The world’s leading cyber security companies have repeatedly emphasized, over the last year, the detrimental potential emanating from inherent vulnerabilities in IoT (Internet of Things) devices, and for a good reason. Only recently, reports regarding the ability of Smart TV sets to pick up and transmit whatever takes place around them have been featured extensively in the media, while the US Senate has devoted, for the first time ever, an entire hearing to the potential implications of the IoT phenomenon, as well as to the government’s involvement required in order to guarantee a proper balance between innovation and the protection of user privacy and security in the shadow of that phenomenon. Although the inflated use of the term “IoT” has led some experts to disparage the scope and impact of this phenomenon, it is evidently expected to generate substantial changes, not only in the world surrounding us, but also to our traditional concepts and approaches regarding the cyber security needs of private consumers, industries and governments.

The term “Internet of Things”, and such equivalent terms as “Internet of Everything”, describe an increasing trend in the context of which additional sensors and computing systems, which are connected to the Internet, and in some cases to other networks, are embedded onto various physical components (from home appliances, through medical devices to industrial machinery). This convergence of technological advancements will make it possible to generate virtual representation of “things” that were hitherto detached from the internet, like the human body, animals (especially if the electronic components are implanted in the organism), plants and even inanimate objects. According to the prevailing estimates, until the year 2020 the number of devices connected to the Internet will be between 25 and 50 billion, while the market cap for these components and the services they offer will amount to hundreds of billions or even to trillions of dollars. Either way, it is estimated that even during the past decade, the number of “things” exceeded the number of human beings connected to the Internet.

The range of possible usages for IoT devices is assumingly unlimited, as the number of physical objects capable of containing communication systems and the scope of the information that may be derived from them are theoretically unlimited. Consequently, many people regard the IoT trend as a potentially powerful “growth engine” for various industries (and subsequently, for the economy as a whole), and as a catalyst for the creation and shaping of new markets. At present, numerous government-sponsored and private IoT-oriented initiatives, some of worldwide proportions, are being promoted in an extensive range of fields (healthcare, utilities, transportation, energy, retail, home equipment, etc.). With all of these initiatives, the ability to monitor activities in real time through the usage of sensors, and the abundance and diversity of the information that may be generated as a result, are intended to help improving efficiency and enhancing centralized control in human-driven activities, which in turn could lead to reduced business costs and enhanced human security and welfare.

As the connectivity of these components with other components, as well as with the Internet, improves, this nexus will allow the employment of analytical tools to derive insights that were hitherto unavailable or inaccessible. In other words, the components may be utilized more effectively and identify patterns that could reduce loads, provide focused, dedicated solutions to individual needs, reduce response intervals vis-à-vis incidents and improve cost-effectiveness, all while promoting an increasing trend of automation (“machine-to-machine” communications), which ultimately leads to the removal of the “Man” from the “Loop”.

The IoT trend has been defined by leading technological corporations as revolutionary, and its effects were publicly recognized, even by government agencies worldwide. Even so, it is yet unclear whether this trend also reflects or leads to a paradigmatic change with regard to traditional and consensual cyber security concepts and approaches.

According to one school of thought, the IoT trend reflects a natural – albeit accelerated – continuation of existing trends that have already left their mark on the field of cyber security. In this context, it should be noted that one of the primary changes that affected the field in the last decade was the exposure of the operational networks and ‘legacy components’ to the Internet (through the transition from proprietary networks to standards-based IP networks, that were connected to the web), despite the fact that these components, like the industrial control systems (ICS) operating them, had not been manufactured while factoring up-to-date cyber security considerations. Accordingly, some would argue that the IoT trend and the implications associated with it may be regarded simply as the natural continuation of this known development and the deterministic exponential progress of technology (that could be traced back to Moore’s Law). In the context of this continuity, an holistic and effective model for coping with the primary security problem of an IoT world has yet to be produced, as it stems from the traditional inherent tension between the consumers’ need for “usability” and “availability” and the requirements for “security”, “integrity” and “confidentiality”.

Nevertheless, substantial changes brought about by the IoT trend are not only conceptual in nature, but can be identified “on the ground”. Some of these changes reflect developments of a precedent-setting nature: the effects on the telecommunication infrastructure (massive amounts of information to be stored, processed and made accessible); the effects on the commercial world (hyped trend that attracts attention and “draws” resources from global industries); the psychological-cultural effects (delegation of decision-making authority to automated and relatively autonomous systems); the effects on the personal autonomous space (pervasiveness of automated systems in our immediate surroundings, on-going monitoring of our whereabouts and activities and growing dependence on computerized processes that pertain to our immediate vicinity and personal well-being). The last aforementioned development is reflected, for example, in the expanding market segment of wearable computing and the “smart” medical devices that constantly monitor our physical day-to-day activities.

