IoT Security: Game of Trust
The Internet of Things (IoT) will play a significant role in our daily lives. For this to happen, consumers must be ready to trust these communicating devices, which are often autonomous.
With the rapid deployment of IoT technologies, are we moving into a new era of cybersecurity challenges? Who will be the most affected? Who will be responsible? Should we trust connected objects? If so, how do we know whether we can trust these “things”? What security are we talking about? How do we measure security? Why do existing practices and standards not apply to the IoT? And finally, could a Trustmark label express the degree of trust and motivate the consumer?
So, what is IoT?
Over the last decade, we have seen the transition from connected computers to connected smartphones. More recently, we have started to see the adoption of smart connected devices (smart meters, smart appliances, smart cars and smart homes), representing huge opportunities for organizations. This evolution, often called Machine to Machine (M2M) or, more widely, the “Internet of Things”, is one where devices are smarter and can communicate with their ecosystem (including humans, infrastructure, nature, applications or other machinery) via the Internet, using communication technologies such as RFID, Bluetooth, Sigfox or LoRa.
Several standards organizations, such as the IEEE (Institute of Electrical and Electronics Engineers), the Industrial Internet Consortium (IIC), AIOTI and oneM2M, seek to provide a reference architecture defining the relationship between IoT domains and devices. What is clear for now is that, in general, five areas can be clearly distinguished in an IoT ecosystem:
1. The IoT Device: a machine equipped with sensors to monitor the device and actuators to control key aspects of its interaction with its environment. The information collected by the device may, for example, include geolocation information, operational information (such as temperature, humidity, vibration) and usage information (such as the activity of the machine or production measures).
2. The Gateway: collects and processes information from one or more devices, converts it into a device-independent format and communicates it over the network.
3. The Network: reliable network technologies (PAN, LAN, WAN, LPWAN) allowing the gateway to communicate with the central servers.
4. The Server/Cloud: the server infrastructure that filters, stores and aggregates the “Big Data” produced by the device. The server is often able to analyse and/or act on the data collected.
5. Applications: finally, the application business process, which is the key to providing an end-to-end solution. The application acts on the received information by alerting users to the required activities and, in some cases, by automatically controlling the device for repair or preventive action.
The role of IoT is thus to establish the conditions allowing connected objects to exchange information with a commercial application via a communication network (bi-directionally).
Why are we talking about this today?
Connectivity and embedded systems are not new phenomena, so what has changed the game so that we can start talking about IoT? The appearance between 2004 and 2006 of the first ARM Cortex-M microprocessors and microcontrollers, as well as Bluetooth Low Energy (BLE) technology, made it possible to drastically reduce energy consumption while increasing processor performance. The tiny dimensions of these processors and their very low prices (~ € 1) have allowed new forms of “light”, compact, connected objects to appear, such as the connected watch or the connected thermostat. These factors caused the connected-object manufacturing market to explode and enabled solutions addressing every sector. All estimates indicate that we expect to have about 50 billion connected devices in the world by 2020.
What threats and why is it so difficult to secure IoT?
Currently, organizations using IoT devices can see huge benefits, such as improved work efficiency, lower production costs, better services, greater access to information, and increased employee productivity, and thus more satisfied customers. But alongside these benefits, these organizations face serious security risks such as spying, sensitive data breaches, intellectual property theft and attacks on infrastructure components, simply because they are more exposed to the Internet. Specifically, four categories of attacks on IoT infrastructure can be distinguished:
1. Physical attacks on the device itself (accessing or disassembling the equipment, reading flash memory, …)
2. Network attacks (sending malformed data to the network interface, man-in-the-middle, …)
3. Server / Cloud attacks (cross-site scripting, SQL injection, …)
4. Software / application attacks (malware, impersonation, buffer overflow, …)
These threat categories are not new, but what makes the task of securing IoT so difficult are the following issues:
• The attack surface is vast and the possibilities for execution are multiple.
• The variety of development languages, OSs and network protocols, and the complexity of the architecture, which is sometimes composed of distributed systems and specialized hardware.
• The sensitivity of the data, which varies enormously from one application domain to another (personal, finance, health, geolocation, etc.).
• Lifetime: these systems will sometimes be deployed for up to 20 years or more (critical infrastructures, power meters, …), and their security must adapt to changing threats, which means, for example, allowing firmware updates.
• Accessibility: these objects are not always close to humans. They may be physically or environmentally exposed to attackers, requiring remote updates and physical protection of the hardware.
• Resources: battery life is limited, communications are not always online, and bandwidth, memory, etc. are often limited. Thus, integrating security by design has become a very complicated task that requires specialists.
But how do we measure “Security”?
Security is not one-dimensional, so we cannot measure it with a single scale. But, as with everything else we measure, methodologies and metrics have been devised to measure security. So far, these methodologies have been used to qualify the level of attack resistance of IT products, including the hardware and software within the evaluated scope: for example, Common Criteria (ISO 15408), CSPN, FIPS 140-2, FIDO, etc. These methodologies can be differentiated by the following characteristics:
• Recognition: global, national, European or industry-specific.
• Formalism: from the definition of the security requirements to the execution of the tests, a method may follow a precise formalism based on a semi-formal or formal language.
• Scope of coverage: covering a single type of product or a multitude of products, or sometimes only a specific part of a product (e.g. a cryptographic module).
• Objectivity of the results: allowing the same tests to be repeated with the same results, the coverage of the requirements to be proven, or two similar products to be compared.
