Think like a hacker for IoT security
November 25, 2014
With so many endpoints in the IoT, security can no longer be an afterthought. This requires a built-in approach to security from the ground up, and ne...
Security more often than not has been an afterthought. What are some of the biggest security concerns that you identify.
I’ve had four Mastercards in the last year because of breaches, twice from two of the bigger ones that have gone on. The ability of people infiltrate and corrupt or steal data that’s being transmitted or stored is a substantial and real thing that’s happening. As more of these devices are connected into the Internet, all of those devices can represent a vulnerability if they’re not somehow secured. And if the administrator of that system has chosen to do nothing, which is often the case, anything that hooks into it can be the source that represents a security risk.
So these devices are just as much of a target as a datacenter?
I believe so, but I don’t think that’s the pervasive thought process in the industry right now. When we go into work with customers that are designing “things,” I think the people that are building devices don’t necessarily think that it’s their responsibility to add security into their device, that whoever is managing that cloud or that information is going to have that protection there. So the deeply embedded devices at the edge are the greatest risk, and security lies with everyone that’s attached to this thing, including the OEM making the device, as well as the end user that’s deploying the device.
Everybody needs to be aware of the compliance requirements that are being enacted, and you’d think when guys like Target are in the news it would be at the front of everyone’s mind, but I don’t think it necessarily is.
What are the methodologies or best practices for designing a thing securely?
It’s economically viable to provide a combination of hardware and software encryption to all IoT endpoints – edge, gateway, and network. At the very least, some type of software encryption should be implemented at all IoT endpoints. Companies like McAfee OEM have tools that are easy to embed into a new design. Dynamic white listing software can detect unauthorized devices, such as USB drives, from connecting to a device.
Every engineer for hardware or applications needs to have security in mind when they’re designing. The standard security software that comes with most operating systems (OSs) is not enough, and can be easily breached by a skilled malware writer. There are lots of tools out there that designers can use to take an extra step as they’re putting these devices together.
I was just at a conference yesterday and one of the speakers was talking about security. He suggested that part of the problem is engineers think like engineers and they should start thinking like hackers when they’re designing, so start thinking about someone might attack your car system, your defibrillator, whatever it is that you’re making.
I think that’s really reasonable, because just in the last couple of years we would always be touting the fastest processor, the best access to memory; everything we ever talked about with engineers they always wanted to know what’s the latest and greatest technology. We saw a move with our customers looking from a user interface (UI) point of view, where they don’t really care what’s behind the box now, so much as they want to understand how users were going to interact with their device. This is just another step, asking what the bad users are going to do with the device.
What does Avnet bring to the table in terms of securing the IoT?
We can offer software security solutions for just about every level of the intelligent systems that make up the IoT. Based on the strengths of our partners our solution architects are trusted advisers that make sure every system we develop or build for our customers are safe and secure, and compliant to the highest standards available. What we’re really pushing in our engineers now is that they need to think about security when you’re advocating products or helping customers put the finishing touches on their design.
When I use the term “trusted advisor,” we don’t take that lightly. On the hardware/software side we have a team of system engineers, and the way we deploy them for solutions is so they do not have to be beholden to a certain supplier. Their job is to understand what works together from a hardware design perspective. We also have business development managers in each of our different areas, and we take the same type of approach to help the customer understand what’s out there from multiple vendors.
Because there is so much involved in an Internet of Things (IoT) architecture, what are the implications on ecosystem development?
Most of the underpinnings of the IoT space are technologies that have been around for a number of years. Avnet’s been a leader in supporting these technologies and companies for decades. What we’re seeing now is our customers looking to connect these devices and to collect data and gain insights to the point that they can add value or user expertise, differentiate their business a little bit, and create new revenue streams. We’re looking to actively expand our partner base to help connect these devices and provide greater value to our OEM customers. We’ve added some interesting suppliers to help do that.
If we look at ourselves, we want to be viewed as a storefront for the IoT. Most of the companies we deal with can bring one critical aspect to it, be it hardware, or software, or something like that. All of these things require many different technologies and things hooking up and ecosystems that support this. We’ve brought on air time providers like Verizon and Sprint, and working closely with our existing partners that are trying to grow in this area like Intel, Microsoft, Wind River, and Red Hat, to name a few. We’ve always provided access to key technologies such as the processors, sensors, and OSs, and now we’re starting to go even farther and provide scalability to our base through server products, cloud services, and things like that.
We’ve got anywhere from teams that sell components to people designing devices and things to our Embedded Group that’s really focused in on the server and data storage and tying that all to our Enterprise Group that’s providing the datacenter and cloud services.