Cyber Security of the Internet of Things
IT and control systems manufacturers are seizing the opportunity of selling new novel hardware devices to consumers, as excitement continues to increase about the coming “Internet of Things” (IoT). As the number of devices continues to increase, more automation will be required for both the consumer (e.g. home and car) and the industrial owner. As the number of devices in IoT and control system increases, software and hardware vulnerabilities will also increase. It is not clear how all of these devices will be adequately protected. Eventually the technology will need to be present in tactical environments in order to accommodate advanced cyber strategies of future adversaries.
Currently, data from IoT hardware sensors and devices are typically handled by proxy network servers (such as a cellphones) since current end devices and wearables have little or no built-in security. The security of the proxy device will be critical if sensor information needs to be safeguarded. The number of sensors per proxy will eventually become large enough so that it will be inconvenient for a single user to manually manage all of the apps for their IoT sensors. This implies new application technologies will be needed that controls many “things” and solves the data management (and vendor collaboration) problem. An exponentially larger volume of software will be needed to support the future IoT. The average number of software bugs per line of code has not changed, which means there will consequentially be an exponentially larger volume of bugs for adversaries to exploit.
Until there are better standards for privacy protection of personal information and better security guidelines on communication methods and data/cloud storage, security of wearable and other mobility devices will remain poor. More work needs to be spent on designing IoT devices before too many devices are built with default (little or no) security. The ability to create secure IoT devices and services depends upon the definition of security standards and agreements between vendors. ISPs and telecommunication companies will control access to sensor data “in the cloud” and they cannot provide 100% protection against unauthorized access. IoT user data will be at risk.
Diversity of the hardware and software in the future IoT provides strong market competition, but this diversity is also a security issue in that there is no single security architect overseeing the entire “system” of the IoT. The “mission” of the entire IoT “system” was not pre-defined; it is dynamically defined by the demand of the consumer and the response of vendors. Little or no governance exists and current standards are weak. Cooperation and collaboration between vendors is essential for a secure future IoT, and there is no guarantee of success.
The growth of the IoT and the increase in the number of vulnerable commercial sensors has created a situation similar to the current situation of CPSs – a large number of unique hardware devices are interconnected with little or no regard to security, and with little or no communication and security standards. It is not clear that these issues will be resolved before it is necessary to use some of the current and near-future IoT technologies on the battlefield.
Some IoT technologies will necessarily migrate from the consumer arena to the tactical arena, where soldiers will entertain the interconnectivity of a large number of sensors and devices. One technique that can be used to approach the enormous security tasks of the IoT and the “Internet-of-Battle-Things” is to accept the inherent risks of IoT technologies and focus on the most critical areas to protect one’s asses. As for our intrusion detection and security modeling methods, one can define the critical elements in one’s personal zone of influence and monitor or model only those particular elements. Trying to monitor and measure all possible elements of the IoT system will be increasingly difficult and eventually impossible. In effect, each person or soldier will be analogous to a CPS operator and the devices of interest will have physical, cyber, and process components, as illustrated in Figure 2. Security research of the commercial IoT and the Internet of Battle Things is a current and future area of focus at ARL.