• Variety of assurance levels: from the basic level to the high level, some methods provide more granular degrees than others.
• And costs: the more effort a methodology requires, the longer the assessment takes and the higher the cost.
But, how do you trust “security”?
Trust is indeed a key issue. We are not only talking about trust as perceived by end users, but also about the mutual trust between all stakeholders (component suppliers, integrators, operators, etc.), which is a precondition for the development of a sustainable economy.
But how is it possible to build confidence in connected devices?
In general, three types of means can be used to build trust:
1. Technical means, covering evaluation methods, review of the security architecture, code audits and, obviously, tests.
2. Legal means, including contracts (commitments or liability) and regulations.
3. Social means, covering the reputation and transparency of stakeholders.
Needless to say, all these means have their advantages and disadvantages, but ideally they should complement each other to improve confidence.
In this respect, certification frameworks exist that combine these three means while relying on a technical evaluation adapted to the type of product. The goal of a certification process is to ensure that a product consisting of software and hardware, or a system, meets the needs (functionality and security) of the customer. It is a technical review that evaluates the security mechanisms and their effectiveness. And since software and its environment are continually changing and evolving, certification should also be repeated (every 2 years, for example).
Security assessments are performed by third-party laboratories, providing a certain level of confidence (required by service providers, buyers or consumers) that the products implement sufficient countermeasures and that these measures are correct. This satisfies the security requirements and thus reduces the risk of potential vulnerabilities that could be exploited by attackers intending to compromise sensitive assets.
The assessor conducts a detailed review of the product's security aspects while performing, in parallel, the tests needed to ensure that the security mechanisms work properly, are effective and present no vulnerabilities.
In an information system, the assurance that “everything will be fine” is important. But to guarantee that, there are several things to check, and each verification can be carried out to a different depth.
Therefore, the most common checks, at their different levels of strength, have been put together in a large list defined by the Common Criteria (CC): the list of assurance requirements.
The philosophy of CC asserts that greater assurance results from a greater evaluation effort, and the goal is to apply the minimum effort required to provide the necessary level of assurance.
The increasing level of effort is based on:
• scope: the effort is greater because more of the product or computer system is included;
• depth: the effort is greater because it is applied at a finer level of design and implementation detail;
• rigor: the effort is greater because it is applied in a more structured and formal way.
But what is the problem with traditional product certifications?
IT product certifications cost a considerable amount of money, take a lot of time and are often valid only for a limited period. Costs vary considerably, depending on the complexity of the product, the targeted level of assurance, etc. They also include the preparation costs incurred before the evaluation process starts.
Costs for Common Criteria are generally divided into eight areas: product design, consulting, the cost of changes to and implementation / design of products, development, testing, documentation, production, laboratory verification, and certification scheme fees. To give an idea, a CC assessment will cost between 80K € and 400K € and can last from six months to up to two years.
Obtaining management approval to unlock the large investment required for a CC assessment is essential before the evaluation project can start. Thus, developing a compelling business case becomes a big challenge.
Moreover, developers and IT product suppliers are used to differentiating products according to their features and associated costs. Customers, however, are not used to differentiating products based on security; as a consequence, the manufacturing lifecycle is kept as short as possible, with no time allocated to designing, testing and updating security.
And when we apply traditional methods to the IoT what does it provide?
The criteria of cost, duration and validity are not suited to a market of 50 billion IoT products. There will simply not be enough resources to do it. And if we favour subjective methods to minimize time and cost, how can we assess the credibility of the evaluation laboratory, the pentester, etc.? Ultimately, will consumers understand the value of these certifications, and are they willing to pay for them?
Finally, one of the biggest problems in IoT security is the commercial problem, which adds further complexity to the technical problem mentioned above.
A possible solution?
To implement an adequate solution for measuring the security of the IoT, we first need to agree on the objectives to be achieved, and then re-adapt existing security certification frameworks to meet these objectives:
• Allow a quick and agile product manufacturing lifecycle
• Reduce the cost and duration of evaluations
• Motivate and educate the developer and the buyer
• Include training
• Recognize accredited self-assessment (for the basic security assurance level)
• Provide simple methods / metrics for developers and evaluators
• Recognize existing evaluation methodologies and security standards
• Consider the operating environment / process / context / complete domain
• Allow the customer and the supplier to compare different products in an OBJECTIVE WAY (when necessary)
• Mutual recognition
This type of evaluation must consider three aspects in order to measure security:
1. Verify that the product conforms to its specifications and covers the security requirements of the security profiles (from self-assessment … to low-level design verification)
2. Determine the effectiveness of the security features (authentication, key generation, key management, key storage, secure transactions, RNG, etc.) offered by the IoT product (from autonomous execution of security tests … to an advanced vulnerability analysis)
3. Check the compliance of the manufacturing and operating environments with the appropriate security standards (ISO 27001, IEC 62443, etc.) (from verification of certificate evidence … to auditing processes and environments)
Keeping these goals and concepts in mind, Red Alert Labs created a security certification and assurance framework dedicated to IoT and addressing the needs of each market vertical (Consumer, Enterprise, Industrial and Critical) at a basic, substantial or high security assurance level. This solution helps reduce the costs of security assessment and consulting services, makes up for the shortage of cybersecurity experts, raises business and consumer security awareness and ultimately creates a level of trust between the stakeholders, while still complying with security standards.
For further information, visit: