In this unusually lengthy blog post I discuss how model-driven security is (and has always been) a perfect match for the Internet of Things. We are just wrapping up an embedded systems security consulting project, and are working hard in another large project to bundle our OpenPMF model-driven security policy automation product for easy adoption for IoT. OpenPMF has also supported industrial IoT middleware platforms such as DDS for many years. Furthermore we are working on some privacy by design opportunities with various partners. In this post you will see how all this comes together beautifully 🙂 If you already know IoT and IoT security well, feel free to skip the next two paragraphs.

Internet of Things (IoT)

The IT industry is currently at a significant pivotal point: The miniaturization and commoditization of hardware (with sensors and actuators), together with “always-on” network connectivity, and software everywhere. A current buzzword for this trend is the “Internet of Things” (IoT), “the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”

IoT is about embedded interconnected systems and applications, with mostly “machine-to-machine” (M2M) interactions (the traditional internet has many more user-to-machine interactions). Excluding PCs, tablets and smartphones, IoT is forecast to grow to 26 billion units installed in 2020 (almost a 30x increase from 0.9 billion in 2009), with IoT product and service suppliers' incremental revenue exceeding $300 billion, resulting in $1.9 trillion in global economic value-add through sales into diverse end markets.

IoT blurs the line between traditional electronic devices and software-driven computers. IoT includes many safety-critical and mission-critical industries, such as smart grid, smart cities, smart homes/home automation, security systems, “wearables” (a very fast-growing 78.4% CAGR market segment that includes e.g. smart watches, health monitors etc.), just to name a few.

Analysts predict that much of the IoT will be built from software running on standardized, network-connected hardware platforms (not too different from the PC world of the 80s/90s). Costs for such embedded hardware devices are so low that standard hardware (essentially a very small, fully functional computer) is often more cost-efficient and faster-to-market than purpose-built hardware. As a consequence, there is now software in consumer electronics such as internet-enabled power plug adapters, internet-enabled light bulbs (e.g. Philips Hue), internet-enabled sprinkler systems (e.g. Cyber Rain Smart Irrigation Controllers), internet-enabled home security systems (e.g. ADT Pulse), just to name a few. More traditional applications for embedded systems (e.g. cars) also see an increasing focus on software to drive functionality.

IoT Security:

IoT security is currently mostly poor; it remains a significant technical challenge and a significant, mostly untapped market opportunity. To showcase just one example of poor/failed IoT security, authorities in several U.S. states are reporting that a hacker has once again broken into and defaced electronic road signs over highways. In June 2014, news media in North Carolina reported that at least three highway signs there had apparently been compromised and re-worded to read “Hack by Sun Hacker.”

Similar incidents were reported between May 27 and June 2, 2014 in two other states, which spotted variations on that message left by the perpetrator (including an invitation to chat with him on Twitter). “A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet. Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights and other sensitive systems. Home automation systems are often connected to security devices, so they are part of the overall security of a home.

Because of this, they should have security controls built into them. Companies that manufacture these systems are trying to get their products to market as fast as possible, and they often overlook security testing because it impedes that process” (source). An analyst states that “engineering staff at embedded device OEMs rate security as the single most common obstacle to their organizations developing connected products”, “two-thirds of embedded engineers say that security is very important or extremely important to their customers”, “fewer than half of engineering firms conduct penetration testing of their embedded devices”, “security related software and hardware represent 5% or less of Bill of Materials costs for most embedded engineering projects, but that proportion is expected to nearly double over the next three years”, and “although security requirements add to development time and costs, OEMs are successfully able to raise prices in response”. A good paper on the lack of cyber security (and what needs to be done to fix it) for power grids has been written by RAD.

Another good paper about the implication of the evident lack of security in enterprise-connected mobile and embedded devices is here. “Due to the low cost of adding IoT capability to consumer products, Gartner expects that “ghost” devices with unused connectivity will be common. This will be a combination of products that have the capability built in but require software to “activate” it and products with IoT functionality that customers do not actively leverage. In addition, enterprises will make extensive use of IoT technology, and there will be a wide range of products sold into various markets, such as advanced medical devices; factory automation sensors and applications in industrial robotics; sensor motes for increased agricultural yield; and automotive sensors and infrastructure integrity monitoring systems for diverse areas, such as road and railway transportation, water distribution and electrical transmission.” “By 2020, component costs will have come down to the point that connectivity will become a standard feature, even for processors costing less than $1.

This opens up the possibility of connecting just about anything, from the very simple to the very complex, to offer remote control, monitoring and sensing,” said Mr. Middleton. “The fact is, that today, many categories of connected things in 2020 don’t yet exist. As product designers dream up ways to exploit the inherent connectivity that will be offered in intelligent products, we expect the variety of devices offered to explode.” Another question is what will happen to all the aging and increasingly insecure IoT devices, considering that frequent, automated software patching may not be practical, but new attacks will emerge continuously.

One solution would be to design these devices with an expiration date, i.e. they are programmed to stop working at the end of a specified lifetime. As with embedded devices, an industry analyst (on a phone call I had with Gartner) predicts that consumers will pressure vendors to provide better security because of the criticality of some of the IoT infrastructure and their impact on our physical world. An immediate market where consumer pressure will be strong is embedded systems for healthcare: Healthcare device companies are currently panicking and looking for solutions. In the mid-term, manufacturing is a market where consumer pressure will be strong, because of the use of robots, IoT etc.

Model-driven security: The perfect match

Turns out that we have implemented model-driven security (MDS) for IoT for over a decade, without using the terms IoT or M2M, esp. for air traffic management, intelligent transport systems, telecoms network management systems, utilities. This is because M2M environments are highly favorable for implementing MDS: For MDS to work well, a “system description” of some sort needs to be fed into the MDS model transformation process. While parts of this system description can be automatically detected, MDS is most effective if there is a repository that holds information about systems and their well-defined interconnections (as is the case for IoT/M2M). This differs from traditional office environments with general purpose desktops and servers, where interactions are made ad-hoc by users (e.g. emailing documents, retrieving documents from a network drive etc.).
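A minimal sketch of the transformation step described above, added here as an illustration and not OpenPMF code: a type-level policy plus a system description of declared interconnections is expanded into per-node allow rules with default deny. The node names, operations and policy format are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    src: str        # calling node
    dst: str        # called node
    operation: str  # operation invoked on dst

# Constructed system description: each node has a functional type, and the
# repository lists the well-defined interconnections between nodes.
NODES = {"radar-1": "sensor", "radar-2": "sensor", "tracker": "fusion",
         "display-1": "hmi", "archive": "storage"}
LINKS = [
    Link("radar-1", "tracker", "publish_plot"),
    Link("radar-2", "tracker", "publish_plot"),
    Link("tracker", "display-1", "publish_track"),
    Link("tracker", "archive", "store_track"),
    Link("display-1", "archive", "store_track"),  # in the model, not in the policy
]

# Generic policy written once at type level (hypothetical format):
# (caller type, callee type) -> operations the caller may invoke.
POLICY = {
    ("sensor", "fusion"): {"publish_plot"},
    ("fusion", "hmi"): {"publish_track"},
    ("fusion", "storage"): {"store_track"},
}

def transform(nodes, links, policy):
    """Expand the type-level policy over the system description.

    Returns (rules, uncovered): per-node allow rules, and modelled links
    that the policy does not permit and that need human review.
    """
    rules, uncovered = set(), []
    for link in links:
        key = (nodes[link.src], nodes[link.dst])
        if link.operation in policy.get(key, set()):
            rules.add((link.src, link.dst, link.operation))
        else:
            uncovered.append(link)
    return rules, uncovered

def is_allowed(rules, src, dst, operation):
    # Default deny: only interactions generated from the model are permitted.
    return (src, dst, operation) in rules

RULES, UNCOVERED = transform(NODES, LINKS, POLICY)
```

Adding a third radar to `NODES` and `LINKS` yields its rule on the next run without touching `POLICY`, which is why a repository of declared interconnections matters for this approach.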

So if you are wondering what to do about the much-talked-about IoT security challenges, maybe it’s time to consider model-driven security (MDS). Our IoT-ready OpenPMF MDS product is an ideal candidate to implement effective IoT security.
