I recently came across a report about the Internet of Things (IoT) submitted to the United States President by his National Security Telecommunications Advisory Committee. It examines the challenges of securing IoT devices in depth. The report’s conclusion is summarized in this quote: “There is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.”
This alarming forecast is even more frightening given this report was submitted to President Obama in November 2014. Eight years later, the window of opportunity continues to close. Cyber and IoT industry leaders haven't significantly changed how this market is evolving or improved the level of security in the IoT space. There are now over 20 billion connected devices, and a very complex and comprehensive ecosystem which supports their activity.
IoT Weaknesses Come Into Focus
In October 2016 the Mirai botnet used hundreds of thousands of compromised IoT devices to execute a DDoS attack on DNS provider Dyn, shutting down major services like Netflix and PayPal. This illustrated to decision makers and executives in the public and private sector the perils of securing IoT devices. Since then, many new threats and security events have occurred, targeting different aspects and components of the IoT ecosystem.
All this is happening while IoT technology adoption is exploding in applications and use cases, from home appliances to remote medicine, factory automation, and smart cities. But there's still been no breakthrough in how the different components of this technology are developed, manufactured, integrated, used, and decommissioned. So the inherent barriers to a secure IoT-reliant world largely remain.
The Security Challenges
Trying to set a security framework for the IoT ecosystem involves unique challenges inherent to the technology and how it’s evolving. The industry is highly fragmented, with an enormous variety of products, standards, protocols, vendors, and use cases. This makes it difficult to set common measures relevant to all stakeholders. Ideally, we could introduce sophisticated security mechanisms that have been proven useful in higher-end IT environments. But the need to supply low-cost solutions and the necessary minimization of products' footprint in terms of size, power consumption, and complexity makes this challenging.
IoT technology is tightly connected to the physical world, affecting physical objects in real time, such as in personal medical devices. So a security framework must handle threats in real time to avoid life-threatening or damage-inflicting consequences. The sheer number of connected devices makes it hard to control and manage every component. Many of these devices are in the field where they aren’t constantly supervised but can be accessed by hostile entities, making it even more difficult to maintain their integrity and avoid malicious interference.
When we think of IoT we usually think about sensors and actuators, but the platform using these devices is much more complex. Many players have an impact on the security of the overall outcome. They include, among others, the device manufacturers, the application developers, the cloud suppliers which host the backend of these applications, the implementers who integrate and install the systems in the field, and obviously—the end-users.
Who is Responsible?
If a security event occurs, it’s unclear which of these parties is responsible for preventing it and is liable for any damage inflicted. As things stand, none of the parties has an interest in trying to fix issues they don’t control. They arguably prefer to ignore the problem and expect someone else to fix it instead. Think of vulnerability patching. Who is in charge of ensuring a component's software is up to date? Is it the device manufacturer? The software provider? The local integrator? The end user? Nobody is accountable for it. So this vital process just doesn’t usually happen. Devices stay out there with obsolete, vulnerable firmware and software exposing them to many types of attacks.
The chain of responsibility and governance for securing IoT devices is broken. You can’t rely on updates, patches, or peripheral defenses of IoT devices to be properly managed and maintained. This leaves the option of protecting a device in runtime. However, the challenges to this are even greater.
IoT devices have much less memory and CPU power than an EDR needs—or even a lowly anti-virus (AV) for that matter. Even if you could install an AV program, to get the signatures and updates needed for its effective operation requires an internet connection, which isn't constantly available in many use cases. Protecting IoT devices requires a very small footprint solution, that doesn't rely on prior knowledge of the attack indicators of compromise (IOCs), and can work effectively in isolated environments to offer real time deterministic prevention.
Securing IoT Devices at Runtime
Until recently, no such solution was available. But Morphisec now offers Knight, which has all the features of the desired runtime protection solution mentioned above. Knight uses Morphisec’s revolutionary and field-proven Moving Target Defense (MTD) technology. This is a deterministic blocking mechanism that doesn't require prior knowledge of attack characteristics (IOCs). And unlike most EDRs, it doesn’t require laborious back-end analysis and processing. MTD enables Morphisec Knight to work effectively in a totally isolated environment with no internet connection for years.
MTD randomizes underlaying operating system components, frequently used services, and library APIs. Trusted applications are made aware of the modified runtime environment, while any software component oblivious to the traps left behind is blocked. When MTD is properly used, no two machines (or devices) look precisely alike, and even a single system keeps changing over time.
Periodic in-memory randomized changes make it incredibly difficult for an adversary to train in one place and then reuse the training results to exploit other machines, or even the same machine later in time. This disables an attacker’s ability to propagate malware to other devices in an IoT network. And it prevents a massive number of devices being harnessed to serve a perpetrator’s goals, as in the previously mentioned Mirai attack.
IoT technology is developing and expanding, but the security gaps threatening its viability remain, despite major efforts recently taken by organizations and governments. We need unconventional thinking and courageous steps to help overcome the inherent barriers to progress and enable us all to safely and securely enjoy the benefits of this technology. Among all other measures, there is a need for runtime protection solutions to secure the IoT platform against supply chain attacks and other sophisticated exploits. Morphisec Knight is a first-of its-kind product that effectively mitigates this problem. It significantly enhances the security level of any IoT platform against sophisticated perpetrators threatening to use this important, benevolent technology to achieve malicious goals. Learn more about Morphisec Knight—read the white paper: How To Defend The New Attack Frontier.