The oft used term "the Internet of Things" (IoT) has expanded to encapsulate practically any device (or "thing") with some modicum of compute power that in turn can connect to another device that may or may not be connected to the Internet. The range of products and technologies falling in to the IoT bucket is immensely broad — ranging from household refrigerators that can order and restock goods via Amazon, through to Smart City traffic flow sensors that feed navigation systems to avoid jams, and even implanted heart monitors that can send emergency updates via the patient's smartphone to a cardiovascular surgeon on vacation in the Maldives.
The information security community — in fact, the InfoSec industry at large — has struggled and mostly failed to secure the "IoT". This does not bode well for the next evolutionary advancement of networked compute technology.
Today's IoT security problems are caused and compounded by some pretty hefty design limitations — ranging from power consumption, physical size and shock resistance, environmental exposure, cost-per-unit, and the manufacturers overall security knowledge and development capability.
The next evolutionary step is already underway — and exposes a different kind of threat and attack surface to IoT.
As each device we use or the components we incorporate in to our products or services become smart, there is a growing need for a "brain of brains". In most technology use cases, it makes no sense to have every smart device independently connecting to the Internet and expecting a cloud-based system to make sense of it all and to control.
It's simply not practical for every device to use the cloud the way smartphones do — sending everything to the cloud to be processed, having their data stored in the cloud, and having the cloud return the processed results back to the phone.
Consider the coming generation of automobiles. Every motor, servo, switch, and meter within the vehicle will be independently smart — monitoring the devices performance, configuration, optimal tuning, and fault status. A self-driving car needs to instantaneously process this huge volume of data from several hundred devices. Passing it to the cloud and back again just isn't viable. Instead the vehicle needs to handle its own processing and storage capabilities — independent of the cloud — yet still be interconnected.
The concepts behind this shift in computing power and intelligence are increasingly referred to as "Fog Computing". In essence, computing nodes closest to the collective of smart devices within a product (e.g. a self-driving car) or environment (e.g. a product assembly line) must be able to handle he high volumes of data and velocity of data generation, and provide services that standardize, correlate, reduce, and control the data elements that will be passed to the cloud. These smart(er) aggregation points are in turn referred to as "Fog Nodes".
Source: Cisco / Click to Enlarge
Evolutionary, this means that computing power is shifting to the edges of the network. Centralization of computing resources and processing within the Cloud revolutionized the Information Technology industry. "Edge Computing" is the next advancement — and it's already underway.
If the InfoSec industry has been so unsuccessful in securing the IoT, what is the probability it will be more successful with Fog Computing and eventually Edge Computing paradigms?
My expectation is that securing Fog and Edge computing environments will actual be simpler, and many of the problems with IoT will likely be overcome as the insecure devices themselves become subsumed in the Fog.
A limitation of securing the IoT has been the processing power of the embedded computing system within the device. As these devices begin to report in and communicate through aggregation nodes, I anticipate those nodes to have substantially more computing power and will be capable of performing securing and validating the communications of all the dumb-smart devices.
As computing power shifts to the edge of the network, so too will security.
Over the years corporate computing needs have shifted from centralized mainframes, to distributed workstations, to centralized and public cloud, and next into decentralized Edge Computing. Security technologies and threat analytics have followed a parallel path. While the InfoSec industry has failed to secure the millions upon millions of IoT devices already deployed, the cure likely lies in the more powerful Fog Nodes and smart edges of the network that do have the compute power necessary to analyze threats and mitigate them.
That all said, Edge Computing also means that there will be an entirely new class of device isolated and exposed to attack. These edge devices will not only have to protect the less-smart devices they proxy control for, but will have to be able to protect themselves too.
Nobody ever said the life of an InfoSec professional was dull.
By Gunter Ollmann, Chief Security Officer at Vectra
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services