By Scott Nelson, CEO/CTO, Reuleaux Technology, LLC.
“FTC Warns of Security and Privacy Risks in IoT Devices”
“Just one in 10 IoT devices offer adequate security, warns research”
Internet of Things (IoT) security was the belle of the ball again last week in the tech news feeds. First the FTC decided to get involved in anticipation of more regulations around personal privacy. Then the results of an IOActive security survey once again confirmed that security in connected devices is an important concern and one of which much of the tech community is still uncertain.
None of this is new and I have commented on the confusion created by the constant stream of security call outs before. But there does appear to be a theme on what companies need to do about IoT security. The IOActive CEO stated:
The problem is that security is not considered early enough in the design process so it has to be dealt with later
The message: practice security-by-design. I heard this loud and clear during my discussion of IoT security with security expert Todd Carpenter of Adventium Labs. I also heard it recently during a discussion with the VP and Security Czar of a major controls company. Readers will find security-by-design called out in most every post offering advice on the increasing threat surface of IoT – start with security, don’t try to add it after product launch.
So if security-by-design is so obvious and experienced security practitioners can site best practices for developing security systems, why are IoT solutions still struggling with security? Again, IOActive CEO: “Companies often rush development to get products to market in order to gain competitive edge, and then try to engineer security in after the fact.” Todd Carpenter had a similar point of view regarding IoT products as compared to the avionics and medical products upon which he had worked. I believe that this is an accurate assessment of the situation, but is not root cause. I believe root cause is a lack of clarity — clarity on the value of the offering.
Now some will say, and in many cases correctly, that root cause is motivation, or a lack thereof, due to a lack of consequence to security failure and thus a lack of accountability for producers. But this is a point of view that considers primarily the newsworthy confidentiality/privacy aspect of security, particularly as it relates to financially driven identity theft. But as Todd and I proposed in our post the “CIA” security triad (Confidentiality, Integrity, and Availability) becomes a four sided, multi-surface relationship for IoT adding the liability of both users and producers. Producers of highly reliable systems, e.g. avionics, medical, control systems, have successfully addressed and balanced these components – security with good design process and practices. They have practiced security-by-design and the key to their success has been clarity of purpose for their products in the form of thorough and well researched requirements.
Design is a process and like all processes outcome success is dictated by the quality of the inputs. The leading input is requirements and good requirements come from clarity of purpose. In the context of security this means the requirements for integrity, availability, confidentiality, and liability. This is where IoT is clearly struggling because so much of the discussion is about a technology push rather than a clear application that defines why the offering is needed.
How does one define the requirement for Confidentiality for a cloud platform that is used for monitoring mouse traps AND oil tanks on a North Dakota oil field? Can a single gateway meet the Availability requirements for both public Wi-Fi access and trashcan monitoring in an airport? When the use of an IoT product is not clear, particularly if the product is a horizontal partial-stack solution, the challenge for designing in security becomes intimidating because every requirement becomes worst case. Since over designing a product can be as much a failure as under designing and over designing usually leads to over pricing which in turn leads to lack of adoption, death to any As-A-Service offering, companies have erred to the side of under design or no design for security in the IoT.
However, we must assume that the market is going to become efficient and the consequences of a security failure will be a business failure. The key to taking accountably is to get clarity on the value created — why will customers buy this product. Clarity allows focus and proper assessment of security expectations of users. Expectations become requirements and then known good security design practices can be applied.
Clarity enables security-by-design.