The Internet of Things Security Foundation (IoT SF) is a non-profit collaborative organisation that provides an expert resource for sharing knowledge, best practice and advice in the field of IoT security. We chatted to co-founder and managing director, John Moor, about the myriad of security challenges that the IoT presents in what is perhaps the next evolution of technology.
When and why was the Internet of Things Security Foundation set up?
Back in 2015, I was working for the National Micro-electronics Institute (NMI) and the chairman of the board asked me ‘do you think we should take a look at IoT security?’ Given that he is a successful serial entrepreneur and was the CEO of an IoT company at that time, it wasn’t really a question, he was basically telling me to take a look at the state of security in IoT. At the time I remember thinking that it was perhaps a bit narrow, a bit esoteric, wasn’t it a mature discipline already and why me? This is because my background is in innovation and embedded – not security per se.
I started to have a look at it, and just from a cursory look, it became very apparent that there were massive problems throughout. The word I used to describe the state of IoT security around that time was egregious. It was not a word I used a great deal before hand, but it was a word that summed it up. There were holes in security everywhere.
As part of the proofing process, we held a summit at Bletchley Park in May 2015, and we tried to do a landscape piece on IoT security in one day. We heard from everyone in the field, from intellectual property providers (notably ARM), to the regulator, researchers, academics and practitioners. One of the presenters there summed it up that day neatly when he said, ‘we can’t carry on like this!’
What are the goals of the IoT SF?
The summit at Bletchley Park in 2015 was on the eve of a general election hence we decided to have a bit of fun and put voting cards out for the audience. The question posed was, ‘Was this simply an informative day out or do you think something more needs to be done about IoT security?’ 97% of attendees said ‘yes, something needs to be done’. But we didn’t ask what, so that was the next stage of the journey.
When we formed the Internet of Things Security Foundation, one of the things we said we wouldn’t be was a standards body. Aside from the fact that there were already plenty of good standards bodies in existence, it was clear to us that the need was now – immediate action was required. We therefore decided that we would put our immediate efforts into guidance and best practice.
IoTSF sets out to:
- Raise awareness. I think we’ve done a great job in doing that – not just here in the UK but globally. We are not the only body of course, but we were definitely one of the leaders – then and now.
- Improve the quality of solutions and make sure they are fit for purpose. In that process, we are also trying to raise the standards of deployed IoT security.
- Make it safe to connect, we’re fundamentally helping to enable the uptake and development of IoT applications by making sure the security foundations are secure.
What are the burning issues in IoT today?
The good news is that there’s been some solid progress made in the last 5 years, however, these things are not fixed overnight. When you look at where IoT can be applied, it’s pretty much across every market and industrial sector from consumer IoT through enterprise, medical, transport, manufacturing – all the way up to national infrastructure. It is fundamentally about the security of every connected system and these are much more pervasive today than they were 10 years ago, in part due to the mobile era and the mass production of smart technology components. The barriers have come right down and the cost of putting a piece of connectivity into a product is very low, but the implications are incredibly profound, way beyond the security risk. I like to think of IoT – or connected embedded systems in my framing – as simply the next wave of the internet, bringing the next evolution of innovation. It’s been interesting for me as it’s the first time in my entire career that I have thought, we perhaps need to move a bit more slowly, and more cautiously with technology. This is purely because of the vulnerabilities and the threats that connected systems now pose. Because of connectivity and the proliferation of software-defined products, there has been a complete paradigm shift in the way that we design applications and appliances. We can see this taking place now, for example, in the fundamentally different way cars are being designed.
Business models are also changing, as IoT brings an awful lot of opportunity to extend the life of products. It begs the question as to whether companies should be avoiding obsolescence in physical appliance and shifting towards selling services?
After the second world war, there was a time where consumer markets really took off as the conditions were right both socially and economically. The result is that we have acquired more and more possessions and today, we enjoy more choice than ever. However, we don’t really need to own more stuff – partly because the technology changes so quickly and also because more stuff means more things to look after. What we want is the benefit of all that stuff but without the maintenance problems or the burden of ownership. This plays neatly into IoT because connected services mean there is a lot of opportunity to add services and to extend the lifetime of products. This could specifically reduce e-waste. Manufacturers are often guilty of designing obsolescence into consumer devices which ensures that they don’t last long. This might be good for their business, but it’s not good for the consumer and it’s not good for the planet. With IoT, we now have the opportunity in many areas to look at more services as a business model which will change the way businesses and the economy work. We will increasingly become consumers of services rather than physical products.
What are the unique challenges to security that connected devices create?
In the connected world, everything is built up of electronic systems. The reason I got into this area is because my background is embedded systems, and the IoT is made up of connected, embedded systems. We used to have air-gapped – stand-alone systems and we would concern ourselves with the safety, reliability and physical security of accessing that system. Now we are connecting them up and you can access them from anywhere in the world. What that means is we have created a massive attack surface and our systems need to be resilient on the face of a remote adversary.
Before we started connecting everything up, we didn’t need to think about security in the same way because the threat model was different. Innovators were usually just thinking about how to design something, and how to make it work, and that basically means that none of our computers, or our microprocessor architectures were designed specifically with security in mind. Just think about that for a moment, the entire computing base of the world, everything from toasters to mainframes, were not designed with security in mind at the component foundational level.
