The IoT has enabled rapid digital transformation across industries. A 2019 report from International Data Corporation (IDC) predicts that the number of IoT devices around the world will increase to 41.6 billion by 2025 and generate 79.4 zettabytes (ZB) of data. These estimates reflect the critical role that IoT will play in the future as organizations pursue competitive advantage and work to meet customer requirements.
The marketplace has become hypercompetitive. Organizations must be able to harness rapid technological advancements to create new solutions. IoT platform vendors have entered the market to meet this challenge by putting the power to design and deploy systems directly into the hands of business users. Traditional Information Technology (IT) staff are strained as they struggle to meet demanding timelines associated with IoT deployment schedules. At the same time, IT Security (ITS) personnel are being stressed as they attempt to understand the threats associated with new and unfamiliar IoT technologies.
Today’s IoT platforms provide business users the ability to use no-code and low-code tools to quickly design and deploy IoT solutions that meet their needs. These platforms offer easy-to-use visual tools, drag-and-drop interfaces and model-based design methods. These are powerful tools for business users, but they can result in business-facing departments bypassing their IT departments to deploy their own shadow-IoT systems, leaving ITS with limited or no visibility.
Microsoft’s IoT Plug and Play ecosystem, for example, is beginning to introduce embedded devices that can be connected to the cloud with no coding. Instead of developing new interfaces and using software development kits (SDKs) to develop new IoT applications, business users can simply create JSON configurations that take advantage of standardized features enabled by device manufacturers for the Azure platform.
Platforms and ecosystems such as this are valuable for business users that require agile tools to meet their demanding market requirements. However, the target users are not typically trained security professionals. They may lack the expertise required to identify the best cyber security controls to mitigate the unique risks to their systems. As business users attempt to take full ownership of the application development role, this opens a potential gap that may introduce new security weaknesses into an organization’s infrastructure. To resolve this gap, a new way of thinking about how security is defined and implemented for these easy-to-deploy systems is required.
What is needed?
Now more than ever, collaboration across the IoT ecosystem is required in order to effectively identify and mitigate the cyber security risks within an IoT system architecture. IoT product vendors have the greatest responsibility – they must do their part to secure their products prior to release. Vendors should also work on methods to effectively communicate the risk profile of their offerings to integrators and customers.
No-code and low-code platform developers also carry a heavy responsibility. These platforms already make it simple to create new features. This same level of simplicity should be provided to help users to securely configure their systems and to help users deploy the appropriate security tools for their risk environment.
End-user organizations of course have responsibilities as well. Policies and procedures should be drafted that dictate the proper approvals required for a no-code/low-code IoT deployment. And business users and executives must receive proper training to understand and accept the risks associated with deployment of IoT solutions. Traditional ITS departments must do their part as well, constantly scanning for vulnerabilities across their business’s known and unknown deployments.
No-code and low-code platforms such as Pega for IoT, ThingLogix and Temboo allow business users to easily create data visualization features, remotely monitor machinery and processes, and even integrate machine learning through drag-and-drop interfaces. These systems may also enable a data virtualization layer that makes it easy to deploy IoT systems without re-engineering legacy datastores. The rich sets of capabilities enabled by these platforms will benefit from automated security features.
At the most basic level, cyber security for no-code and low-code deployments should be made as simple as the click-to-deploy process. This requires an elevated level of coordination between device vendors, no-code platform developers, and organizational ITS departments. If properly coordinated, ITS departments can integrate with platform security features such as asset management, firmware management, and authentication already being provided by these platforms in order to enforce enterprise-wide security architectures and enable automation.
Automated Security Begins with the Product Vendor
ITS departments must be able to have confidence that all of their IoT systems are being developed using well-secured products, that product and system configurations are locked down appropriately and that compliance mandates are continuously met. Given the scale of the IoT, automation is essential to achieving this goal.
Today, product vendors use tools such as VDOO Vision to scan their products for weaknesses and vulnerabilities. This can provide the vendor with a good indication of the security posture of their product. Organizations such as the Internet Engineering Task Force (IETF), however, are developing standardized protocols such as Automated Security Configuration (PASC) that allow for the machine-readable communication of that security posture to end-customers. Having a machine-readable description of device security posture and capabilities will allow end-customers and no-code/low-code platform developers to integrate automated security controls within their systems based on the unique device composition of any given solution. A trustworthy method for enabling this security state communication is through third-party security assessments.
Machine-readable communication of the security capabilities and risk profiles of any particular IoT device is a great first start to addressing cyber security for no-code/low-code deployments. To make this even more useful though, a third-party cyber security certification can add trust and integrity to the attestations made by an IoT vendor. A digitally signed third-party certification can reduce the need for business users to perform their own security assessment of products being considered for use in their systems.
There is no existing standard for security certification of most IoT device types. Organizations such as the European Union Agency for Cybersecurity (ENISA) and the Internet of Things Security Foundation (IoTSF) have been working towards an approach to device certification; however, these certification schemes are not yet available. In the absence of government-mandated certification frameworks, third-party schemes such as CertIoT can provide a good measuring tool for business users to understand the security state of products. From an automation perspective, digitally signed certification results can be signaled in-line to automated security management protocols to inform risk calculations.
The PASC protocol mentioned above is currently being defined to support these automated risk calculations. The results of a PASC risk calculation can be used to automatically configure the security properties of not only the embedded devices but also the surrounding infrastructure. Imagine a deployed security infrastructure being locked down more extensively to compensate for a non-certified IoT device vs a certified device.
PASC takes inputs from organizational security policies, device manufacturer usage descriptions (MUD), threat intelligence sources, and other sources to automatically calculate a risk score for new and existing IoT products. The optimal security configuration for the device and its environment is then determined based on that risk calculation. One can envision how powerful this approach would be if integrated directly into a no-code deployment platform to automatically deploy an accompanying security architecture with the IoT solution deployment.
A second protocol being defined by the same IETF working group is the Protocol for Automated Vulnerability Assessment (PAVA). PAVA is tightly associated with PASC, charged with performing continuous vulnerability assessments of IoT deployments and monitoring for changes that might impact the risk calculation of the deployment. PAVA provides a messaging framework but relies on commercial tools to capture this data, which is reported back to the PASC configuration component to maintain a continuous feedback loop. Tools such as VDOO Vision can be used today to effectively scan and identify weaknesses in deployments. Figure 1 below describes an envisioned relationship between these automation-enabling capabilities.
Figure 1: Simple no-code deployment platform security features must enable policy-driven updates to IoT system security infrastructure (SOURCE: VDOO)
PAVA and PASC are two approaches that can begin to enable click-to-deploy security configurations for IoT solutions. The concept of PASC helps to move the risk analysis process to the business user. This is useful since the business user is aware of the context of the threats that will be faced by the deployment. Both IoT device and platform vendors should begin reviewing requirements for enabling these features in their solutions, ensuring that business users trigger these processes whenever a new IoT product is added to the infrastructure. Tools such as PASC and PAVA can support automated configuration of security policies based on the known risk metrics of the IoT devices in the system. At the same time, device vendors should consider obtaining third-party IoT security certifications that can communicate to prospective buyers that a specified amount of security rigor was achieved by the device.
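A sketch of the kind of policy-driven risk calculation and scan feedback loop described above, added here as an illustration; it is not code from PASC, PAVA or any platform, and the field names, weights, tier names and thresholds are all assumptions.

```python
from dataclasses import dataclass, replace

# Field names, weights and thresholds are illustrative assumptions,
# not values defined by PASC, PAVA or any platform.
@dataclass(frozen=True)
class Device:
    name: str
    certified: bool        # signed third-party certification, verified upstream
    mud_endpoints: tuple   # destinations declared in the vendor MUD file; () = no MUD
    open_vulns: int        # open findings from threat intel or a scanner
    sensitive_data: bool   # deployment context supplied by the business user

POLICY = {"max_risk": 80, "tiers": ((25, "standard"), (60, "restricted"))}
RESCAN_HOURS = {"standard": 168, "restricted": 24, "isolated": 6}

def risk_score(d):
    score = 0 if d.certified else 30        # no independent attestation
    score += 0 if d.mud_endpoints else 25   # undeclared network behaviour
    score += min(d.open_vulns * 10, 30)     # capped so one input cannot dominate
    score += 15 if d.sensitive_data else 0
    return score

def security_config(d, policy=POLICY):
    """Map the risk score to a configuration for the device's environment."""
    score = risk_score(d)
    if score > policy["max_risk"]:
        # Organizational policy refuses the deployment outright.
        return {"device": d.name, "score": score, "deploy": False}
    tier = next((n for limit, n in policy["tiers"] if score <= limit), "isolated")
    return {
        "device": d.name, "score": score, "deploy": True, "tier": tier,
        # Default-deny egress: only MUD-declared destinations are allowed,
        # so a device without a MUD file gets no egress at all.
        "egress_allow": sorted(d.mud_endpoints),
        "inspect_traffic": tier != "standard",
        "rescan_hours": RESCAN_HOURS[tier],
    }

def on_scan_result(d, open_vulns, policy=POLICY):
    """Feedback loop: a new scan result triggers a recalculation."""
    return security_config(replace(d, open_vulns=open_vulns), policy)

if __name__ == "__main__":
    # Constructed sample devices.
    cam = Device("camera-a", True, ("telemetry.example.com:8883",), 0, False)
    twin = replace(cam, name="camera-b", certified=False, open_vulns=1)
    for dev in (cam, twin):
        print(security_config(dev))
    print(on_scan_result(cam, 3))
```

The uncertified twin of the same camera lands in a tighter tier with traffic inspection and more frequent rescans, and a later scan result can move an already deployed device into that tier.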
Automating the Bootstrap Process
Cyber security for no-code/low-code IoT deployments requires that devices be securely connected to networks in the first place. This bootstrap process can also be aided by automation. For example, the zero-touch secure provisioning model enabled by partnerships between chip developers and cloud service providers (CSPs) allows chip manufacturers to register lists of Electronic Serial Numbers (ESNs) with a CSP. Device ESNs are unique and stored along with required trust anchors in device read-only memory (ROM) or within cryptographic co-processors. Since the list of ESNs is registered with the chosen CSP, device bootstrapping can occur automatically and securely in bulk based on the trusted relationship enabled by the anchors stored in ROM. One of the first implementations of zero-touch provisioning was enabled by a partnership between Microchip and AWS.
Automation for a secure IoT
The zero-touch and automation tools described here can be used to help business users rapidly deploy secure IoT systems using no-code and low-code tools. Ideally, platform providers will integrate these approaches directly into their platforms to make security as close to one-click as possible in the hopes of keeping up with the rapid expansion of IoT solutions directly by business users.
Brian Russell is a Security Advisor for VDOO and Chair of the Cloud Security Alliance (CSA) Internet of Things (IoT) Working Group. He is also a Chief Engineer for Cyber Security Solutions at Leidos – a Fortune 500 Government Contractor where he has led Research and Development (R&D) for secure cloud systems, autonomous vehicles, permissioned blockchain networks, and cryptographic key management systems. Brian is an adjunct professor with the University of San Diego (USD) in the graduate Cyber Security Operations and Leadership Program and co-author of the book Practical Internet of Things Security. He is also a SANS Analyst.