Updated: Feb 18
Many sources estimate that by end of 2020, 50 billion Internet of Things (IoT) devices will be deployed worldwide leading to a > $1( http://bit.ly/2KqDvm8 ). IoT devices, active sensors, are specifically designed to connect to a TCP/IP network taking the data they are reporting on to corporate locations via the internet. Typically, they are Linux systems with applications on them to execute reporting and receive updates including any updated configurations. Once configured, there is very little management and oversight required...except from a cybersecurity perspective.
Typical IoT Capabilities Marketing
The Internet of Things (IoT) transforms industries around the world, and it’s not hard to see why. IoT solutions can help you unlock new revenue streams, improve efficiency and increase customer engagement and loyalty.
From a security perspective the active sensor, like any other node on the corporate network, requires the same protections in this heightened cybersecurity.
What is the track record of data breaches? The chart on the right can only conclude that since 2010, it has been getting exponentially worse.
Consider the following:
1. We are shortly heading towards >50,000,000,000 (50 billion) sensors on a network to “unlock new revenue streams, improve efficiency and increase customer engagement and loyalty”.
2. In 2015 Forrester Research reports ( http://bit.ly/2OZoJqQ ) that there have only been 2 billion computers sold over time, and that did not include mobile devices.
3. We are at the birth of extremely fast 5G bandwidth capability which is supposed to be 100 times faster than wireless speeds of 2018.
4. We have massive computing power
a. Quad core computers on a watch
b. Super computers
c. Quantum computers around the world
5. The massive increase of computer memory is now commonly >32GB per device
6. The massive increase of storage capabilities is now normally measured in Terabytes for desktop computers and Petabytes+ for high capacity server storage
7. There are nation states with global attack units that target any industry
a. China with PLA Unit 61398
b. North Korea with APT38 ( https://tcrn.ch/2KCoEVR )
8. NSA hacking tools stolen and used by China to attack ( https://cnn.it/2yZxVAX )
Referencing this list, ask the logical next question…
With the rapid growth of IoT devices, with limited security using 20+ year old aged security techniques and methods…
What Could Possibly Go Wrong?
Consider the initial introduction of these technologies over the decades:
We must learn from the lessons of the past!
Advanced security must be a forethought, part of
the design on the implementation of IoT!
Not an afterthought!
The stage is set for difficult cybersecurity times to occur with status-quo security maintained.
This paper examines the currently known issues and the steps which can be taken today to secure the IoT environment for any corporation, organization or the industry at large.
2 Cybersecurity IoT Issues
2.1 The Landscape
Considering the projections, including 2-3 IoT devices for every human on the planet within 3 years...and growing from there, there will be major opportunities for evil actors and nation states to wage an IoT Cyberwar to control humans and countries.
IoT devices lack even the most basic cybersecurity protections
Justin Sherman, cybersecurity policy fellow at the think-tank New America
Without advanced security and proper configuration, the IoT sensors will be able to attack an industrial or corporate network once the evil actors or nation states are inside the sensor. With the advent launch of 5G wireless service globally before the end of 2019, the ability to get into a corporate network is the largest target rich environment in the history of computing if not adequately secured.
The IoT hacks will no longer be about stolen credit cards, social security numbers or denial of service attacks, etc. IoT device attacks will be surrounding the citizens of ALL sovereign nations. IoT device attacks will soon provide access to trillions of real-world objects, not just digital data. Why? An active IoT device is pure and simply another node on a network, in most cases. If the security profile (authentication/identification, grades of encryption and trust establishment) is not tightened down to a level equivalent or beyond of what the US government defines as top-secret, an IoT attack has the propensity to cause real harm.