I am an engineer at heart and I like to think that engineers solve problems. You can’t solve problems until you really understand the nature of the problem, so you have to go in and look at it and do the regression. You say, ‘here’s a problem and here’s how it manifests, what’s underneath that? but why? but why? but why?’ Eventually, you get to the final issue and then you understand, ‘that’s what we need to fix’. If you try to solve problems higher up, all you do is treat the symptoms.
I often talk about the epiphany of the obvious. Certain things are obvious, but until you think about them, they are elusive to you. When I started to explore the security in IoT and border cyber security, I came across these two related words, security and safety. I had to work out if they were the same thing and if not, how were they different? The answer now is obvious to me – but only after I took the time to think about it. They are definitely not the same, safety is usually concerned with an unfortunate sequence of events that leads to something bad happening, it is often an accident. When you are looking at security in IoT, there’s always a human motive behind it – something nefarious done on purpose. You can cover safety off pre-market – by looking at how accidents might happen, but to deal with security, you also have to get into the mind-set of a hacker, design in mitigations and then maintain its efficacy throughout the system lifecycle.
As you try to understand the nature of security, you get into all kinds of nuances and you’ll find yourself getting a little pedantic at times. For example, it’s important to understand why trustworthiness is more important than mere trust, the limits of certification, the need for continuous assurance and why ‘secure’ is not a realistic objection (but secure-enough is).
Security is significantly more than the technology, it involves people, it involves policy, processes, culture, and psychology, it involves supply chains. You keep adding pieces to the mental model and with those pieces come more risks, threats and vulnerabilities. IoT security is a wicked and complex challenge with no universal solution. So how do we deal with all that complexity? Well, the only way I know how to approach complexity is to break it down until it’s simpler and more manageable.
At IoT SF, we started to break the issues down and look at putting solutions in place for each part. We started where we felt the problems were the most acute and it was clear back in 2015 that the consumer space was most pressing. There are many challenges with consumer IoT devices, low barriers to entry, lots of innovation, little regulation in security terms and it’s very easy to take a product and add a bit of connectivity. These, sometime ephemeral products, may not be the subject of an attack themselves, but they can become a pivot to something bigger. A well quoted case is the Darktrace example of the IoT thermometer sensor in a casino fish tank that allowed hackers to access the networks and steal data from an undisclosed American casino.
How do you view the proposed UK legislation for consumer IoT devices?
I absolutely applaud the approach that the UK Government has taken, if you look at the nature of security, as I’ve discussed, it’s very complex. Therefore, we have to start with the basics and what is being proposed in the legislation is a very practical step forwards. It’s not an end point, it’s a start of a longer journey and we will improve it along the way. At the IoT SF, we have been raising awareness and preparing the ground for so long, the next stage now is to give industry a practical scheme that they can demonstrate that they’re compliant with the fore-coming regulation. There is certainly a place for a basic level certification like IASME’s IoT Security Assured scheme.
The IoT SF have been working with the relevant Government departments to prepare guidance to help industry understand what its obligations will be in anticipation of the new legislation. We’ve done a series of webinars about the first three guidelines in the ETSI standard which will become the focus of the legislation, we’ve also produced some quick guides, literally one or two pages to give the headlines about what each of those three initial guidelines are about. All the guidance is available free on our website on the consumer IoT page.
The first guideline is no universal default passwords. At the IoT SF, we’ve been looking at the utility of passwords, and it’s raised a simple question, are passwords fit for IoT? Perhaps they are fine when you’ve got one or two devices, but when you’re talking about dozens of devices in the home, and billions of devices worldwide, are passwords fit for purpose? We don’t think so, they are not particularly good and there are better ways to do what they were intended to do. So, passwords in the world of IoT don’t make a lot of sense. When we look at consumer IoT devices, we tend to think about something that is attached to your mobile phone with an app. That’s not what IoT is going to be about in the future. The fabric of technology will involve machines making decisions and talking to other machines without an app, without the interaction of humans, the technology will become automated and work by itself.
The second ETSI requirement is largely about having vulnerability management under control. You need to design security in of course, but because of the nature of software, it will have vulnerabilities that will most likely become apparent in operation throughout its lifecycle. The important thing, therefore, is to recognise this and have a process in place that when these vulnerabilities are found, you can fix them. Personally, I think vulnerability management is the most important aspect of security in operation because what you then have is trustworthiness. Trust is for one moment in time, but trustworthiness is much more enduring. If you are buying things, you tend to buy from suppliers you trust. You trust them because they demonstrate some behaviours, for example, if something goes wrong, you can trust that it’s in their interest to fix it. Vulnerability management for me is the most important behaviour that I would be looking for in any producer of IoT post the sale. I would go even further to say, if there was a vendor or manufacturer who doesn’t have vulnerability management, they should not be allowed to produce IoT. They are not credible.
This is also the subject of the third requirement as we talk about software security updates. If you have software, you’ve got to have the ability to update it.
In terms of the timeline at IoT SF, we started by looking at manufacturers and their needs, because this is where security gets built in. It’s very hard to bolt it on later and it’s never as good. The next phase that we’re trying to do, is to influence purchases. We’re asking buyers to specify security in their purchasing. If the market doesn’t ask for it, the supply base won’t necessarily see the need to supply it.
We developed a catch phrase to sum up the IoT message: Build secure, buy secure, be secure. Three BSs. Yes, you can quote me as saying that IoT needs more BS, and if that helps people remember it, that’s a good thing.