Ensuring cybersecurity resilience in an ultra-connected world
The development of the Internet of Things (IoT), Artificial Intelligence (AI), the cloud and big data has enabled devices that started out as unbelievable concepts to become a reality. From a consumer standpoint, these ever-increasing trends are often taken for granted as people become accustomed to smart devices becoming more commonplace in all aspects of our everyday lives across all industries – a trend that will only continue to grow. According to Cisco IBSG, the number of connected devices will reach 50 billion by 2020, while IDG expects that 89% of enterprises will have plans to adopt or have already adopted digital technologies to create or modify business processes to meet the changing business and market requirements by the same year. This reimagining of business in the digital age is known as digital transformation. On face value, this is an impressive industry development. However, with the freedom to access the Internet come serious cybersecurity threats. Having a competitive edge in service offering or innovation will not bring much success if there is a cyberattack on the business due to a small IoT device not being secure. It is these devices that are often forgotten but are the easiest for hackers to use to access the whole network. With this in mind, businesses need to learn more about IoT, including both the benefits and the concerns, and change the way they protect their data and assets. Leaving the front door wide open is like inviting a criminal into your home – you just wouldn’t do it – yet that is essentially what happens when IoT devices are not secure, as hackers are granted access to everything.
Denouncing IoT cybersecurity myths
Advances in the industry and the lack of understanding from businesses have made cybersecurity threats much larger. Concerns around security are often limited to protecting sensitive information, with a common misconception that only devices that contain the information need to be secure. Many devices that are connected to the Internet are also connected to each other. Any person with control of one or more of these devices can potentially access numerous computers and networks. The amalgamation of these misconceptions is extremely dangerous. IoT devices can be used to reach bigger targets if they don’t have meaningful cybersecurity measures. For example, hackers have previously retrieved the information of ‘high-roller’ players in a casino by gaining access to the network through a connected fish tank thermometer. Similarly, a bank has had its security breached via access to CCTV. This risk is heightened as companies also look to install the most cost-effective equipment, further opening up the possible number of devices to attack.
It is important to recognize that all IoT devices, no matter their face value, must be protected. It is not necessary for manufacturers to spend the same on installing security as a Government department would, but it is essential that all IoT devices are individually secured to protect themselves. While we aspire to a connected future, we must also pursue a cyber resilient future. One weak device will create an opportunity for a whole network’s exploitation.
A connected world requires cybersecurity customization
While all devices must be protected, there is no one-size-fits-all approach to cybersecurity. It must be integrated into the IoT device from the beginning of both hardware and software design. Cybersecurity cannot afford to be an after-thought or an additional feature.
IoT devices all differ from one another, and it is important that the security caters to that. The importance of the device’s information and the value of the device determine the intensity of security needed. In the case of a bank versus a fish tank thermometer, for example, the price point of the thermometer means that it would be economically unfeasible to install a similar level of security as a bank would use, but that doesn’t make security any less important.
The billions of different device types, sizes, functionalities and uses that the IoT brings further add to this complexity. It would be nearly impossible for small devices to retain high levels of security since they have limited processing, memory, power capabilities and resources. The technologies used and needed to secure IoT devices are changing very quickly, due to the complexity and increased demand of small devices.
A uniform approach
The technologies to solve this challenge already exist within the concept of Trusted Computing, where a Root of Trust – for example, Roots of Trust for Measurement (RTM), Storage (RTS) and Reporting (RTR) – forms the foundation of the device and meets its specific requirements.
There is a wide range of security options on offer and Trusted Computing provides the building blocks to create secure systems. In the instance of a high-risk industrial system, industrial-grade discrete Trusted Platform Module (TPM, also known as ISO/IEC 11889) hardware can be built into the plant’s firewall as well as the control system. This enables these systems to be monitored in real-time and more sophisticated attacks to be prevented. For lower-risk devices, TPM firmware can be created, which encompasses the same set of commands but is less rigorously secured and coincidently more cost-effective. For very tiny IoT devices, where TPM firmware isn’t worthwhile, the Device Identifier Composition Engine (DICE) offers a good alternative.
With the growth of IoT devices comes an increase in extremely small connected devices, presenting a new challenge of how to secure devices with very minimal space to operate with.
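To make the measurement and reporting roles named above concrete, here is an added example (not from the article or from TCG code) of a TPM-style extend chain, a quote over the resulting register, and a verifier that replays the event log. The function names, the two boot stages and the key are hypothetical, and an HMAC stands in for the signature a real Root of Trust for Reporting would produce.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 register, all zeroes at reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(stages):
    """RTM role: hash each stage before it runs, extend the PCR, log the digest."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def quote(key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """RTR role: bind the PCR to the verifier's nonce (HMAC stands in for a signature)."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()


def verify(key, nonce, log, tag, known_good):
    """Verifier: replay the log, check the quote, then check each digest against policy."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    if not hmac.compare_digest(quote(key, pcr, nonce), tag):
        return "log does not match quoted PCR"
    bad = [name for name, digest in log if known_good.get(name) != digest]
    return "untrusted: " + ", ".join(bad) if bad else "trusted"


# Constructed sample data: two boot stages of a hypothetical connected thermometer.
KEY = b"constructed-attestation-key"
GOOD = [("bootloader", b"bl-v1"), ("firmware", b"fw-v1")]
KNOWN_GOOD = {n: hashlib.sha256(i).digest() for n, i in GOOD}


def attest(stages, nonce=b"nonce-1", forge_log=False):
    pcr, log = measured_boot(stages)
    tag = quote(KEY, pcr, nonce)
    if forge_log:  # device reports the expected digests instead of the real ones
        log = [(n, KNOWN_GOOD[n]) for n, _ in log]
    return verify(KEY, nonce, log, tag, KNOWN_GOOD)
```

Because the register can only be extended, never set, a device running modified firmware cannot report a clean log without the replayed value disagreeing with the quoted one.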
Introducing the ‘world’s tiniest TPM’
These small devices cannot be left without security measures in place, as that will create a weak access point for a cyber-attack. However, the inclusion of a TPM chip could be impractical due to cost, space and power.
In order to address this challenge, the industry needs defined specifications that allow a tiny TPM to be integrated directly within the host chip. These specifications, alongside other industry specifications and standards including NIST 800-193, will ensure that devices which are too small to integrate a separate TPM chip will still be able to retain the required RTS/RTR capabilities. The tiniest TPM will enable greater reach of Trusted Computing technologies over a wider set of devices and use cases, developing resilient IoT security and securing our new ultra-connected, automated world.
This article was written by Joerg Borchert, the President of Trusted Computing Group (TCG). He was born in Hamburg, Germany. He studied Mechanical Engineering and Business Administration at the Technical University of Darmstadt, Germany. He achieved his PhD in Economics before he joined Siemens AG in 1988. Initially Joerg was on the staff of the Corporate Board of Directors handling Mergers & Acquisitions in Munich, Germany. In 1992 he joined Siemens Semiconductor which became Infineon Technologies in 1999.