Why the Internet of Everything Requires the Security of Everything
Daksha Bhasker, Bell Canada
The Internet of Things (IoT) is a complex internetwork intertwining everything. Billions of objects and people will communicate with each other every millisecond around the clock: some simultaneously, others intermittently or in bursts, some broadcasting to all recipients, others on command, observing communication channels, in bidirectional, hierarchical and multivariate patterns.
Notwithstanding this resulting complexity, businesses, consumers and the general public implicitly expect their security and privacy to be protected. This responsibility swiftly cascades onto network operators, who must not only manage this inevitable cacophony of communication but also secure it. Let us explore whether the IoT environment could be sustained by a single uniform security paradigm: Is everything connected to everything?
Overhead and Cost of Connections
At first glance it would appear that every object is connected to every other object in an any-to-any fully meshed architecture. As masters of the IoT universe, we would indeed like the convenience of being absolutely interconnected, wouldn’t we? At this very moment your network operator is considering the overhead and cost of unnecessary connections, their management and the burden of securing each one of them. Do we really need smart toothbrushes connected to traffic lights or smart light bulbs connected to printers? Probably not. In reality, a smart toothbrush interfering with a neighborhood traffic light would pose serious security risks that could impact vehicular traffic adversely. Therefore, it is highly probable that IoT architectures will involve a predetermined set of meaningfully interconnected subsystems of objects, separated from the broader IoT ecosystem via intelligent gateways, servers or controllers.
Further, a large percentage of objects that are out in the field have low power and processing capabilities, rendering them incapable of anything more than minimum application-specific functionality. These low-end devices will require different mechanisms to secure them. This natural grouping of edge devices and segregation of networks enables the pruning of the communication noise generated, allowing operators to focus on securing zones of meaningful interconnections in IoT. The security parameters applied to these logical zones will directly depend on the technology, application and capabilities of the end device.
Technology Goes Where Cash Flows
“Technology goes where cash flows” is a classic business rule. Needless to say, IoT solutions and development will occur where they solve the most pressing problems or offer nifty conveniences that businesses are willing to pay for. Successful IoT solutions will be designed by reverse engineering the architecture from the value proposition or solution they provide. The type of solution developed will dictate the levels of security requirements that network operators must consider.
For example, medical devices such as pacemakers or insulin pumps must not only meet health care regulatory requirements, but must also be highly secure as lives directly depend on them. These devices will have low fault tolerance, require high availability, secure access and high privacy parameters. The security requirements for a smart decorative water fountain in a public park would be completely different.
Consulting firms such as Cap Gemini and Goldman Sachs report that the early adopters of IoT are wearables, smart homes and buildings, manufacturing and resource management, smart electric grids and smart vehicles. The various parameters of security (confidentiality, integrity, availability, authorization, non-repudiation and privacy) will be amped up or downplayed in degrees based on the industry vertical, the criticality of the service rendered, and the design architecture and protocols of the solution as determined by the application.
Are Some Technologies More Equal than Others?
Industry forecasts offer mind-blowing figures for volumes of IoT devices ranging from 20 to 40 billion by 2020. To date, there has not been a determination of the single winning technology or protocol stack driving the IoT infrastructure behind these diverse volumes of devices. Technology pundits continue to debate the superiority of their favored technology, architecture or protocol for IoT, be it Wi-Fi, Cellular, LTE, Bluetooth or fiber to the node, while another faction debates centralized intelligence versus distributed localized intelligent nodes.
In real terms, the answer is Yes to all of them. IoT will indeed be an internetworking of legacy, emerging, proprietary as well as open technologies in a seamless, ubiquitous manner. Herein lies the challenge for security practitioners. Security of IoT is clearly not a one-size-fits-all scenario. IoT is, true to its very core, the “Internet of Everything”, right down to a myriad of technologies, which in turn requires the “Security of Everything” interconnected.
Hierarchy of Standards Will Evolve
In terms of standards, security of IoT is one of the more complex challenges that the technology industry has faced. Not everything in IoT is connected to everything in one uniform, undistinguished continuum. Nor are the “things” in IoT equal in technical capability and objectives. The underlying infrastructure for IoT has diverse technology and protocols supporting applications as dictated by business and industry. The variety in IoT introduces an extremely divisive nature to an intended ubiquitous solution.
Securing the underlying fabric of IoT requires multidimensional systems thinking to address the variety of devices, technologies and applications in interplay. Many industry sectors, technologies and protocols already subscribe to different sets of industry specifications and standards. Therefore, one must conclude that the framework for security standards governing IoT must be a framework of many frameworks encompassing security standards of many industry standards.
An inevitable hierarchy of standards will evolve, from international, regional and national standards through to industry-specific, manufacturing, transmission and operating standards for every “thing” in IoT. Setting course for all “things” in IoT to comply with a common hierarchy of standards will bring order to potential chaos and provide the starting point for the Security of Everything.
Daksha Bhasker, MS, MBA, CISM, has over a decade of experience in the telecommunications industry, in various roles spanning business intelligence, strategy planning, business management operations and controls, governance, SOx compliance, complex technical solutions, security risk management and cybersecurity.
She is a member of the network technology development team at Bell Canada.
Views expressed in this article are the author’s and not necessarily those of TIA.