From “Information Security” to “Cyber Defense”

As stated, the security issues associated with the connection of physical components to the Internet are well known – especially in the form of the cyber security threats stemming from the connection of “legacy components” to the web. These problems were the prime catalyst for the conceptual transition in recent years from the “Information Security” concept to the “Cyber Defense” approach, namely – a transition from protecting mere information in cyberspace to defending against the use of cyberspace for the purpose of generating an effect that exceeds the logical realm. But at the same time, in the emerging IoT world, the scope of components connected to the web, the distribution of these components and the extent to which they pervade people’s private lives, taking into consideration the demand for high accessibility and functionality in real time and the scope of the information being transmitted, have led to the emergence of a problem on a whole new order of magnitude.

It is Rezendes and Stephenson’s intriguing assessment, as published in the Harvard Business Review, that similarly to the manner in which the “Consumerization of IT” had a decisive influence on industries’ information security regimes, so, too, will the IoT phenomenon lead to the “Democratization of Information” (a situation where information will be shared more extensively than before and in “real time”), which, in turn, would have a substantial effect on the risk management strategies and policies in the private and public sectors, as well as on the procurement considerations of private consumers. At the same time, as long as consumers remain indifferent with regard to the level of security and privacy promised by the IoT devices’ manufacturers and service providers (and in the absence of incentives or mandatory regulation), so the pace of improvement in those parameters – especially as this improvement relates to products intended for private consumers – will remain slower and more moderate.

Sub-trends

Several primary sub-trends derived from the IoT trend, which directly affect the validity of traditional cyber security concepts and approaches, are already emerging. These include:

Intensification of known cyber threats – the proliferation of computer-based components is reflected, among other things, in the abundance of “attack vectors” and in the aggregation of computer power that may be channeled for the benefit of promoting familiar cyber attacks. In January 2014, the Proofpoint security company reported an incident where a botnet network encompassing 100,000 computers included, among other things, such home appliances and devices as burglar alarm systems, webcams and even a “smart” refrigerator, through which spam and phishing mails were distributed.

The connection of additional outdated “legacy components” to the web – the obsolescence of the components, protocols and operating systems of some CPS (Cyber-Physical Systems) makes it difficult to adopt security updates, and demonstrates the need for tailor-made security solutions. It should be noted that on the one hand, the overwhelming majority of these components had not been originally designed to facilitate internet connectivity, thus designed and developed without taking into account up-to-date security considerations; on the other hand, the components in question are commonly used in operational systems, the replacement of which by newer components is infrequent.

Susceptibility to disruption of on-going operations – as some IoT components constitute integral parts of critical infrastructures or directly affect our health, well-being and immediate vicinity, the end users’ readiness and willingness to accept disruptions in the functioning of these components and “denial of service” for the benefit of security updates, decreases as well. From a future-anticipating perspective, this reality calls for a pre-validation process for those relevant updates, in order to ensure that they would not damage the on-going operation of the component and the infrastructure as a whole.

Energetics requirements impose constraints on the scope of defenses that may be implemented in end components – small-scale computer-based systems (and RFID components all the more) embedded in physical components often do not contain extensive memory or any substantial processing capability (owing to energetics considerations). Consequently, the security measures they contain, as well as their ability to support current encryption standards, tend to be limited or even negligible. In some cases, even if security measures exist, the human-machine interface (HMI) offered to the user on these components might be minimal and over-simplified, in a manner that projects on the range of operations the user can perform in “real time” for the purpose of improving the resilience of the process.

Increased distribution of end components and databases – in the past, firewalls provided sufficient protection for networks. Today, in view of the proliferation and distribution of IoT components that are connected to those networks (as in the case of the Bring-Your-Own-Device trend), and the need to allow real-time accessibility from various systems to the information produced by the end components, it is no longer possible to settle for peripheral protection of a network, as was customary in the past. Instead, protection should be provided to each unique component and at least some information, exchanged between this component and other components or the cloud, should be encrypted. Additionally, the need for centralized management of the security resources and policy of all of the components in the relevant network is becoming increasingly more acute.

Accelerated automation and M2M trend – in view of the reciprocal connectivity and growing autonomy of IoT components, human involvement in the process is reduced in a manner that calls for similar automation of the relevant monitoring, information sharing and authentication processes generated in these components. In this context, a working paper prepared at the request of the Deputy Secretary of the US Department of Homeland Security (DHS) in 2011 included a reference to the term “Healthy Cyber Ecosystem”, which describes a situation where a sufficient amount of different components share information and cooperate autonomously, and sometimes even “locally” and in “near real time”, for the benefit of independently reinforcing their own resilience and security.

