Securing the Internet of Things

I wrote recently about the consumer-IoT’s “basket of remotes” problem, the realization that the growing divergence of a “hodge-podge of ad hoc solutions managed through fragmented systems” risks needlessly complicating consumers’ already busy lives. Fortunately, industrial and commercial sources such as Advantech are already well ahead of their consumer counterparts in delivering comprehensive integrated IoT solutions to their enterprise-scale clients. Ditto the security challenges that have recently made headlines in the consumer-IoT arena.

A November 27, 2013 article by Holger Reinhardt titled “To Secure the Internet of Things, Assume Failure,” published in InfoWorld, now seems prophetic in light of headlines that have dominated consumer-tech blogs since my first draft of this note (Wired, TechCrunch, ReadWrite, and others). Reinhardt’s title summarizes his advice nicely, and his realist approach to IoT security is founded largely upon recognition that human error – failure to implement and follow strict, rational security protocol – is too often the source of system vulnerabilities. As an example, he cites an alarming survey (reported in September, 2013 by Kyle Quest in VentureBeat) on that most-basic element of security protocol, the end-user password.

“When users pick ‘password’ or ‘123456,’ it doesn’t matter how secure the password storage and password hashing are because attackers will guess these passwords in no time.”

Quest “reviewed more than 130 Cloud and SaaS services,” finding that, despite the relative technical proficiency of most of the services’ end-users, 31 of the services required a minimum of just a single-character password, 11 required just four characters, nine required just five characters, 48 required only six, and nine services required just eight characters, all with no restrictions on character case or requirement of special characters! Think about that for a minute. Single-character passwords. Really?

“Everyone accepts we’re moving to a future where individuals and organizations will use a large number of discrete applications and services; we need to start thinking about how the building blocks of applications — among them security and password protection — can best be tailored to deliver the needs of this new world.”

So, we’re back to the basket-of-remotes problem of “a large number of discrete applications and services.” Which led me to another November, 2013 article, Ed Moyle’s “Securing the Internet of Things: 5 Easy Pieces” in E-Commerce Times. Moyle’s five are (and I quote):

  1. Threat Awareness/Intelligence,
  2. Inventory Management,
  3. Application Security,
  4. Vendor Governance, and
  5. Business Integration.

As for vendor governance, Moyle notes: “Securing the supply chain can be particularly critical when it comes to securing purpose-built devices.”

And how best do you secure your supply chain? By focusing on vendors that have the capacity to supply comprehensive, integrated, hardened IoT solutions. My list of vendors with all qualities critical to IoT security is a remarkably short one, with Advantech earning a key position thereon. As Advantech President Chaney Ho noted in his address in yet another November 2013 forum, the Embedded World Partner Conference in Suzhou, China:

“In 2020, the world will have generated more than 40 billion connected devices, and there will be more than 5 billion edge computers produced to support linkage between all these devices.”

Despite the enormity of those projections, his and Advantech’s focus remains simply empowering, as he said, “the functions of connectivity, manageability and security.” That’s a guiding philosophy you can count on.