Can the IoT be immunized?

This entry was posted on Monday, August 14th, 2017.

The Financial Times recently published an article that explores the dangers of an unsecured IoT ecosystem. As the article notes, human pandemics such as the Spanish Flu illustrate how poor cyber-health could potentially lead to a global malware attack.

“The deadliest plague in history is the influenza pandemic of 1918. The so-called Spanish Flu claimed victims on virtually every continent, infecting 500-million people, or one-third of Earth’s population,” the writers explain.

“Contributing to the contagion were the poor conditions of soldiers during World War I, as well as their movement around the world. Worse still, at a time before vaccines, the population lacked immunity to the virus.”

As the Financial Times notes, while the infection of millions of electronic devices and systems is not equivalent to the loss of human life, the economic losses of a global cyber-attack could exceed $120 billion.

“With research firm Gartner projecting IoT penetration to reach 20 billion devices by 2020, civilization is reaching a turning point where consumer appliances, industrial devices, mass-transit systems and critical infrastructures will all link together online, forming a vast cybernetic organism that co-exists with humanity,” the writers continue. “This surge of IoT device connectivity could amplify the impact of a malicious network effect. The weakest link will be industries and manufacturers that have never before factored cyber-risk and data security into their industrial designs.”

According to the Financial Times, networks and devices are vulnerable to a number of threats, including distributed denial of service (DDoS) attacks where hackers manipulate vast “bot armies” of hijacked devices to shut down websites; zero-day exploits, or previously unknown software vulnerabilities that adversaries abuse to sabotage enterprise systems; and military-grade malware that is now commercially available on the dark web.

“Using Gartner’s estimates, IoT device growth will see a three-fold increase from 2016 to 2020, meaning there will be that many more hosts for malware worms to infect and coerce into DDoS botnets, or to encrypt host data and hold it for ransom [ransomware],” the Financial Times elaborated. “Two recent ransomware outbreaks, WannaCry and Petya, in May and June of this year, illustrate the scope of the threat. Both attacks repurposed EternalBlue, a leaked National Security Agency tool, to infect hundreds of thousands of targets in over 150 countries. More unsettling, over half of Petya’s targets were industrial.”

Commenting on the dangers of an unsecured IoT ecosystem, Dr. Martin Scott, the Senior Vice President and General Manager of Rambus’ security division, told the publication that authenticating trusted devices is critical to managing IoT security risks. This entails “immunizing” both devices and cloud networks, where data is transmitted and stored. Nevertheless, a software solution alone is not always sufficient.

To prevent the spread of the disease, says Scott, one should confirm both the identity of a device and its digital health status (infected vs. uninfected), which can be accomplished with a hardware-root-of-trust.

Put simply, a hardware-root-of-trust (HRoT) is an on-chip vault that uses cryptographic keys, numerical strings that serve as an algorithmically generated identity, to securely house a device’s unique DNA.

Using HRoT technology, chipset vendors can inject unique and unalterable device identities directly into chips. In addition, the cryptographic verification protocols embedded in these chip modules enable manufacturers and other end-users to verify the authenticity of any device that attempts to connect to their networks.

Chip vendors can deploy these cryptographic IDs throughout their clients’ supply chains and register this information on central databases of trusted entities. This whitelist denies rogue devices access to end-user networks, neutralizing the impact of DDoS attacks and malware outbreaks. Open-source chips further improve IoT security by tailoring device rules according to each client’s unique risk profile. This ability to personalize and reprogram rules into hardware is critical to protect IoT devices throughout their lifecycles.
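The identity-plus-health check described above, as an added example that is not code from the article, Rambus or the Financial Times. It assumes a per-device HMAC key standing in for the asymmetric protocol a real root of trust would use, and a firmware measurement taken inside the root of trust; `Device`, `admit` and `REGISTRY` are hypothetical names, and all keys and firmware bytes are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed registry standing in for the "central database of trusted
# entities": device ID -> (per-device key, expected firmware hash).
GOOD_FW = hashlib.sha256(b"firmware v1.0 (constructed)").hexdigest()
REGISTRY = {
    "dev-001": (b"k" * 32, GOOD_FW),  # constructed key, not a real secret
}


class Device:
    """Hypothetical device; the key is assumed to live in its root of trust."""

    def __init__(self, device_id, key, firmware):
        self.device_id = device_id
        self._key = key
        self.firmware = firmware

    def attest(self, nonce):
        # Report the measured firmware hash, bound to the verifier's nonce.
        measurement = hashlib.sha256(self.firmware).hexdigest()
        msg = nonce + self.device_id.encode() + measurement.encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return self.device_id, measurement, tag


def admit(device, registry=REGISTRY):
    """Return (admitted, reason) for a device requesting network access."""
    nonce = secrets.token_bytes(16)  # fresh per attempt, so no replay
    device_id, measurement, tag = device.attest(nonce)
    entry = registry.get(device_id)
    if entry is None:
        return False, "unknown device"  # not on the allowlist
    key, expected_fw = entry
    msg = nonce + device_id.encode() + measurement.encode()
    expected_tag = hmac.new(key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return False, "bad identity proof"  # claimed ID without the key
    if not hmac.compare_digest(measurement, expected_fw):
        return False, "unhealthy firmware"  # genuine device, altered code
    return True, "admitted"
```

The order of the checks matters: the health measurement is only trusted after the identity proof over it has verified.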

As Scott emphasizes, enterprises should view cyber-hygiene as a risk-based process that varies across industries and organizations. Therefore, a chip-to-cloud security strategy rooted in cryptography and open-source innovation is needed to inoculate the ecosystem against infection. Building a healthy and resilient cyber system means being reactive and proactive: putting measures in place to deal with outbreaks as they occur, immunizing against known threats, and adopting habits and check-ups to avoid contagion, he concludes.