The Internet of Things (IoT) has long been a game of rush-to-market, with production speed trumping security in the stampede. Now, with a swarm of devices – often under-defended – the RSA show floor is rife with vendors aiming to help secure it all.
Securing millions of non-standard devices as disparate as home thermometers, smart TVs and cars is no trivial task. It is somewhat simpler if they have simple stripped down embedded processors, but often they contain full-fledged and powerful network-connected operating systems, with all the security problems those present.
In years past, it was non-obvious whether vendors were attempting to create security solutions without a corresponding real world threat. But as we see Android-related malware numbers steadily climb, it is no longer rare to spot scams, or worse, on the platform. Additionally, as the importance and placement of IoT devices in more critical applications increases (think: "cars"), keeping rogue processes contained – regardless of their origin – seems wise.
One approach is to make each operating process mutually suspicious, containerized and separate from each other. But development is slower than just bolting on a standard OS like Android and shipping the product.
The good news is that Android security vendors here are implementing increasingly secure environments, but the rate of adoption is still far outpaced by the number of new devices hitting the market with unknown and unproven security chops.
Back to the mutually suspicious, or trusted computing platforms. While more difficult to develop against, they are typically far more resistant to attack. This has garnered the attention specifically of the automotive, government, and critical infrastructure market segments.
Luckily, companies like Lynx Software Technologies have been at it for some time now, and offer unique ways to approach the problem, with everything isolated – cores, memory, application, system and other resources – to form a very breach-resistant constellation of digital barriers that would curb the spread of nasty things. This sort of “paranoia” is most welcome in applications like avionics or medical devices, where no one wants to see “bad things” happen. Prevention is better than detection.
Also, the network security folks have focused squarely on defending against rogue threats found on networks you might not think to look at, like CAN bus on automotive, or even ICS-related protocols like Modbus, which have been lightly defended (if at all) for decades. Whether in the hands-on labs where you can dive into specific IoT applications here at RSA, or more widely in the security community, IoT is in full focus.
As the importance and popularity of IoT continues to escalate and people place more valuable information thereupon, scammers — and more hardened cybercriminals — will continue to look for new ways of attacking and compromising the swarm of devices which now surround us. And as that happens, RSA will continue to teem with IoT security defenses.