If you would like to read the other parts in this article series please go to:
- IoT: the Threats Keep on Coming (Part 1)
- IoT: the Threats Keep on Coming (Part 2)
- IoT: the Threats Keep on Coming (Part 3)
Introduction
In Part 1 of this series, we discussed why the Internet of Things presents such a security challenge as it grows and evolves to include so many of the formerly “dumb” but now increasingly “smart” devices, machines and appliances that litter the landscape of our lives. In Part 2, we took a look at some examples of some of the specific vulnerabilities that plague IoT and explored some possible ways to mitigate the threats that so many people don’t even realize exist. In Part 3, we talked about many of the specific security measures that are applicable and how they can be combined in a multi-layered approach that will take some of the vulnerability “bite” out of IoT.
Now here, in Part 4, we’ll dig a little deeper into that and look at some particular examples.
Can we do it right this time?
When the Internet of mostly government and academic computers first came into being, security was barely even given a second thought. The focus was on connectivity – getting systems to talk to each other across the globe was a big challenge and accomplishing that was an exciting achievement. Besides, these were educators and government personnel; they were trustworthy, right?
Then the next wave came along: the commercialization of the Internet. As businesses rushed to get online in this brand new marketplace, their primary concern was reaching existing and potential customers. The issues of safety and security weren’t at the forefront. As for the individuals who were flocking to Internet Service Providers to take advantage of this fun – and once the initial phase passed and ISPs flourished, cheap in comparison to many other methods – new communications mechanism, most didn’t even know there were security issues. Thus today’s Internet just sort of “grew that way.”
By the time we recognized that criminals could and did take advantage of the technology to further their own agendas, the Internet was already dependent on devices, operating systems, applications and protocols that had not been designed to be secure. Security got tacked on as an afterthought – and such after-the-fact additions could never be as effective as if security had been designed into the components from the beginning.
Fast forward to the current era, where we are in the process of plunging headlong into a new iteration of the Internet: IoT. We had the opportunity to learn from past mistakes and incorporate security by design – but as we’ve seen in previous discussions in earlier installments of this series, in many cases that hasn’t happened.
In Part 3, we provided some general guidelines for making the IoT more secure. Now this time we’ll get more specific.
The embedded devices dilemma
Most of the “things” that connect to the Internet to perform dedicated, limited tasks have not been running the operating systems with which the typical IT professional is acquainted and experienced, and this makes it more of a challenge to configure them securely or to even know whether or not they are secure in the first place. Some common embedded operating systems include MQX, VxWorks, INTEGRITY, QNX, Wombat OS, various minimalist versions of Linux, and others.
This presents an obvious problem when it comes to security. Lack of familiarity isn’t the only problem; lack of standardization also means each OS (and in some cases, each version of the same OS) will need to have its own security applications and they won’t be able to be used across platforms.
Most of the devices running these common embedded operating systems don’t have firewalls and often use simple (and not very secure) authentication methods. They may or may not support encryption; since encrypting and decrypting information and applying other security mechanisms requires more resources and many of the embedded devices are very limited in processor power, memory and storage, device makers opt to put performance above security, hoping that the devices won’t be targeted for attack since they aren’t as commonplace (yet) as PCs and phones. This, however, is basically just a form of security through obscurity and as the IoT booms in the near future, remaining obscure is no longer going to be feasible.
Microsoft is one company that’s trying to provide a solution and position itself at the front of the IoT charge.
“One Windows” and the IoT
One of the embedded operating systems that you might have encountered is Windows Embedded, which includes a whole line of products: Windows Embedded Industry, Windows Embedded Pro, Windows Embedded Standard and Windows Embedded Handheld in Windows 8/8.1, Windows Embedded Compact 2013 and Compact 7, Windows Embedded Automotive 7, and special releases of Windows Server 2012 R2 and SQL Server 2014 that are designed specifically for embedded systems. You can read more about these products here.
Now, with Windows 10, Microsoft has adopted the “One Windows” philosophy that is based on the concept of universal apps and drivers that are capable of running on all Windows 10 based devices from industrial automation systems to point of sale devices. The intent is to make it easy for admins to manage embedded devices with the same management tools – and security solutions – that are used for Windows 10 computers and tablets.
This means devices that are built on Windows 10 can utilize the familiar security technologies such as BitLocker, Device Guard and Secure Boot (and others) to protect the devices themselves and more important, the data that is stored on them, processed by them and/or transferred to and from them. Windows IoT devices integrate with Microsoft Azure IoT services, for a full-featured and secure IoT solution. More about that momentarily.
Of course, this common operating system across devices has many ramifications, both in respect to security and otherwise. Certainly it makes for better interoperability between different device types and simplifies troubleshooting. Some might argue that it actually creates security risks of its own, in that Windows 10 based IoT devices will be vulnerable to the same malware and exploits that work on Windows PCs. However, the counter to that is that security through obscurity is not an effective strategy anyway.
And it’s important to note that while Windows 10 is “one big happy family” of which Windows 10 IoT is a part, the IoT editions are targeted at specific IoT device types. Windows 10 IoT Enterprise can run universal and classic Windows applications, but they also can be protected with the whole gamut of built-in security features and third party security products that run on Windows 10 PCs.
However, many – possibly most – dedicated specialized purpose devices don’t need that full Windows capability. Windows 10 IoT Mobile Enterprise runs mobile apps, but also includes built-in security mechanisms designed specifically for the way mobile devices are used, and supports enterprise grade security baked into the OS, with advanced lockdown capabilities to protect the devices and data even if they are lost or stolen.
Then there is Windows 10 IoT Core edition, which is a minimalized version of the OS that runs on less powerful/less expensive devices that are meant to run just a single line of business application. It runs universal apps and because the code is stripped down, doesn’t contain many of those components that are targeted by attackers who aim to exploit vulnerabilities in Windows PCs. There is also a special edition called Windows 10 IoT Core Pro. The only difference between this and the regular “Core” edition is that with the Pro version, you have more control over the updating process and can defer updates to a more convenient time.
Microsoft is trying to make it easy and cost-effective for device manufacturers to use Windows 10 IoT for their devices. Device makers can get the Core edition free of charge, downloadable on the web along with the Windows 10 IoT Dashboard tool for configuring Windows 10 IoT Core devices. Windows 10 IoT Core is available for Raspberry Pi 2, MinnowBoard Max and DragonBoard 410c.
The Azure IoT Suite that we mentioned earlier helps you to create a remote monitoring system to connect sensors and systems and get real time data from the devices. The dashboard that can be accessed from both PCs and mobile devices lets you view key performance indicators as the information is collected, leveraging the power of Azure cloud services to keep your Internet of Things under control.
The competition
Of course, Microsoft isn’t the only company that’s hoping to get in on the ground floor of the IoT explosion. This past year, Google introduced its Brillo OS, which is an embedded OS for devices that aren’t powerful enough to run Android, and its kit – which contains the OS, core services, the developer kit and developer console – is currently in testing by invitation only. It supports ARM, Intel x86 and MIPS hardware. Google says Brillo’s security limits exposure to attacks and data can be encrypted. If a device is compromised, the update service makes it quick and easy to recover.
Summary
There is much more to be said about the Internet of Things and its security issues and solutions than we’ve been able to touch upon in this four-part article. The IoT is still in its infancy and will be evolving rapidly over the next few years. Security will continue to be a major concern, and most likely will grow in importance as IoT devices proliferate and begin to draw more attention from attackers. It’s likely to be a wild and wooly ride, but for IT security pros, the IoT just might be your key to job security in the coming decade.
If you would like to read the other parts in this article series please go to:
