Assumptions are dangerous things to make, and like all dangerous things to make -- bombs, for instance, or strawberry shortcake -- if you make even the tiniest mistake you can find yourself in terrible trouble. (Lemony Snicket, The Austere Academy)
In my time at PA Consulting, I have been privileged to watch the development of IoT technology and work with some of the finest minds in this exploding market situation.
There is little doubt that IoT is the future and now is the time to try for a large share. When it comes to writing and presenting on issues of IoT security, I often find myself taking on the role of The Doubter, when in many ways, I am just as delighted as my IoT designers by the exciting possibilities that this degree of connectivity facilitates. But …
Assumptions are dangerous!
With this thought in mind, I recently read an Op-Ed article in an industry magazine about the four issues impacting IoT security. Whilst I can agree with the identity of the issues, I have fundamental differences regarding the thinking behind each one.
The first can be summed up in the following quotation:
“If devices are shipped with the low-hanging fruit problems removed, security becomes a consumer requirement, which will lead hardware vendors to guarantee a baseline level of security.”
The reality is that in the race to the bottom on unit cost and time to market, security is often the first casualty of the design process. Historical evidence has shown (e.g. Foscam 2016, Wificam 2017, Mi-Cam 2018) that manufacturers are either not learning from previous security issues or simply don’t care about them. Designing and assuring a secure product adds time, complexity and cost to the product lifecycle and they don’t see it as adding any value to the product. The NCSC has just published a report concerning this issue. While the ideas for improving product security contained in the writer’s statement are good, it notably lacks either carrot or stick that would prove effective in motivating a device manufacturer to adopt them.
The only way that I see a change happening in the attitude and approach of the manufacturers is if it is demand-led by consumers who ask for better security and selecting products that have it. The management mantra of ‘Faster, better, cheaper’ does not yet have ‘safer’ as the fourth component – and it should. The financial pressure to accept risks instead of managing them means that many organisations are failing to secure their data and services. The challenge of security is being addressed by some organisations, including ARM, Google and Intel, especially those who are looking to deliver firmware updates to the ever-increasing numbers of semi-autonomous cars such as Tesla. The reputational impact of something going wrong could close some operations, so they put in the hard yards … but this isn’t cheap. Normally it’s only the larger enterprises with the big budgets that do it, or even try.
We gamble for ROI: no racecourse punter ever made a bet without hoping to win!
The risks of IoT appear to be a long way off – but the day of reckoning still arrives.
Ask Facebook’s Founder about time travel: would he do things differently next time?
The IoT Technology marketplace is immature. It may be years (decades?) before the majority of today’s consumers understand the data privacy and cyber security risks associated with IoT devices in their lives. For example, it took most people around 20 years to become aware of the threat to data privacy represented by social media. However, this rude awakening has finally happened. The fall-out from it is, or will be soon, new legislation in the USA (to match the European Union’s General Data Protection Regulation?) loss of trust and a conspicuous shift in consumer behaviour.
Perhaps IoT developers should ask Facebook whether they would have thought about app security differently had they known then what the world knows now? Assumptions along the lines of Scott McNealy’s comment: “You have zero privacy, get over it” are unlikely to be made again by any developer accessing personal data.
“Because the idea of internet-enabled toasters, coffee machines, toys, planes, trains, and automobiles is relatively new, security has not always been considered in product design.”
Once again I must respectfully disagree. Firstly, these ideas are not new. They are twenty years old [See https://tools.ietf.org/html/rfc2324] Consumers may not yet be demanding IoT security standards in the rush to benefit from internet connectivity, but the concept of ‘secure by design and default’ is certainly not new and can trace its roots back to the Capability Maturity Model and the Zachman model of the 1980s. Ignoring security in your design methodology has nothing to do with IoT applications.
“At the turn of the millennium, software vendors were forced to rethink their approach to security and ensure that it was built into products throughout the development lifecycle.”
