The potential damage to people, possessions, businesses and national critical infrastructure from a successful attack on cyber-physical systems through the rapidly emerging Internet of Things (IoT) should not be underestimated, according to a new study announced today by Beecham Research.
To mark the announcement of the study, an initial Beecham report entitled “Evolving Secure Requirements for the Internet of Things” warns that there are currently insufficient security capabilities within the emerging IoT standards to manage the long life-cycles expected of many IoT devices. “While we may have some visibility of potential attacks over a few months, we need to protect IoT devices in the field for 10 years or longer,” says Professor Jon Howes, one of the authors of the report and Technology Director at Beecham Research. “Devices must be securely managed over their entire lifecycle, which will allow for them to be reset if needed and will enable remote remediation to rebuild and extend security capabilities over time”.
Beecham believes the answer to these challenges lies at the architectural level for both devices and systems, stretching from semiconductors to network operators and system integrators. This approach underlines the need for common security objectives across the industry and interoperability within broad systems.
This first report is a significant component of a longer study that includes substantial industry collaboration – covering silicon device vendors and extending across all major industry stakeholders – followed by publication of frameworks for an array of use cases.
The report also highlights potential future attacks on IoT systems and how these may ultimately affect users, which include home owners losing control of their appliances, door locks being disengaged, or security alarms being monitored by malicious actors.
“The attack surface of an Internet of Things system may be substantially larger than traditional PCs, as the complexity of ensuring multiple vendors’ systems working together will lead to a greater probability of exploits being available,” said Professor Howes.
“We have all become familiar with computer malware, but the impact of equivalent IoT attacks could be to turn off a heating system in the middle of winter or take control of other critical IoT systems, both of which could be potentially life threatening.”
Securing the Internet of Things is significantly more complex than many system designers may think, says the report. One critical issue is keeping data trusted and private whether within the system, in flight, or at rest, as well as developing robust cryptography schemes necessary for this level of data protection. Additionally, significant thought is required to navigate the identification, authentication and authorisation of both devices and people into IoT systems. At the end of the day, systems designers must presume that all devices will become compromised at some point, so they need to ensure that it is possible to regain control should they need to do so. Those devices would therefore need to be quarantined yet remain functional inside the system while updates are created. This is no easy task.
The authors of the Beecham report welcome the work of industry organisations such as the AllSeen Alliance and the Open Interconnect Consortium in researching IoT security further, but various government organisations including the UK’s Centre for the Protection of National Infrastructure (CPNI) and the US Department of Homeland Security (DHS) have made it clear that IoT security must evolve very rapidly to meet real-life threats from hacktivism, terrorism and cyber warfare.
Haydn Povey, Technical Associate and former Director of Secure Products at ARM Holdings, said, “While many technologies such as advanced cryptography are being introduced in current IoT devices, governments around the world are concerned about the acceleration of IoT and agree that there is significantly more work needed to meet the demands of future threats as outlined in the ‘20 Critical Security Controls’, originally developed by the Council for Cybersecurity for mainstream IT security.” Povey adds: “There is an urgent need to both deliver cost effective solutions that enable robust security and retain the flexibility to deliver real benefits in the face of expected threats. This requires well-architected and interoperable frameworks across vendors and technologies, integrated at an IP and silicon level to enable the evolution of security services the whole industry can leverage.”
The Beecham “Evolving Secure Requirements for the Internet of Things” study is targeted at all organisations regardless of industry or government.
“While the industry has learnt many lessons from the traditional IT domain, the initial steps necessary to secure the IoT are sufficient only for the near term. Pressure must be applied to drive greater system robustness, ensure that interoperability is applied across the industry, and deliver standards that can be measured and certified,” concluded Robin Duke-Woolley, Founder of Beecham Research.
About Beecham Research
Beecham Research, Ltd. is a leading technology market research, analysis and consulting firm based in Cambridge, UK with offices in North America and mainland Europe. The company is the only global consulting and research firm focused solely on the worldwide and rapidly growing M2M (machine-to-machine), Internet of Things and Embedded Mobile markets. Beecham has specialized in M2M and related markets since 2001. Visit www.beechamresearch.com for more information.
Professor Jon Howes is Technology Director at Beecham Research specialising in analysing and researching the worldwide M2M/IoT markets’ technology challenges. He was previously CEO at NEuW and has held senior technical positions with Fujitsu Microelectronics, Ferranti and British Aerospace.
Haydn Povey has been in senior management at leading global technology companies for the past 20 years, with the last 10 years at ARM. Most recently he was responsible for ARM strategy and product roadmaps for security within the IoT and M2M marketplaces, working closely with US and UK governmental agencies and alongside leading silicon vendors, OEMs and system integrators and software solutions providers.