The traditional IT security architecture has been through a mammoth, global stress test in recent years thanks to the environment of escalating attacks and huge data breaches.
But perhaps the biggest challenge of all to the traditional IT security architecture has been in the IT evolution driven by the Internet of Things (IoT), Cloud Computing, Edge Computing and related innovations.
Data breaches in recent years have already been reaching epidemic proportions with millions of records compromised in typical breaches. Researchers report that the number of data breaches in 2017 were an order of magnitude larger than in 2005.
At the same time, the nature of IT deployments themselves are dramatically changing, adding more security risk as the IoT and new computing models expand the scope and nature of IT system deployment. Connected devices with the ability to execute relatively sophisticated code are now spread far and wide and have become targets of attackers.
Yet the security architecture commonly deployed in our enterprises uses very traditional controls and methodologies. Firewalled perimeters contain “trusted” zones within which we grant unfettered access to applications and data. Remote devices and users often undergo very basic authentication and access control procedures before being granted access to sensitive systems or data. Encryption may be used to ensure confidentiality of data in motion if it traverses untrusted networks, but such traffic is often in the clear on so-called trusted networks and devices that may be compromised.
And we have seen major breaches caused by the breakdown of these rudimentary security controls when they are applied to IoT and the related computing models. The Mirai Botnet and its continuing variations take advantage of a simple breakdown in security hygiene, the failure of so many of us to change default passwords, leading to huge Internet outages. Brickerbot saw attackers exploiting similar weaknesses, enabling them to “brick” IoT devices and render them useless.
Why is the traditional security architecture failing to protect the IoT? There are a wide range of reasons having to do with the fundamental natures of IoT, Cloud and Edge Computing.
The IT and OT Crossover: The IoT has blurred the lines between Information Technology and Operations Technology. Traditional IT infrastructure and systems — such as data networks, operating systems, application servers and so on — are being tasked with supporting mission-critical operational functions that previously might have used isolated, custom systems.
This creates new incentives for attackers, who may want to target critical infrastructure like utilities or transportation systems, financial services systems, healthcare institutions and so on.
IoT Scale: IoT projects are causing deployments of devices to balloon in scale. Vodafone reports that the number of organizations with IoT deployments greater than 50,000 has doubled in in the past 12 months.
This creates a massive attack surface in terms of deployment scope. Since by definition IoT devices have some form of connectivity, attackers have large numbers of targets to probe and scan for vulnerabilities. Many of these devices will not have undergone adequate security testing, penetration testing or the necessary software composition (software Bill of Materials or BOM) analysis to form an adequate picture of the risk they pose.
Further, the process of patch management can become massively complicated when you consider the need to update and patch tens of thousands of devices.
Compute Creep: IoT involves the placement of smart devices in new, non-traditional places, outside the firewalled borders of enterprises or isolated from other common security controls.
Further, a smart connected appliance in the home in an IoT deployment has much more computing power than the older generation of “dumb” appliances. That means the attack surface of an individual IoT device is much larger than a traditional appliance or non-intelligent device.
Similarly, many IoT deployments rely on analytics and other computing functions pushed close to the edge of the network, perhaps in the Cloud, or distributed among IoT gateways or even devices themselves.
Variously dubbed Cloud computing, fog computing or even “mist” computing, these examples of “Compute Creep” show that processing power and the ability to run sophisticated and perhaps malicious code are landing far outside the scope of our traditional security controls.
The Vulnerability Storm: In 2017 there were more than 14,000 publicly announced vulnerabilities affecting IT systems. Being able to parse these thousands of vulnerabilities to pinpoint the ones that matters, track patches and apply them, becomes a huge vulnerability management job for device makers and their IoT customers.
Security of Things for the Internet of Things
At Timesys, we have captured the industry’s best practices for securing the smart devices that make up today’s IoT.
Our TRST Product Protection solutions enable device developers to audit the security of their systems, harden them, establish secure update processes, minimize attack surfaces, and reduce the risk of compromise when the devices are deployed in production.
With our longtime expertise in embedded open source systems, we specialize in enhancing and maintaining the embedded system security of IoT devices that incorporate open source components. From embedded Linux hardening to CVE monitoring, our solutions enable device developers to design more secure products and maintain a strong security posture for them over time.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.