The IoT Files – intro and security
I will start a series of posts on the IoT (Internet o Things) since it seems me that most of the talking about IoT are missing some key aspects.
I will start with a general introduction, taken from a webinar I delivered recently.
There is a lot of rumors around IoT lately. It seems the new holy grail of the technology industry, the panacea that will solve every business pain and will drive us to the next point.
All those talking are interesting, but somehow a little bit apologetic, since there is a lot of things still to be evaluated in an IoT world, and some could give us some headache and concerns.
so let us start trying to understand what we are talking about when we talk about IoT.
IoT,internet of things is the extension of the consumerization of connected device, that will cover much more than we are used nowadays. the key target of the IoT is the User and its world.
This does not means that IoT is not about scada systems or industrial contol systems, or e-government or smart cities. is all about this and more, but the focus point will be the user, the new hyperconnectd guy: mr Guy Smart.
But aren’t we already hyperconnectd with our always present smartphones, tablets and now smartwatch?
What is the difference between us now and mr Smart?
The difference rely on the level of devicesystems connected that are related to the new user. Way more than the simple phone and watch; we can think of wearable devices, medical devices, glasses for augmented reality, smart shoes that tell us how we walk or belt that monitor pour waste and diet.
But My Smart is not only using those stuffs he wear, he is also living in a hyper connected world. driving a smart car (autonomous and more…) on smart roads, with intelligent traffic lights, in a smart city where he find its smart home.
All connected, all sharing information, all dynamically changing status upon the user request and the context.
A way to live quite different from our actually way of life, since everything can modify the behavior related to the heat of the moment.
All this look wonderful, a personalized environment that follow our needs and provide us a completely new experience. A new industrial revolution able to shape our needs and think and way of life.
But is this real? how far are we from this?
To understand what all this means we should start from the definition of Internet of Things. A good definition is the following:
The Internet of Things ( IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.
According to most of the analyst this is the main trend we should expect in the next years.
All analysts forecast billions of devices connected, a great hope for a growing business….
- But is this coming without a price?
- Is this so easy to achieve?
- What are the consequences?
IoT is a great opportunity, but is also something should make us think about the consequence. as every thing there is always a price to pay, and we should understand what is this price.
I will try to give a short description of 5 aspects related to IoT we should take care of:
- Security
- Privacy
- Infrastructures
- Business Models
- Culture
IoT and Security
I know that security is on everyone mouth recently, the rising of cyber crime and the warfare has put security under everyone attention.
But yet we are far away from a real understanding of what security really is, and what means make security. We usually focus on particular aspect of the security domain, or on specific technologies, forgetting that make security is a complex affair that cope with behavioral science as well as technology. Is more a process than a product or service.
What should be put us on alert is that in a IoT world the dependency of our lifestyle and life from the devices will be so tight that security will assume a completely new meaning for the normal user. We are not talking about an annoying virus on our laptop, but something that can literally kills us as in the case for medical device or smart drive systems.
IoT bring a lot of security concerns, some quite easy to understand, other alas too often neglected. Let us try to name a few:
Hacking
This is something everyone knows, every years the knowledge about hacking rise up as well as hackers ability. Is a never ending run. But can we try to imagine what would happen in a world where the number of hackable devices is in the range of billions?
This is something we should take into serious consideration, no OS is secure (sorry Linux, Unix and Mac guys) and we are talking of billions of objects that exchange data, transmit data, manipulate data, collect data through sensors. the attacking surface will become incredibly wider, and the result unpredictable.
The classical reactive approach of OS designer have to be radically modified, since this can be the door for a hell. A new security design approach is needed. And don’t think for a moment that IoT device will have few lines of code and therefore easy to be secured. Even the smallest simplest device will have its sensor and will have to communicate data and receive orders (otherwise wold not be SMART). so there is nothing like a simple OS here. beside the smaller the OS the herder can be to secure and patch it. in bigger environment it is a common operation to wrap the vulnerability into something that solve somehow the problem, will this be possible in the smaller IoT OS?
Cyber Criminals
And if the hacking surface will grow, we can expect also criminal activities to grow and find new way to monetize the risks.
For the ones who works in the Cyber Security arena, it is well known that Cyber criminality move more money than drug and weapon illegal market. this can only grow, making cyber crime more important than ever. And when something is so important, corruption and collaboration between the underworld and the official ones is to be expected.
So IoT brings with him a great concerns from this point of view.
Cyber Warfare
But if it is not a criminal organization, can be a government. Do we really think that this will be an area where government will not play the part? Do we realize that IoT will be tied to our life, and our productive environment. So targeting the IoT could harm a country more than a conventional war, blocking its productive system.
Science Fiction? Try to remember stuxnet and may be we can agree that this is a plausible scenario: a country that attack the IoT infrastructure in order to harm another country.
And if it is not a state, a government can be a terrorist organization, activism …..
Geopolitical Issues
And if it is not on purpose, may be the system can be harmed by geopolitical issues. In an Hyperconnected world damage can be done even targeting something else.
Censorship
Let’s take censorship as an example. we can not realize that censorship can harm the functionality of a device, at the end we are not talking about nor twitter nor facebook, but…
Take your android phone and go to China, as an example, and you will see directly the effect of censorship on IoT. Your wonderful android functions and services will not work since Google has be banned for censorship reasons from china. (Sure you can use VPN, but please, try to see the picture here).
Errors and Incidents
And even if it is not on purpose, accident and errors can anyway harm the system. probably in ways at the moment we still don’t see, due the complex nature of the various interrelationships between the objects.
Compatibility
And if will be not error or incidents the harm can be done by compatibility issues. At the end you will like to change object or location from time to time. some IoT objects will travel with you, compatibility will become a great issue.
What if you change medical device provider and the new does not support vital data taken from the old one? or if you go in place that does not allow the same level of communication? (may be because encryption is not allowed there).
What More?
Many other scenarios can be recalled related to IoT and security, this is not an exhaustive list, but it is good to make the point. Security is a serious issue in an IoT world.
The classical approach that consider security an “Add ON” of IT and a business weight to avoid have to change dramatically. Security Must become part of normal thinking because the risk is higher than ever.
When consider IoT and security ask yourself:
- Would you drive or feel safe in a easy to hack car, in a easy to hack road.
- Would you like to depend on easy to hack medical device?
- Would you like to count on a hackable safe city system?
- ….
We have to realize that Security is important in all realms.
It is not just a product add on §(the antivirus….) but we will have to deal with new things like:
Operating System security
- Vendor Security Approach
- Service Provider Security System
- Supply Chain Security
Authentication
Communication security:
- Reliable
- Protected
- …
Compatibility
Open Sources vs legacy code
Vulnerability and Vulnerability Disclosure policy
Hacking accidents communication
Training and awareness
Reliability
alas we are still far form the arrival.
Next post I will talk about Privacy in the IoT
Nessun commento:
Posta un commento