Take a moment and try to mentally picture every insect on the planet. Go ahead – really take a moment, close your eyes, and get a vivid image of just how many bugs there are. Have it? Good. Now connect them all to the internet. That’s basically what we’re talking about. Maybe not quite insects-of-the-earth numbers (that’s over 10 quintillion, by the way), but Internet of Things (IoT) devices are predicted to pass the 20 billion mark by 2020. Now that I set you up with a number in the quintillions, 20 billion doesn’t seem so bad, does it?
If we were to split IoT devices into 3 tiers, the highest would consist of well-protected devices, like laptops, that are complex machines with plenty of security software. The middle tier would be made of occasional-use, moderate-complexity devices like thermostats, TVs, and refrigerators. Then we have the lowest tier. These devices include HVAC, badges, implantables, and electronic locks. None of these tiers seems to be a problem by itself, but when you connect such disparate technologies to one network, there’s no way to provide a one-size-fits-all solution to security.
Consider how hard it is for many companies to keep their own IT infrastructure secure – now make that network 100 or 1,000 (or 10 quintillion, if you’re looking for a thought exercise) times bigger. Now make it formed almost entirely of devices those companies may never see. Now make all those devices collect critical or personal data, and split them into 3 tiers of differing complexity. Tough, right? And for many, security is an afterthought – let’s take a moment to get you nice and paranoid.
IoT Security Risks
All I have to do is think about Shodan for a minute and there I am – paranoid. If you don’t know, Shodan is an IoT search engine that, among other things, lets users access vulnerable webcams. You can find feeds from ski slopes, baby cams, cash register security cameras, and marijuana plantations. Thinking about it is enough for me to put a post-it right over my laptop’s webcam. At this point it’s probably not a shock for me to claim that the biggest immediate risk has to do with privacy.
But for businesses the risks are a bit less personal – each new IoT device is a potential conduit leading right into their networks, and hackers will look to exploit the access, potentially even taking control of physical systems, where they could do real, tangible damage. But these businesses aren’t currently allocating budget for IoT security, so security vendors are struggling to provide IoT security features with the limited resources they have.
Maybe the biggest issue is that, while vendors of laptops, tablets, and phones see those high-tier devices as having a life cycle, they don’t see low-tier devices the same way. These companies invest resources in creating and shipping updates for high-tier devices that add functionality and resolve security issues, but low-tier devices are sold and forgotten. This lack of consideration for the life cycle of low-tier devices means they’re shipped without the same security expectations. These low-tier, end devices need to be secured in the manufacturing stage, or by the consumer, if there’s any hope of rebuffing security attacks.
So how can software-defined networking (SDN) help manage IoT security? In some ways, unfortunately, it can’t, at least at the device level. But even if end devices are a hot mess of no-security access points, SDN can help control the network itself, and the segmentation it provides can mitigate invasive forays into the network. IoT security is taking a cloud-based approach, which means that SDN can also help route, optimize, and automate security services.
SDN Visibility, Adaptability, and Programmability
I’m tempted to do another visualization exercise – imagine you’re outside and snow begins to fall. It’s one of those humid, barely-over-freezing evenings, so each snowflake is big and falling slowly. Each snowflake, at this stage, is countable, even as the number of flakes falling simultaneously begins to increase. Eventually, though, as the night gets colder, the flakes get smaller. Add to this the blizzard that’s ramping up and, pretty soon, it’s impossible to count the number of snowflakes in the air at one moment, and new flakes are being formed all the time. In order to accurately visualize the environment, you’d need automated assistance, which is exactly what SDN provides. It can note devices as they’re added to the network, and you can program the network to react differently depending on the nature of the device, its potential for maliciousness, and the resources it requires.
SDN allows you to provision and deprovision the network automatically, so it’s not a stretch to program the network to look out for suspicious activity and divert it to a honeynet until it’s cleared for access. There aren’t enough resources to protect the entire network at one time, so we’ll have to find ways to automate adaptive responses to the increasingly complex network. As artificial intelligence and machine learning improve how they handle massive loads of data, and the responses to such data, this strategy will be more viable, but right now our best bet is a kind of nesting-doll approach to IoT security. What I mean by that is, instead of having one firewall at the edge of the network, we can use SDN to create a series of firewalls at different network distances in order to respond to various attacks.
The point is that by virtualizing network components and services, you can program automatic, adaptive responses to network devices, rerouting traffic and applying access rules. This should help secure data delivery, even from end devices. You can segregate network paths where a security breach is detected and investigate it from a centralized point, seriously reducing the amount of time and effort needed to look at each potential security issue.
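To make the nesting-doll segmentation and honeynet diversion described above concrete, here is an added example (not from the original article, and not a real controller API) that models a controller's priority-ordered flow table in plain Python. The zone names, the tier-to-zone depths, the rule priorities and the device addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass

ZONES = ["edge", "iot", "corp", "data"]          # assumed nested zones, outermost first
TIER_DEPTH = {"low": 1, "middle": 2, "high": 3}  # assumed deepest zone index per tier

@dataclass(frozen=True)
class Rule:
    priority: int
    src: str        # device address, or "*" for any
    dst_zone: str   # zone name, or "*" for any
    action: str     # "forward", "drop" or "honeynet"

class Controller:
    def __init__(self):
        # Lowest-priority catch-all: anything not explicitly allowed is dropped.
        self.table = [Rule(0, "*", "*", "drop")]

    def on_join(self, mac, tier):
        """Provision allow rules for a new device; unknown tiers get least trust."""
        depth = TIER_DEPTH.get(tier, TIER_DEPTH["low"])
        for zone in ZONES[: depth + 1]:
            self.table.append(Rule(10, mac, zone, "forward"))

    def on_alert(self, mac):
        """Divert all traffic from a suspicious device; outranks its allow rules."""
        self.table.append(Rule(100, mac, "*", "honeynet"))

    def clear(self, mac):
        """Device cleared after investigation: remove only the diversion rule."""
        self.table = [r for r in self.table
                      if not (r.src == mac and r.action == "honeynet")]

    def lookup(self, mac, dst_zone):
        """Action of the highest-priority rule matching this flow."""
        hits = [r for r in self.table
                if r.src in (mac, "*") and r.dst_zone in (dst_zone, "*")]
        return max(hits, key=lambda r: r.priority).action

def demo():
    c = Controller()
    c.on_join("aa:aa", "high")   # constructed laptop
    c.on_join("bb:bb", "low")    # constructed door lock
    before = (c.lookup("bb:bb", "iot"), c.lookup("bb:bb", "data"))
    c.on_alert("bb:bb")
    during = c.lookup("bb:bb", "iot")
    c.clear("bb:bb")
    after = c.lookup("bb:bb", "iot")
    return before, during, after, c.lookup("aa:aa", "data"), c.lookup("cc:cc", "edge")
```

Because the diversion is a single higher-priority rule, clearing the device restores its original segment access without reprovisioning anything, and a device the controller has never seen falls through to the default drop.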
SDN is hardly an elixir for IoT security, but it is a helping hand. It won’t block access to the many under-secured end devices out there (and on the way), but it can prevent those access points from being highways into potentially more dangerous information. Again, there isn’t any one-stop cure-all for IoT security, but there are steps we can take to mitigate the risks that come from the extreme proliferation of IoT devices, and SDN is the key to managing it.