Towards an Internet of Secure Things

The rhythms and operations of modern society are regulated by IoT devices: on the street, at the office, in the car or in the train, at the airport or at home. IoT systems monitor our buildings, regulate traffic, listen to our conversations, deliver energy to our homes, and automate and operate our factories. Their applications and numbers increase by the hour, and we are quickly heading towards a trillion devices deployed worldwide, approximately 150 devices per person on the planet.

Increasingly often, these devices are turned against us: spying on us, launching massive distributed cyber-attacks, serving as bridges to infect networks, and being employed in sophisticated nation-state attacks targeting our facilities. We are losing control of our own infrastructure, and soon we will be unable to manage the IoT we created. The sheer number of devices, their heterogeneity, and their varying longevity (days, or decades) represent a huge challenge impacting our personal safety, the security of our data, and our economy.

We are on the verge of losing the capacity to manage IoT: “classic” constructs we used relatively successfully to manage IT systems, such as trust separation and graceful degradation, are now failing us, as they do not accommodate the very characteristics and nature of IoT devices. There are several dimensions separating IoT from regular IT. In this context, the “old” IT-based security paradigm, based on ad-hoc solutions developed and deployed specifically for each system, is doomed to fail. In fact, it is already failing, as humans lose sight of the huge complexities characterizing such a heterogeneous, vast environment.

The dimensions separating IoT from regular IT

Space

IoT devices are oftentimes dispersed across large geographical areas, even when they are operated by the same entity. Updating and fixing them is complicated because there is no unified solution, and the large distances mean that if something goes wrong, the operational overhead needed to fix them is a disruptive disincentive for updating in the first place.

Time

IoT devices often long outlive their “support lifespan”: devices stay deployed for decades, while only a few of those years are covered by some level of product support, for example to fix critical software vulnerabilities. The result is that long-forgotten and lost devices keep operating and remain connected to our networks, while remaining freely exposed.

Structure

Billions of IoT devices manufactured in countries all over the globe will be connected to the internet; our current security models, based on separating a trusted “inside” from an untrusted “outside”, will be inapplicable as this distinction blurs away. IoT devices are extremely diverse, from design to implementation, from deployment to functionality, from durability to application domain. Giving order to this structure is proving impossible, let alone managing it.

One Problem, Several Perspectives

Such a multifaceted problem needs to be tackled from different yet interrelated perspectives. To structure our approach, we align with the most recent edition of the National Cyber Security Research Agenda and tackle the problem ‘integrally’ from various different, and complementary, perspectives: “Design”, “Defence”, “Attack”, “Governance”, and “Privacy”.

Design

The state of the art in secure software engineering is exemplified by lists of common security flaws, at the coding level or at the design level, e.g. the OWASP Top 10. There is already an OWASP IoT Top 10 of things to avoid when building, deploying or managing IoT systems. Such lists of what not to do are still a long way from methodologies that deliver security-by-design. More constructive approaches, suggesting do’s rather than don’ts, include the BSIMM security maturity model and, more recently, the secure engineering methodology being developed by NIST and the community efforts on assurance and certification in AMASS.

We need to move beyond Security-by-Design to Resilience-by-Design, while incorporating the autonomously adaptive security principle in our designs: we should expect systems to be attacked and compromised, in parts or as a whole, and design them to autonomously manage their security while acting selflessly. This means systems should be designed to allow for good monitoring, to facilitate defence, and to evolve in the face of new attacks, or rather, a better understanding of attacks. Our approach for this should be integrated with the NIST and AMASS initiatives mentioned above.

Unfortunately, it is a well-known tragedy that the same standard security mistakes keep being repeated, and better practices keep being ignored. So we also need to understand why this is the case, to make sure that new tools and techniques will not suffer the same fate. Insight into where and how incentives for secure practices are lacking also provides a basis for the Governance perspective.

Defence

In general, defence is losing ground against attackers, and in IoT specifically, defence is nearly non-existent. IoT offers a huge and heterogeneous attack surface, where standard ICT defence techniques are of limited applicability. Present defence techniques are very labour-intensive; as such, they do not scale and cannot cope with the IoT-specific dimensions of space, time and structure. Novel defence techniques are needed for IoT, addressing these dimensions while supporting autonomous and adaptive security. These techniques need to cope with the cyber-physical nature of the IoT setting, with potentially hostile environments, and with heterogeneous devices (low-resource sensors, edge nodes, and powerful cloud back-ends).

To supervise devices that you do not manage, awareness of their behaviour and status is essential. Monitoring is thus an essential part of IoT defence. Current intrusion detection approaches, however, are not up to the task of efficiently monitoring the plethora of IoT devices, and typically do not offer enough insight to make effective decisions, let alone to automate them. Today we see the first steps in designing adaptive systems that respond to detected situations; however, their underlying assumption that one has a full specification of the system is not realistic in IoT (structure dimension).

