[Editors Note: See FreshThinking ]
This post is based on work underway at the IoTForum ( www.IoTForIndia.org) . The position advocated is not yet a accepted position of the IoT Security Task Force. The policy approach is radically different from current expert advise and probably needs a much wider airing and discussion. Please share this widely and add your opinions and views to a very important issue that needs a pragmatic and workable response not a politically correct but failed policy.
Abstract
Securing IoT should not be about billions of end nodes. Cities are more secure because the roads, alleys are patrolled and CCTV etc help in forensics. CyberCity should focus more on securing the public networks with a cyber CCTV rather then asking each house to be built like a Fort Knox.
Criminals are getting away scot-free
The recent WannaCry ransom ware episode reinforces the issue that we are losing the battle and maybe have the wrong approach to handling IoT Security. Despite all the chest beating and talk of imposing product quality liability driven requirements on millions of low cost IoT devices ( FTC in USA advisory) the simple fact is this is absolutely the wrong way to approach pervasive criminal attacks. Wannacry perpetrators were content with a mere 300USD? Is this not mass theft or robbery and should consumers suffer this ?
The Emperor is naked: Cyberspace need to learn from Physical world
There a many standards organization with specific advice around IoT. There is a group think and all focus on securing end devices, crypto of high strength and frequent updates for vulnerability ( Desktop OS model). This approach is not working even for well-funded and well-resourced sites like banks , E-tailers and the Military . See some of the largest breaches in this excellent interactive infographic https://goo.gl/0xA0Cx . It is time we realize the shiny new standard which everyone is touting is the emperor with no clothes. It does not protect….
Imagine a city of 7 million homes. One day we wake up to learn that criminals can cut thru 6 inch cement walls like butter and can enter homes and take stuff away in 10 minutes while you went to the Starbucks at the corner. You no longer have the luxury of knowing that it will take criminals better part of a day and high probability of being alerted. Now you are given expert advice to upgrade or patch your home to 12 inch walls. Imagine if 7 million homes have to upgrade in a ziffy. There may be a logjam in cement supply, trucks and construction workers tearing down millions of homes and rebuilding homes. ( Imagine the contention in low bandwidth last mi
le of IOT networks updating billions of devices for the latest patch…have fun?) .
Some smart-alec folks will want to sue architects and developers for building poor quality houses and for not providing ability to patch the walls to the current recommended strength.
That is the group think . We think of enterprise IT Data centres ( the Fort Knoxes ) and want to convert every house in a city to a Fort Knox. To add insult to injury despite high cost and skill for digital Fort Knox they don’t stop the criminals. Ask JP Morgan, Yahoo, and the ex head of CIA .
If criminals are not given chase, are not punished it is an asymmetric war. The criminals can try thousands of times and even a mere 1% success will wreak havoc. Faced with general breakdown of law and order successful policing adopts a different way. Most stress is placed on policing the roads and alleys and fixing the broken glass. Chasing criminals and imposing costs even for small infractions goes a great way to make the community safer.
The broken windows theory is a criminological theory of the norm-setting and signaling effect of urban disorder and vandalism on additional crime and anti-social behavior. The theory states that maintaining and monitoring urban environments to prevent small crimes such as vandalism, public drinking, and toll-jumping helps to create an atmosphere of order and lawfulness, thereby preventing more serious crimes from happening
https://en.wikipedia.org/wiki/Broken_windows_theory
Is CCTV in cyberspace not an option? Should not crime be less profitable and cost be higher. Are car or house manufacturers liable for selling products which are not Fort Knox’s?
IoT hacks are life threatening
We propose an alternative which can supplement the current approaches. Our approach is more suitable for IoT as hacks of IoT devices can be life threatening. A overheated geyser or a industrial valve or a connected car can cause death if deliberately interfered with. It is not just about some money and reputations
Mass attacks need open surveillance
The reason large scale thievery or robbery does not happen so easily in physical world is because more pervasive and open surveillance. If a stranger tries to scale the walls of my garden it is likely some neighbour may see and call me. Similarly, if robbers try to cart away truck loads of stuff from an office at night it is likely to be noticed by many folks and an alarm raised. It is not just the owner of the asset who is doing surveillance but society at large. Same concepts apply to other crimes like rape, mugging etc. The victim is not the only person involved in stopping or catching criminals . others also have a role.
So in IOT the network must be patrolled and secured. The patrolling should be by police and community watch. The houses need much less care and can be less expensive then Fort Knox. This requires network level logging , audit and event detection and correlation –a veritable cyber CCTV at all nooks and corners.
Physical security as a model for Cyberspace
High security facility like a nuclear plant or Parliament building do not allow open access. You may not be able to drive in a van with dark windshield towards these areas. You are likely to be pulled over by the police. Similarly in countries like Singapore you may not be able to assemble in large numbers and the police may take preventive steps to break a mob. Similarly for the IoT network we should prioritize Safety and security over anonymous user and privacy rights.
In the physical world we can see a continuum from private to public places. So a retail mall is a semi public space and a multi tenanted office complex or gated community is a semi private space. Semi semi-public places like a Wimbledon event or a concert may not allow free unrestricted access. Frisking, identification and tactics to keep cars and suitcases far away are deployed.
Proposal: Segment the net into semi private, semi public secure space
Imagine a part of the internet that is deemed to be a high security place. In IPV4 that can be Class E networks with IP addresses like 250.0.0.0 . In IPV6 we may reserve a top level segment per major country as a secure semi public net say FF64 to FFFF . This is a semi private space like a industrial township, a gated community and does not allow unrestricted in or out traffic.
This may mean one or more of the following
1 Surveillance of IoT networks(250.X.X.X) even outside the enterprise by community and police. Thus ISP and nominated community nodes are mandated to log and traffic and routinely inspect for suspicious behaviour. The logs can be cross correlated and function like CCTV in cyberspace.
2 Preventive actions for excessive activity or suspicious activity. Restrictive approach of private spaces rather than permissive policies of public spaces. Anonymous users, connections from or too all over the world or untrusted ISP are walled out . DDOS attacks are cut off much before any real swarm can start. Deception websites for high security and Honeypot should be standard practise . More attention to outgoing traffic. Malware that takes over a device should be prevented from talking to “strange” websites.
3 Community based surveillance or neighbourhood watch. This goes beyond the inside of a private space and extends to the semi public IoT network as a whole.
4 Right to self defence . Technical ability and legal basis to pursue potential suspicious behaviour or attacker by pooling resources and intelligence. The standard of reasonable evidence to take offensive steps should be much lower for secure IoT networks. Prevention is better then cure.
5 We favour nation state based segmented IoT network as criminal prosecution is simpler in such cases. The nation segment of the IoTnetwork should not allow access from ISP not providing the secure guarantee and states not supporting legal action against attacker. The protocol for taking action can be simpler and have teeth in terms of speed and conviction since the network can be instrumented at all routers and endpoints to provide a military level of assurance. Thus if a service provider in state A wants to service a customer IOT assets in state B the two states must have ISP who adhere to a higher security protocol and states agree to swift and decisive action against suspected criminal activity.
