Editor’s note: What are the pitfalls when creating security solutions for Internet of Things devices? What are the vulnerabilities for wearable devices in the workplace? In what way will security for IoT devices change over the next two years? Tim Hahn, IBM Distinguished Engineer, IBM Master Inventor, and Chief Architect Internet of Things Security at IBM, shares these and other insights in this interview. SandHill is a sponsor of the upcoming IoT Evolution Expo where Tim will present on the topic of “Security at the Top.”
Q: In your opinion, what are the biggest design pitfalls for software developers in creating secure IoT “things”?
Tim Hahn: I think the first pitfall is failing to consider security in design and thinking that you can test out all security problems. Not designing for security up-front using threat modeling and other techniques is a pitfall.
The second pitfall is thinking that you’ve covered all your bases up-front in creating the device and you won’t have to do more work later on. Inevitably something will come up after you build the device. And you can’t overlook the maintenance, management and deployment of the device as part of securing the device and the whole IoT environment.
Q: When a company develops a new device for the IoT, where do they most need to focus on security?
Tim Hahn: With respect to security in the Internet of Things, there are makers of “things” and there are operators of “things.” At IBM, we sometimes refer to this as upstream development and downstream deployment of the devices and solutions. In creating the device, application, software and firmware, all those interested parties need to address security.
For makers of things, the focus is on secure development of that device – secure by design, deployment and usage – handling security and privacy of the information and data collected while it’s in the device and when the information and data is communicated. Devices must also take care in validating commands sent to them. It’s also important to support continuous delivery for devices, applications and user interfaces. Companies need to supply and maintain compatible levels of software and firmware for their devices and applications.
I feel that devices will be more and more dominated in their capabilities by the software that runs inside of them, and companies will have to churn out updates to that software as usage of the devices changes and vulnerabilities emerge. The usable life span of devices is much longer than a lot of software. There being software in those devices means that the software/firmware will have to be updated on a regular basis. So continuous delivery for devices comes into play.
The makers will also have to ensure integrity in manufacturing and delivery of those devices. It’s like the experience with flash memory cards; producers had to start looking at their supply chain to make sure that they had integrity in the supply chain and didn’t have vulnerabilities for malicious software coming off their assembly line.
Q: What about the operators of the devices?
Tim Hahn: This, again, turns to a question of hardening and securing the devices as they are deployed into the environment. It’s an extension of what we have seen as good practices in the past and applying those just as you would in a distributed network computing environment. It’s also necessary to set up a means for monitoring, auditing, recording and reacting to problems that occur.
Operators should not think they can predict every problem that will happen and prevent it. Problems will happen. They need to understand that they happened, react and report on the situations, and maintain an up-to-date test and production environment for those devices and update them. Furthermore, due to the enormous numbers of devices and events, operators will need assistance from systems that learn to distinguish exceptional events from normal behavior and take action as appropriate.
Maintenance updates will be a continuous process, not something that the device operator deploys once and then can forget about it. That’s a big difference in the things connected in the Internet of Things world compared to a typical device manufacturing world, where companies can deliver a device and then not worry about the device past the warranty period. In the Internet of Things, security extends far beyond the warranty period and updates need to be pushed to that device, if only to avoid a vulnerability that is detected and discovered after the device is delivered and deployed.
Q: What about wearables in the workplace? Are we at a stage like the beginning of employees bringing mobile devices into the workplace and organizations needing to establish BYOD policies? Do you think that wearables are as big a problem security-wise as mobile devices were, or are we beyond that stage with wearables because of lessons learned with mobile devices?
Tim Hahn: There are two different aspects about wearables. The first aspect is in the data collection. This is more a question of what are the privacy and appropriate uses of the data being collected or that can be correlated with other pieces of information and collected from a wide variety of sources to impact the wearer or entity using the wearable. It turns into a data security and a data privacy question.
