This post was previously published on Network World.
Individual, small pieces can give us a strong IoT security fabric
The Internet of Things (IoT) presents a security threat. A key point of my last article is that manufacturers do not have the right incentives. But all is not lost. With a little ingenuity, we can make a quilt of independent pieces that can nevertheless turn out to offer good security coverage.
The term “patchwork quilt” is often used pejoratively to describe something that is made up of an assortment of other parts. Yet it is worth remembering that a well-made quilt is still functional, durable and beautiful. And quilts are often made collaboratively in quilting bees. We need this sort of approach to network security.
Part of the reason that IoT devices represent such a security threat is because we do not treat all networks as though they’re part of the global Internet. When consumer internet access first took off, each computer was effectively part of the ISP’s network, directly connected via modem. By contrast, in homes and small businesses today, there is a small network with multiple devices. But because of the historical service model, those small networks do not operate as though they are part of a network of networks.
In most corporate and service-provision networks, only some systems have access to the Internet. You do not want your company’s personnel database computer sending traffic to a random computer somewhere in the world. Indeed, if you discover such a traffic pattern, it is a good sign there is a problem. Professional network managers look after these networks to ensure traffic flows where it should, and nowhere else.
Home networks are different because they are mostly unmanaged. Most of us just want to be able to use the network and do not want to spend a lot of time maintaining it. That means the facilities of these small networks need to be managed automatically.
We have been in a similar position before. When residential broadband first took off, the gateways had terrible security. Attackers often had no problem taking control, rather like in today’s IoT devices. This problem is not completely solved, but it is far less acute than it used to be because ISPs had an interest in fixing the problem. ISPs started bundling wireless gateways and other similar functionality into the customer premises equipment (CPEs) for their customers. The gateways that people get from their ISPs today are often carefully configured to improve security. ISPs insisted on those improvements as part of their contract to buy the equipment.
A similar thing could happen with IoT. Suppose IoT devices could advertise their capabilities and what traffic they expected to send, using something like the Manufacturer Usage Description Framework. A gateway in the network would be able to tell what sort of traffic could be expected from the device—and could block other kinds of traffic, thereby preventing devices from becoming part of an attack. A device that the gateway did not know would not be able to talk to the rest of the Internet, just like a company’s database server for personnel records.
Devices that do not offer this facility would appear “broken,” and consumers would quickly learn to buy only devices that worked as expected. Vendors would realize they need to make devices that work this way or face customer support costs, dissatisfaction and returns. ISPs could include the functionality in the gateways they ship to customers, since most gateways already include a firewall function anyway.
The challenge of IoT security regulations
Some will argue that there are too many players involved and that it will take too long to get the incentives lined up—that regulation is the only choice. But regulation also takes time, and on the Internet, the regulatory regime will need to include almost every country or else it is unlikely to be effective. It is hard to believe that getting all the governments in the world to cooperate would be easier than using commercial pressure.
A quiltmaker takes many small components and stitches them together into a greater whole that is much more useful than the small scraps of fabric that make it up. By treating small, unmanaged networks as first-class participants in the network of networks, we can reduce the threats that come from millions of mostly unmanaged devices that the IoT provides. Yet we can get the benefits that come from automating our world by connecting more devices to the Internet. By taking lessons from quilters, we can be sure we build better networks.