A new report published by Beecham Research confirms that a successful attack against cyber-physical systems connected to the Internet of Things (IoT) has the potential to cause significant damage to individuals, businesses and national critical infrastructure.
“While we may have some visibility of potential attacks over a few months, we need to protect IoT devices in the field for 10 years or longer,” explained Professor Jon Howes, one of the authors of the report and Technology Director at Beecham Research.
“Devices must be securely managed over their entire lifecycle, to be reset if needed and to enable remote remediation to rebuild and extend security capabilities over time.”
According to Howes, the answer to these security challenges lies at the architectural level for both device and systems – stretching from semiconductors to network operators and systems integrators. This approach, he says, illustrates the need for common security objectives across the industry, as well as interoperability within broad systems.
“The attack surface of an Internet of Things system may be substantially larger than traditional PCs, as the complexity of ensuring multiple vendors’ systems work together will lead to a greater probability of exploits being available,” Howes continued.
“We have all become familiar with computer malware but the impact of equivalent IoT attacks could be to turn off a heating system in the middle of winter or take control of other critical IoT systems, which could be potentially life threatening.”
Rambus Fellow and futurist Rich Page concurs with Howes’ assessment.
“Ensuring the security of the rapidly emerging IoT is undeniably complex. This is why the current design approach to connected devices is undergoing a paradigm shift, with security being treated as a first design goal, rather than a tertiary priority,” Page told Rambus Press during a recent interview in Sunnyvale.
“It is also important to understand that cyber criminals may be motivated to compromise IoT systems for a wide variety of reasons, including fame, financial gain (theft/blackmail), the desire to cause temporary trouble (criminal mischief), or an ideological intent to inflict permanent damage (terrorism).”
For example, says Page, an attacker intent on criminal mischief may be content with simply hijacking Bluetooth-enabled deadbolt locks for kicks.
“Seizing control of deadbolts could be used to lock people out of their homes or open doors, leaving residents vulnerable to theft. It is not all that difficult to imagine the risks associated with IoT deadbolt locks managed by cloud-based servers. Similarly, hacking into a celebrity’s smartwatch and stealing workout data would be somewhat embarrassing for the victim, although the act isn’t likely to lead to injury or death,” he said.
“In contrast, disrupting a smart grid, an act that affects millions, if not tens of millions, would almost certainly be far more dangerous with immediate effects. It is a definite possibility that successful cyber attacks could very well leave us just 9 meals from anarchy. Of course, there are also seasonal variables to consider. Imagine Las Vegas in the summertime without air conditioning, or downed power plants in Boston during wintertime. To be sure, a series of documented digital intrusions over the past 15 years indicate the electric grid and related industrial controls remain vulnerable.”
As Page points out, various analysts and journalists have also voiced concern over the security of IoT-connected cars in recent months.
“The auto industry seems to be making rapid progress with self-driving vehicles. In general, this should be perceived as a positive development, although security protocols and standards will have to be ironed out before fleets of autonomous cars and trucks hit the road en masse,” he noted.
“Adopting a hardware-first approach to security – specifically on the SoC level – is a critical element of protecting all embedded technology – whether for wearables, smartphones, tablets or vehicles. Remember, a software-centric security strategy for vehicles, as well as other IoT platforms and devices, will inevitably require frequent updates. However, it is likely that most companies, automotive or otherwise, will stop pushing out new patches after a decade or so.”
Haydn Povey, Technical Associate and former Director of Secure Products at ARM, expressed similar sentiments in the abstract introducing Beecham’s IoT security report.
“While many technologies such as advanced cryptography are being introduced in current IoT devices, governments around the world are concerned about the acceleration of IoT and agree that there is significantly more work needed to meet the demands of future threats as outlined in the ‘20 Critical Security Controls,’ originally developed by the Council for Cybersecurity for mainstream IT security,” Povey added.
“There is an urgent need to deliver cost effective solutions that enable robust security but also to retain the flexibility to deliver real benefits in the face of expected threats. This requires well-architected and interoperable frameworks across vendors and technologies, integrated at an IP and silicon level to enable the evolution of security services the whole industry can leverage.”
In a broader sense, says Page, security serves as the very foundation of a dynamic IoT, effectively facilitating the safe transfer of immense amounts of data across global networks.
“As the era of The Internet of Things evolves, the data being generated and moved across networks will continue to push the performance of the communication infrastructure well into the future,” he explained. “It is therefore essential to address the key needs for storing and transporting data in mobile clients and datacenters with low-power, high-performance memory and serial link interfaces.”
Indeed, datacenter power challenges arise from the sheer scale of aggregating tens of thousands of servers into a single facility. Moving data from one place to another – whether across a chip, between chips in the same system, or longer distances between servers and racks of servers – consumes a significant amount of the power budget in datacenter systems.
According to Page, reducing power consumption and improving data bandwidth rates are just as critical to meeting the demands of next-gen mobile devices and wearables, the latter of which are increasingly used for tasks such as health monitoring, augmented reality and video/image capture.
“Petabytes of data are continuously generated from a wide range of devices and platforms, including PCs, servers, smartphones, tablets, smart grids, connected cars, Maker boards, thermostats, intelligent appliances and wearables,” he concluded. “This never-ending flow of information requires a corresponding increase in bandwidth capacity, as well as hardware-based solutions that offer a solid foundation upon which secure software and services can be designed and built.”