The second aspect of wearables has to do with feedback to the user or providing the wearer some information for taking an action based on information supplied to the wearable device. Think of a wearable medical device, for instance. It might be not just a monitor but also might be an Internet-connected medication delivery system. That device can involve life-threatening situations, so it involves a different level of security characteristics such that you need extra levels of protection for fail-safe operation as well as tamper proofing and resilience to an attack of any type.
Wearable devices are an interesting area in and of themselves because, in most cases right now, we think of wearable devices as a personal device and there is a tendency to consider them as “BYOD” devices. But I foresee something of a change in the world, especially in the business world for everybody except knowledge workers. For employees who need to remain focused on their tasks and focus on single-tasking rather than multi-tasking work, I actually expect to see that mobile devices and wearable devices will become dedicated to the work task rather than personal devices being used as a part of the work task.
My expectation is that we’ll still use mobile devices for work. But for those workers who have a task to do and have to remain focused on the task, the mobile and/or wearable device will be a task-assistive device for that task and will be restricted from having Twitter, Facebook, email and other things that would detract from the concentration on that task.
Q: Do you think these task-specific wearables will enter the workplace widespread in two years, or sooner?
Tim Hahn: In some sense, they are already coming into use. If you look at package delivery personnel, for instance, they use mobile devices in a very different way than they used to. A mobile device with a built-in camera can become a bar-code reader instead of the worker needing a separate device for that task. They now use an Android or other device with a business-specific application that performs a function that can be reprogrammed in a much different way to adjust to changes in the company’s processes and practices.
Some task-assistive devices are emerging in the marketplace already. Companies are realizing that by deploying these devices, they can have more productive employees and have better control over how the device is used. With these devices, companies have the same security issues as exist in mobile and distributed computing environments.
Q: Recently companies seem to be placing a bigger focus on security in the IoT than in the past couple of years. Do you think that the security aspects of IoT devices will have improved very much two years from now? In what way will the security solutions evolve?
Tim Hahn: I believe that security of devices across a wide range of industries will improve. What we’ll see is sort of a continuum of device capability that encompasses the level of attention to security, the deployment situation and usage of the device.
At the same time, the phrase ‘you get what you pay for’ applies. There will always be devices that will be seemingly inexpensive that come with a level of engineering and attention to detail and attention to security that will leave them in some sense vulnerable at certain levels. Those will be appropriate for certain applications but not appropriate for other applications.
Consumers have come to expect and have come to know what level of security they can rely on in the devices that they own. I think that mobile devices are probably a good bellwether, as the security built into mobile devices has risen dramatically since the devices were first introduced. And even with that improvement, when applied to certain environments, additional security controls that are paid for or have additional cost added in can further secure the device.
Q: How can IBM help software developers create their products for security and cost-effectiveness?
Tim Hahn: We have a wide range of capabilities and practices that can be applied. We’re really growing from our knowledge in security in developing and securing IT and applying those techniques and capabilities. It’s everything from data security to networking security, the security characteristics available in the IoT Foundation, using a cloud application environment and security characteristics around those things and the ability to develop and deploy changes to code running in distributed devices using a continuous delivery model.
Q: Can they access these services and expertise as point solutions, or is there a platform that incorporates everything?
Tim Hahn: A good place for an IoT device or application developer to start is IBM’s Bluemix environment, which includes DevOps services; the IoT Foundation capabilities are also associated with Bluemix. Also check out a recently published paper on IoT Security.
The IoT Evolution Conference & Expo takes place August 17-20 in Las Vegas. The conference draws an international audience of IoT software companies, large enterprises, SMBs, network service providers, platform providers and device manufacturers.
Tim Hahn is an IBM Distinguished Engineer and has been with IBM since 1990. He is the chief architect for Internet of Things Security within the IBM Analytics organization. He is responsible for strategy, architecture and design for IBM’s IoT offerings, which enable customers to design, build, experiment, run, manage and operate solutions involving diverse sensor data from connected devices. Tim also has experience with connected vehicles and connected products, those devices that formulate the “things” in the Internet of Things.