As much as there is hype about the Internet of Things (IoT) and protecting it, there is no such thing as “IoT Security” per se. There is just the usual security engineering that is applied to IoT. Security engineering is about determining assets, threats to assets, and cost-effective means of mitigation. There are many models and ways for carrying out such analysis, but for the most part they all boil down to those key elements. Such security analysis applies to networks, it applies to servers, it applies to cars, and it also applies to IoT. That said, security engineering in IoT does pose a few unique challenges, which I would like to discuss now.
There are many different types of IoT devices with different properties. IoT is a tiny sensor running an 8-bit processor with a battery for ten years, and IoT is a multi-core control hub or a smart television. Those devices are different from one another in almost everything: their hardware, their operating system, their type of software, their level of assurance, and their ability to support different security protocols. The analysis of IoT security for a heterogeneous network consisting of a dozen types of components coming from different vendors, and yet that must rely on each other, is very complex.
Little industry know-how
Since IoT security is a relatively new domain, there are fewer standards; and more importantly – fewer industry practices for securing IoT networks. When an engineer wants to deploy a new web application, he has many checklists and do’s and don’ts he could follow. The same holds for the designer of a new mobile application. However, when an IoT vendor embarks on the design of a new IoT device, wishing to make it secure, he is largely on his own. Securing unfamiliar platforms where no standard practices are yet available requires more know-how and leaves more room for errors, as each vendor designs and implements his own wheel.
IoT is all about connectivity. If it were not for increased connectivity, we would have had IoT for decades already. More connectivity, in security engineering, implies a wider attack surface, as it implies more ports through which the attacker could possibly hook into the network. One of the asymmetries of security engineering is that the attacker gets to choose his preferred method and point of entry into the system, while the defender has to protect all entry points against all methods. More connectivity implies more entry points that require attention.
Security mechanisms shall be deployed under the assumption that they need to last for a decade, and renewability mechanisms need to be deployed under the assumption that the security mechanisms that were designed for a decade actually break in a week. This is a theory that is easy to understand but is very difficult to implement in practice. Some IoT devices are actually designed to live for many years, and yet some IoT devices are limited in their ability to be patched, or need to be certified and thus patching can only be done in long complex cycles.
A psychological bias that leads to intolerance
The sense of security we feel as humans is a function of more parameters than just how secure we really are. The human brain reacts to risks in ways that involve a lot of prehistoric programming, causing some well-known biases. For example: we tend to promote risks caused by malicious people over risks caused by nature, and we have a stronger reaction to rare risks than to everyday risks. We also relate more to risks that involve tangible physical consequences than to those that are completely digital, even if the monetary damage they cause is similar.
Compromise of an IoT system often has physical artifacts. As such, we perceive it as a bigger deal than credit cards being stolen from some database somewhere. It follows that the security engineer has less room for error. We do not mind using operating systems that get us infected with malware once or twice a year, but a few publicized cases of burglary through a faulty lock system could be enough to put the lock vendor out of business.
The element of the unknown
Since IoT is just in its infancy in terms of deployment, we are still not sure, as a society, what we should really be afraid of and what not. In more mature industries we more or less know what risks we need to focus on and what risks “just never happen”. We know of all types of adversaries, what capabilities they have and how much they are willing to invest in getting to any of the assets of our system. We do not have this knowledge in IoT. Every new domain that emerges spurs a new parallel domain of adversaries attempting to exploit the system for gain. For IoT, a domain that is both new and heterogeneous, we do not yet have a firm grasp of the entire wealth of adversaries and their motives. Some of those adversaries do not even know they are adversaries as of yet.
What follows is that the security engineer can afford fewer shortcuts. When we protect digital video content against copyright infringement, we know that the analog signal gives degraded output that the adversary barely cares about, and that low-resolution content can be protected by cheaper means because its value to the attacker is significantly lower. In IoT we are still at the point of having to protect against an abstract adversary.