operating systems used to build embedded devices may not have automated capabilities that allow easy updates of the device firmware to ensure security capabilities are frequently updated. The device itself may not have the IO or required storage that allows for updating to fight off security attacks.
5. Long life cycle: The life cycle for embedded devices is typically much longer than for PCs or consumer devices. Devices may be in the field for 15 or even 20 years. Building a device today that will stand up to the ever evolving security requirements of the next two decades is a tremendous challenge.
Icon Labs, he says, delivers a full suite of security solutions to secure embedded and IoT devices and enabled Internet of Secure Things Initiative. The Floodgate product family provides a security framework that is designed specifically for use in embedded and RTOS-based devices.
The required security capabilities for the Internet of Secure Things initiative, described in Icon Labs’ new White Paper – “The Internet of Secure Things – What is Really Needed to Secure the Internet of Things?”, can be downloaded for free at www.iconlabs.com.
Image Credit: Icon Labs
– Advertising Message –