Why IoT security need not be a blur | Q&A with Asaf...
IoT security

Why IoT security need not be a blur | Q&A with Asaf Ashkenazi, Rambus

One of the core challenges facing IoT implementations is cybersecurity, with multiple reports suggesting that devices are being rushed to market with poor security, and others revealing a lack of strategic planning by IT decision-makers, and insufficient care and attention being given to securing the IoT in operational terms.

Internet of Business spoke to Asaf Ashkenazi, VP of IoT Security Products at IP and semiconductor company Rambus, about these issues – and took the opportunity to ask what he thinks of the UK Government’s recent Secure by Design report.

Internet of Business: Data and systems security are big issues for IoT providers. Would you say the biggest threats come from inside or outside the organisation?

Asaf Ashkenazi, Rambus

Asaf Ashkenazi: “Throughout history, risks came from both external enemies and internal spies, or ‘bad apples’. Big data IT organisations face similar internal and external cyber risks. But until recently, the differences between an outside hacker and an ‘inside job’ were clear. However the Internet of Things blurs the lines between the two.

“For example, an employee connects a private IoT device within the organisation’s network, not realising that the device contains vulnerabilities that can be exploited by hackers. On the one hand, the threat comes from the inside, but on the other, the attacker is not a malicious entity within the organisation.

“Another example is the millions of IoT connected devices. Should we consider these devices a trusted extension of the organisation? How do we handle these devices and the users who use them? Are these devices considered ‘inside’ or ‘outside’?

“The point is that the IoT forces us to change some of the old paradigms and think differently. It dramatically expand organisations’ attack surface, and it should be addressed, whether we define it as an inside or an outside threat.”

Do you think those implementing large scale, complex IoT projects, whether in industry or smart cities, place enough emphasis on security? And what checks and balances are required to ensure that security measures are appropriate?

“There are three security layers that need to be present in any large-scale service: reducing the attack surface, early detection, and in-field recoverability.

“Reducing the attack surface includes incorporating security at the design phase, using well-studied, standard cryptographic building blocks, and applying secure software development practices. In other words, treating security as a primary design parameter rather than as an afterthought.

“Early detection is required because we know that no system is a hundred percent secure, so it is crucial to detect attacks at an early stage, before the attackers have a chance to cause significant damage.

“Finally, in-field recoverability means that once we detect an attack, we should be able to fix the vulnerability quickly and efficiently. This requires, as much as possible, the ability to patch IoT device software and firmware over the air and without the need of end-user intervention.”

Fast, yet secure

“In order to make sure that the industry uses proper security mechanisms, there is a need for security solutions that are cost effective, easy to use, and fast to deploy. Without simplifying security deployment for IoT providers, it would be difficult to significantly improve the level of security in IoT devices and the services that operate them.

“But in parallel to reducing the overall cost and time of deploying IoT security, there is a need for some level of regulation to ensure IoT device and service providers face financial consequences if they decide to cut back on security in order to save money.

“The biggest challenge today is the definition of a standard level of security. The IoT market is diverse and fragmented, and so attempting to standardise security is a real challenge in itself that will take time.”

How, in a practical sense, does an IoT project administrator ensure full security of a complex implementation involving hardware and software from multiple providers?

“This is indeed one of the big challenges. IoT devices contain many components from different hardware vendors, each coming with a different set of software and tools. More, the device software should work with a service, which is also comprised of software and services coming from different vendors.

“One way to manage this complexity and risk is to have a security solution across all aspects of the IoT system, from the device and the chipset that powers the device, through the cryptographic keys used to secure communications, to the service IoT platform.

“Another aspect, as discussed earlier, is providing additional layers of security, assuming that the device’s software might include some vulnerabilities. These additional layers should include early detection and in-field recoverability.”

“There is likely to be an explosion of IoT devices in the home and office over the next few years – a predicted 20 billion or more devices. What concerns you most about them in terms of their security, and what are the fixes?

“The attack surface increases as more devices are connected. It is possible to segregate and limit the abilities of these devices once connected, but usually this doesn’t work well with end-users and overall productivity.

“I’m worried that many devices are deployed with very little top-notch security, making them an easy target. But I’m most worried about the millions of devices deployed today that are expected to serve us in the years to come – without the capability to update their firmware in the field, or to mitigate against future security risks.”

The UK Government recently published its Secure by Design report. It proposes a code of practice for manufacturers of consumer IoT products, rather than legislation – although says it will legislate if the code of practice does not work. Where do you sit on the code vs legislation debate?

“Manufacturers need to provide the industry with practical and affordable solutions. I believe that most IoT device makers and service providers genuinely want to address their products’ security risks, but they are often forced to choose between security and profitability or business success.

“While there are many IoT security solutions available in the market, it is often the case that integration of these solutions requires expertise these companies do not have. It can also be expensive and time consuming.

“Best practices can certainly help, but they don’t solve the underlying problems. There is still a need to build security solutions based on best practices, and not all companies have the talent and expertise to do that.

“The solution is providing practical and affordable solutions to the IoT industry. These can follow the code of practice. Then, regulation can help with those who decide to cut back on security in order to reduce costs.”

Internet of Business says

Internet of Business is committed to providing solutions to security problems across different type of industry. Here are some of our recent reports in this critical area:

Our Internet of Manufacturing events take place on 5-6 June in London, and on 6-7 June in Chicago.