There is really no good reason for any organisation to be ignorant of the need to include the security requirements of a product from day one of the design process. The PA Technology Innovation group design and develop leading edge products for our clients. One of the fundamental design considerations that we capture in the brief from the outset of a project is: ‘what are the security requirements for this product?’
“When it comes to secure development and patching, hardware vendors are at least a decade behind the software industry.”
PA knows from first-hand experience that there are major hardware designers and manufacturers working hard to design secure systems that can perform updates, either via the network or Firmware Over The Air (FOTA), which is a mature technique with well-defined standards. And while “many of today's hardware products have no easy means of patching firmware” It is important to accept that problems of this kind are the fault of the designer, not the nature of the hardware. There is nothing inherently insecure about IoT technology, although the brilliant, world-changing concepts are often sadly let down by the design processes ‘If a device can send data there is no reason why it cannot also receive data and instructions, including updates. Architectures for doing this securely already exist and work. Tesla provide a FOTA update to their customers in Florida in advance of Hurricane Irma to increase their battery capacity and range. Smartphones have been updating their operating systems and apps for over 10 years. The biggest challenge is getting the update process to scale securely and we have worked on this for clients in a wide range of environments. It can be done. No assumptions necessary.
Enterprise IoT visibility
I readily accept that “The organisational attack surface continues to expand; the more device types and form factors that we have to deal with, the tougher it is to have any semblance of enterprise visibility.” Yes, penetration tests do need to go beyond the traditional scope, however, including Multi-Function Devices such as printer/scanners has been known to responsible pen testing organisations for more than a decade and they do include these in their recommended scope for testing.
I take issue with the thought that “…that organisations simply don't know where they [IOT devices] are.” If an attacker can find an IoT device, then so can the owner, if necessary by using the same tools and techniques as the attacker. Effective change control and network security access controls also have an important part to play if properly implemented. None of this is new thinking or mere assumptions, far from it.
How do we fix the problem?
If we are to see any change in the security of most IoT products it will need to be led by consumer demand. That will require ongoing education and awareness of both industry and the public. The EU’s GDPR and NIS Directive may help prompt this, but how many manufacturers outside Europe will make the necessary design changes?
The National Cyber Security Centre’s report on how to improve product security in order to “protect individuals' online security, privacy, safety", offers great ideas but has no power to make manufacturers to adopt them. There are some who are taking this matter seriously, and PA Consulting have helped a few of them, but I expect the vast majority to carry on exactly as they have before. This report suggestions are sensible and practical, but they will add to the time to market, cost and complexity.
We must work to find better ways to make security easier and cheaper to design in, and guide the consumers so that they are aware of the risks and how to avoid them. It’s a two-pronged practical approach that builds on knowledge and not assumptions.
 The four issues impacting IoT security: https://www.scmagazineuk.com/the-four-issues-impacting-iot-security/article/745220/
About the Author
David Alexander MSc, FBCS, F.Inst.ISP, CITP, SCF, LCCP, CISMP, CBCMP, CIRMP
David is a highly experienced Information Security and Governance professional, strong in the areas of assurance, policy and technology. He is also well versed in commercial, government and defence organisational processes. Over the course of the last 30 years he has gained great insight into how large organisations and their business units work, how to identify their primary goals and requirements, then treat the risks to provide maximum protection for minimum cost and impact. This ability extends into the discipline of Security Architecture, where his detailed technical knowledge of systems and networks enables the design of complex and highly secure systems.
David is co-author of “Information Security Management Principles”, published by the BCS, and Module Leader for Network Security on the Royal Holloway MSc program.
We help you build resilience in IoT and ICS/SCADA systems
Cyber attack numbers and sophistication are increasing significantly. Businesses need to manage the residual risks more effectively. All of you systems should be regularly to determine how they respond to new attacks and what needs fixing to prevent them. Penetration testing provides the crucial information to businesses and helps them identify and eliminate vulnerabilities without disrupting services.
If you would like further information around how our penetration testing and cyber security services can help your business grow in cyber space, email to one of our experts today or call +44 (0) 1763 285 510.