A 3-Tier Approach to IoT Security
To ensure the functionality of an IoT system, software designers should consider a 3-tiered stack of controls, where the lowest level ensures the integrity of the next.
The Internet of Things (IoT) ecosystem offers the opportunity to interact with daily items in a whole new way. Pervasive connectivity, affordable embeddable compute platforms and the rich inter-system interaction enabled by cloud technologies allow us to access and analyze data from physical systems in new ways. This enables greater levels of control to improve the operation of the machine, improve business efficiencies or enrich the user experience. Our challenge is to make sure that we don’t allow today’s cyber-security risk to put us into a repeat cycle of the Y2K rollover issues.
When an embedded system is isolated physically, the security concerns are limited to physical access to that machine. The moment we consider enabling network or cloud connectivity, we need to redraw the boundary of the machine to include any and all systems that could exchange information with our system. Note that I use the word “could,” not “should.” The potential for access to our machine is the hacker’s point of opportunity. That opportunity can be exploited as a result of the design or as a result of the deployment of the system. For example, a hacker may take advantage of a newly discovered vulnerability in broadly adopted open source software, which was the case with the recent Heartbleed vulnerability in OpenSSL.
Alternatively, the hacker may take advantage of risks created at the time of deployment. I recently heard about an HVAC system that was designed to provide control access over an IP network. The system integrator installed a DSL line that allowed them to monitor the system remotely, and effectively created a backdoor into the owner’s private network.
We have to start looking at the embedded, connected software as a component that affects mean time between failures (MTBF) in the same way that we treat the physical components in the system. The reality is that the MTBF of any connected software application is non-deterministic if we have not designed in the appropriate monitors and execution controls. It really doesn’t matter if we have a resistor that has an MTBF of 5 billion hours if the software could be subverted in 17 minutes. The reliability of the overall system is determined by the weakest component. So how do we make our software components deterministic in availability?
We aren’t talking about knowledge-worker devices. The traditional laptop or desktop computer was designed to enable a variety of applications and processing that could vary wildly based on the moment-to-moment needs of the user. That means that in conventional computers, security controls were designed to look for bad activities rather than trying to limit execution to only acceptable activities.
Since the functionality of an IoT device is primarily determined by the physical design of the system, the functionality of the software is reasonably deterministic. For IoT, we can base our security model on positive control over the system. As the designer, we have specified a particular set of behaviors that are governed by a well-known software base. We know how user configurations will be entered and stored on the system. We can achieve positive control and deliver deterministic software reliability by limiting CPU execution to those well-known attributes only. Without strong security control technology, this can be challenging, particularly when the system is based on open software platforms such as Linux or even embedded Windows.
There are three technologies that an IoT software designer should consider to ensure the functionality of an IoT system. We should think of them as a tiered stack of controls, where the lowest level ensures the integrity of the next level.
- Secure boot controls use hardware controls to ensure that the OS and bootloader haven’t been tampered with at the time of system initialization. It is important to include the operating system’s security enforcement components in the startup evaluation. Effectively, we want to compare the state of our boot environment to a well-known state.
- Application control provides execution control at run time. We want to ensure that only our executable code can be loaded for execution by the CPU. Even if a hacker were to find a vulnerability that enables him or her to tamper with memory, application control prevents the CPU from attempting to run any exploit code that they may have been able to load on the system.
- Configuration control gives us control over the user or environmental parameters that govern the behavior of our software. It is important that the configuration parameters are loaded into our system in a way that is either assured by a known input driver/application that is enforced by application control, or assured by secure boot controls.
These controls represent a comprehensive way to implement positive control over the software execution environment. Conventional software quality process still needs to be applied to the system, but the unknown software risks are effectively eliminated.
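The chaining of the three tiers, modelled as an added example (not code from the original article or from any McAfee product): a hardware-anchored key verifies a signed boot manifest, that manifest pins the application-control policy, and the policy in turn pins both the approved executables and the approved configuration. All keys, images and digests are constructed stand-ins, and an HMAC takes the place of the asymmetric signature real secure boot would verify.

```python
import hashlib
import hmac

# Everything here is constructed to model the three tiers: a real device keeps the root
# key in ROM or fuses, the images in flash, and verifies an asymmetric signature.
ROOT_KEY = b"constructed-hardware-root-key"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(data: bytes) -> str:  # HMAC stands in for the hardware-verified signature
    return hmac.new(ROOT_KEY, data, hashlib.sha256).hexdigest()

def entries(blob: bytes, key: str) -> set:
    """Values of 'key=value' lines in a manifest or policy blob."""
    return {l.split("=", 1)[1] for l in blob.decode().splitlines() if l.startswith(key + "=")}

def secure_boot(images: dict, manifest: bytes, signature: str) -> None:
    """Tier 1: check the manifest signature, then each boot component against its digest.
    The manifest also pins the application-control policy, so tier 2 inherits its integrity."""
    if not hmac.compare_digest(sign(manifest), signature):
        raise RuntimeError("secure boot: manifest signature invalid")
    for name, blob in images.items():
        if digest(blob) not in entries(manifest, name):
            raise RuntimeError(f"secure boot: {name} differs from known state")

def app_allowed(policy: bytes, code: bytes) -> bool:
    """Tier 2: only executables whose digest is in the boot-verified policy may run."""
    return digest(code) in entries(policy, "app")

def load_config(policy: bytes, loader: bytes, config: bytes) -> dict:
    """Tier 3: accept parameters only via an allow-listed loader and only if pinned by policy."""
    if not app_allowed(policy, loader):
        raise RuntimeError("config control: loader is not an approved application")
    if digest(config) not in entries(policy, "config"):
        raise RuntimeError("config control: parameters differ from the approved set")
    return dict(line.split("=", 1) for line in config.decode().splitlines())

# Constructed device image: control app, its config loader, operator config, and the policy.
CTL_APP, CFG_LOADER = b"hvac control loop v3", b"config loader v1"
CONFIG = b"setpoint=21\nmax_temp=30\n"
POLICY = f"app={digest(CTL_APP)}\napp={digest(CFG_LOADER)}\nconfig={digest(CONFIG)}\n".encode()
IMAGES = {"bootloader": b"bootloader build 7", "kernel": b"kernel build 12", "policy": POLICY}
MANIFEST = "\n".join(f"{n}={digest(b)}" for n, b in IMAGES.items()).encode()
SIGNATURE = sign(MANIFEST)

def boot_and_run(images=IMAGES, manifest=MANIFEST, signature=SIGNATURE):
    """Run the tiers in order; returns ('ok', config) or ('blocked', reason) for the console."""
    try:
        secure_boot(images, manifest, signature)
        if not app_allowed(images["policy"], CTL_APP):
            raise RuntimeError("application control: control app blocked")
        return "ok", load_config(images["policy"], CFG_LOADER, CONFIG)
    except RuntimeError as err:
        return "blocked", str(err)  # a real device would surface this as a security event
```

Because the policy is itself a measured boot component, appending an extra `app=` line to it fails at tier 1 rather than being honoured at tier 2, which is the property the tiered stack is meant to give.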
Finally, any effective security control should be able to identify when unacceptable conditions arise, and we must have a way to appropriately escalate those for user awareness or intervention. In conventional IT systems that is the security management console or a security information and event management (SIEM) system. For our IoT system, we need to integrate security events into the operator console, and potentially into the overall security and compliance management system.
Greg Brown joined the McAfee network security team in 2006. Brown has 20 years of experience in the network security and telecommunications industry, working with silicon technology vendors, security software/hardware vendors and service providers. He has provided design consultant services for national IT security infrastructure programs on four continents. Brown was the principal designer for first-time national Internet infrastructure programs in more than 30 countries.