Consider some of the recent articles demonstrating IoT security issues today:
Hack of High-End Hotel Smart Locks Shows IoT Security Fail. Great features, very poor security – http://bit.ly/2TllVD2
IoT in the healthcare industry is most commonly used in infusion pumps & patient monitors. What are you doing to keep nation-state hackers, ransomware pirates, crypto-miners, and spear-phishers from impacting patients? –http://bit.ly/2ZVPPjH
“Consider a common Smart City initiative – Smart Metering. Now picture a metro utility being hacked, causing electrical outages or compromising customer’s personal information or payment data. These are potential large-scale events that affect entire communities, not just individual users. The potential risks and impacts are real. IBM and Poneman Institute research estimates that the average cost of a data breach is $3.86 million dollars. That’s enough to strain any city’s budget” – http://bit.ly/2MfT9mE
Confirmed: 2 Billion Records Exposed in Massive Smart Home Device Breach – http://bit.ly/2KIVJP1
Over 283 attack surfaces on the Boeing 787 – http://bit.ly/2z0pCEI The level of connectivity in even a single aircraft – engines to flaps to landing gear and anything else that is connected to the 787 – represents a huge attack surface, including
-Action Spoofing -Insecure WiFi Channel
-Alteration of installed BIOS -Manipulating Writable Configuration files
-Device Hijack -Targeting Malware
-Faking the Data Source -WiFi Jamming
Threat of a Remote Cyberattack on Today's Aircraft Is Real…” It's not beyond the realm of possibility that a determined, properly prepared malicious actor could break into and compromise an airplane's network — without ever so much as entering the airport.” - https://ubm.io/300T0H1
Autonomous Vehicles and the Threat of Hacking – “DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold. Though I hadn't touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass” – http://bit.ly/2KMCfcl
3 The New Requirements
NCoded Communications presents our views on what needs to occur, in detail, to secure IoT to a level above the U.S. government definition of Top-Secret. We believe that the overall security, especially when human lives are involved, must be failsafe. A single breach is unacceptable.
Leveraging a stated position by Ed Technology ( http://bit.ly/2Mhemwn ), the position for the IoT future is as follows:
As IoT becomes an important part of future internet and national/international infrastructures, the need to provide proper security to such infrastructures becomes even more important.
IoT applications and services are having more vulnerability of attacks and information theft.
DoS & DDoS attacks are not allowed – Require specific techniques and mechanisms to ensure that transport, energy, city infrastructures cannot be disabled or subverted.
General attack detection and recovery/resilience
Cyber situation awareness tools/techniques
Variety of access control and associated accounting schemes to support the various authorization and usage models that are required by users.
The IoT needs to handle virtually all modes of operation by itself without relying on human control.
We present NCoded’s requirements in three critical security areas:
· Authentication / Identification
· Privacy / Encryption
Unlike the technology proliferation of the past, we must think beyond the original feature sets that will be so great for the general public and address security approaches beyond the standards of the past 2 decades for general public safety to prevail.
With this great new technology, security must be a forethought, a part of the initial design. Not an afterthought and a cybersecurity band-aid.
Smart cities will remain a dream if public safety without fail safe cybersecurity is built in from the beginning. If the IoT industry addresses security as an afterthought, as did so many other technologies before IoT (e.g. internet, worldwide web, music industry with CD’s & digital music, DVDs & digital video players, media streaming, credit reporting, etc.) this time the stakes are higher, well beyond the hype of the great IoT feature capabilities. With this great new technology, security must be a forethought not an afterthought, otherwise the consequences could be dire.
4 What Can be Done?
The Ed Technology requirements are a very good start; however, they are not complete enough for implementation achieving hardened objective of: fail-safe cybersecurity with top-secret levels of protection. We have built a cybersecurity capability over the past several years that takes all of Ed Technology requirements into account before they were documented. Only, we take it to a higher level.
Trust No One
The starting block conceptual design principles:
With these two principles, we began our journey…always observing:
What was occurring in the marketplace…the data breaches and how they were occurring.
What was being reported on at Blackhat and DEFCON conferences.
One may ask: What, no leverage of any NIST (National Institute of Standards Technology) / FIPS (Federal Information Processing Standards) standards? There are multiple answers:
If the NIST / FIPS standards were that solution in their security virility, then why were all the data breaches occurring?
When former Bell Labs engineers (NCoded founder and others brought in to analyze) conducted code reviews on some of the standards
Why were there either security holes or backdoors discovered?
NCoded Communications (NCC) added to the conceptual design principles after security holes or back-doors in a supported standard:
Trust No One
Be Different - Don’t Follow the Herd
If It Doesn’t Exist– Invent it
Given the Bell Labs heritage in the initial NCC staff, we followed the spirit, ingenuity, and the methodologies in a culture that produced technology greatness long before other areas of the country and other corporations.
The next sections explain how to protect an organization’s IoT deployment from evil actors and nation states by keeping them from taking over control of their infrastructure and corporate network keeping in mind the above requirements…and more.
For further information, please contact:
Peter W. Rung
NCoded Communications, Inc.