Intelligent IoT monitoring is needed to allow the system to adapt autonomously, both in the short term (e.g. to a detected attack) and in the long term, as environment and use change (time dimension). Monitoring and awareness will also be instrumental in providing indispensable input to the other activities, Governance, Design, Attack and Privacy, by supplying up-to-date evidence regarding attack methods and activities.

Finally, existing defence mechanisms typically focus on protecting a single device or system and its data, without considering how this impacts others. Sharing security information, or sacrificing functionality of a device to protect others (selflessness principle), is essential for IoT security. Collaborative defence approaches are needed.

Attack

How good is a secure design, how strong a defence, and how complete are advances in privacy and governance? To achieve a secure IoT, we need to understand the attack surface. Unfortunately, for IoT this is unprecedentedly large, with complex and poorly understood chains of interdependencies between devices and systems. The deployment complexity (trillions of IoT devices), heterogeneity (from smart dust to self-driving cars), and characteristics (physical vs. remote access) immediately translate into a huge, previously unexplored attack surface. In addition, today’s understanding of offensive techniques is not adequate for systems where software is tightly integrated with hardware. Today’s methodology of ad hoc probing of the security of a handful of devices is no longer an option; so far, however, the community has no idea how to assess security and find dangerous weaknesses automatically at such an enormous scale, covering so many (systems of) devices but also so many design processes, defences, etc. The primary research challenges are to develop automated techniques to detect vulnerabilities in complex constellations of IoT systems and to guide these efforts by prioritizing the most dangerous weaknesses.

In other words, we need attack prediction models, based on empirical evidence, that help security analysts focus on the most important systems and attack vectors (e.g., because they are popular among attackers in general, on the rise, or simply relevant for particular sectors). The analyst will then analyse these systems in terms of fundamental security principles and security properties (single-system properties such as confidentiality, integrity and availability, but also properties of the wider system, such as isolation, abusability, etc.). In addition to vulnerability analysis, the evidence-driven prioritization of important attack vectors and modus operandi will provide input and direction to the design, defence, governance and privacy efforts.

Governance

IoT manufacturers already devote far too little attention to developing secure products, due to the lack of market incentives. We cannot expect them to follow the selflessness security paradigm in their devices, or to create autonomously adaptive security for their platforms, without governance-based incentives. Instead, we already see interdependence between stakeholders contributing to a blame game, with the actors within the IoT supply chain accusing each other of insufficient security efforts. Limited security specifications in IoT products signal a market failure that requires regulatory intervention. According to the European Commission, governing the IoT requires rules and processes to drive the way in which powers are exercised, particularly as regards openness, participation, accountability, effectiveness and coherence. To satisfy these “principles of good governance” within the multi-stakeholder IoT landscape, we must revisit traditional governance models.

There are, however, a number of challenges to implementing these governance principles when it comes to cybersecurity. First, there exists a wide array of standards in cybersecurity, ranging from technical specifications for encryption at the device level to risk management at the organisational level. Moreover, given the wide application of IoT, standards are being developed within, rather than across, sectoral verticals. Thus, the landscape of privacy and security standards that apply to IoT is increasingly complex, and the market has so far shown limited convergence towards a core set of standards to support these principles.

In addition, due to the pervasive interconnectivity of IoT devices, determining liability is more difficult than ever. With traditional products, liability mostly falls to the manufacturer/service provider. However, if an IoT product does provide basic cybersecurity measures and an attack occurs, current regulatory frameworks do not always determine who should be held liable.

Privacy

Many IoT business models depend on the large-scale processing of personal data for personalised services and on generating revenue through advertising, creating what has been termed surveillance capitalism. Although consumers benefit from IoT devices and applications, they are also confronted with a sense of diminishing transparency and control. Privacy considerations have played a very limited role in the development of IoT devices, inter alia due to economic obstacles, interoperability concerns, and usability concerns. The European regulator has acknowledged the importance of privacy and data protection. The new General Data Protection Regulation (2016/679) enhances transparency and user control and introduces Privacy-by-Design and Privacy-by-Default (art. 25) as new instruments for data protection.

Privacy-by-Design and Privacy Enhancing Technologies (PETs) have a long history, yet their uptake has been limited due to the concerns raised above. There are also concerns regarding the notion of implementing data protection requirements in code. The IoT landscape raises specific challenges due to its spatial, temporal and structural characteristics. On top of this, it is not clear what the Privacy-by-Design requirements in art. 25 GDPR entail.

Privacy and regulatory compliance are seen as significant obstacles in the industry. There is a need for guidance with respect to Privacy-by-Design in the secure IoT context, from design patterns, development frameworks and privacy enhancing technologies to secure IoT-specific PETs. Our privacy has been designed away, but it can also be designed back into a new generation of IoT devices and services.