Poor security awareness on the part of users – the low degree of awareness of the cyber risks inherent in IoT components, at the corporate level as well as at the private consumer level, intensifies the traditional problem of inappropriate use of computer-based devices (and the services provided by those devices) by the end-users, as well as by the personnel charged with the maintenance of these components, like the need for regular security updates (especially in the absence of automatic updating mechanisms). For example, the ease with which hackers can hack into home cameras stems, among other things, from the lack of awareness among home consumers of the need to change the default password of the camera (the “weak” password recovery and reset mechanisms that are common in IoT components may be added to this problem).

Intensification of problems pertaining to user privacy – the demand, on the users’ part, for relevant, “customized” services in real time calls for continuous locating and monitoring of the user (often automatically and “transparent” to the user), in a manner that could lead to increased exposure of user Personally Identifiable Information (PII) to an extensive range of potential stakeholders. Additionally, the abundance of information available in the IoT world (Big Data) could enable user identification on the basis of integration of fractions of information supplied by various sensors, in a manner that increases user exposure even in the absence of intimate identifying details.

A Staff Report by the US Federal Trade Commission of January 2015 raised the need to present a data minimization demand to IoT components’ manufacturers to reduce the collection and retention of personal user information to a minimum or to reduce these activities to a reasonable level, to anonymize obtained information and/or to obtain the customer’s explicit permission to collect sensitive information or information the collection of which is inconsistent with the customer’s reasonable expectations.

Absence of centralized responsibility – in a world of IoT components, and especially of increased automation, one issue that grows increasingly acute involves the responsibility for enhancing security in the IoT environment and the ownership of the information produced in that environment, namely – whether this responsibility lies with the user, the service providers, the cloud service provider and/or the technology manufacturer. Without centralized responsibility, coming up with a comprehensive, holistic solution for complex systems becomes increasingly difficult, owing to technical and economic considerations.

These sub-trends emphasize the need to expand the concept that focuses on protecting only the network or the cloud (which is essential in itself, in view of the anticipated storage of massive amounts of information that are expected to be processed and made accessible for various purposes), so that it also focuses on authentication and authorization management within the end component itself, as well as on the encryption of the information passing through the network. Accordingly, some of the diversified cyber security solutions currently offered on the market claim to continuously protect all of the stages of the components’ communication process with the relevant network. Furthermore, new innovative cyber security concepts should adopt a holistic view that takes into account the complexity of the system (system of systems) and the process as a whole (for example, they should take into account the different interactions between all of the components that are collectively considered as a “Smart Home”). These concepts should promote constant examination, using a dedicated risk management routine, of the optimal security modus operandi that considers the entire system, from end to end (including the human element and the cloud services in the loop).

At the IoT component level, it becomes abundantly clear that in order to provide the component with a sufficient degree of safety, security and reliability that matches the severity of the risk, a Security-by-Design approach should be implemented, namely – a security-oriented thinking process, including a privacy and security risk assessment, should be incorporated and implemented throughout the R&D and manufacturing processes, and especially during the design of the physical component (when it is adapted specifically for network connection), rather than in retrospect as just another patch in the system. This is an opportunity in view of the preliminary phase in which the industry is situated with regard to the scope of development of IoT components. Moreover, a solution suggested at a relatively late stage could prove not only less effective with regard to the cyber security aspects, but also less than optimal owing to implementation cost considerations.

In order to properly prepare for these conceptual changes while taking the necessary preemptive steps, new, breakthrough knowledge and technological concepts should be developed through cooperative alliances and coordination between industry leaders (even though they may be promoting competing standards in their day-to-day operations), academia and governmental entities. At the same time, proper training and encouragement of awareness among the relevant engineers and senior executives are also required, along with change in the consumer habits and recalibration of the general public perspective and approach regarding the importance of cyber security of IoT components and the confidentiality and integrity of the information collected by them.

Similarly to related content worlds, the question regarding the characteristics of regulation remains relevant: is the state required to promote dedicated and more stringent regulation, beyond the inclusion of IoT products under the legal liability which sometimes applies to manufacturers in various sectors with regard to certain safety standards, or should it avoid intervention and enable the market forces and the existing competition to drive the firms to comply with higher cyber security standards? Additionally, the connectivity between components located in different geographic regions, and the impact of the cloud on the globalized nature of the IoT phenomenon, raise questions regarding legal jurisdiction and enforcement in situations where local statutes or international treaties have been violated. 

Eyal Balicer is the Head of Research and Analysis at the Israel National Cyber Bureau.

Dr. Tal Steinherz is the Chief Technology Officer at the Israel National Cyber Bureau.

The National Cyber Bureau (INCB) at the Israel Prime Minister’s Office promotes research in the field of IoT cyber security, for the benefit of identifying and interpreting the implications of the IoT trend on the traditional concepts and approaches regarding cyber security. At the same time, the INCB examines options for cooperation with leading multinational corporations, which promote IoT security-related activities while maintaining a significant presence and conducting substantial R&D activities in Israel, for the benefit of maintaining Israel’s status as a prominent leader in the field of cyber security.