EDNE DEC 2014

edn. comment

Security in the IoT era

Are you weary of hearing about the Internet of Things? If so, I fear I have bad news; it’s not going to ease up any time soon. If 2014 has been the year in which the IoT emerged as a major topic, then 2015 will see yet more frenetic activity as vendors at all stages in the product pipeline seek to establish their presence, and to carve out a foothold in whatever market eventually emerges. I could say: if it’s becoming tiresome from where you sit, you should see the inbox at edn-editor@eetimes.be – but that would be quite rightly dismissed as special pleading.

There is a fairly well-understood curve associated with such phenomena: the anticipation of a lucrative market drives an initial phase of over-enthusiastic promotion; after a time, some sense of reality emerges about what types of products will actually work in the market; some first-generation products fall by the wayside, some begin the long ascent to volume, to market share and to profitability. Right now, we’re firmly in phase one.

There are some general areas in which a consensus is emerging, however. There will be very large numbers of connected things; this has become a statement of the obvious. Some will seek to exploit their connectedness by acquiring, consolidating and ‘mining’ data culled from activity across many nodes. This we can class as the “it’s all about big-data” faction. For other devices the convenience of connection is an end in itself – “we could have built our own links but communicating over the Internet has become the default, so we’ll use that.” Or in other words, “it’s not about big data.” There’s a third sub-division, possibly the most interesting: “it’s not all about big data.” With the emphasis on “all”.

One area in which there is general agreement is that security is key; over and over again we are told, “if we can’t get the security right, the IoT is not going to happen.” At the higher end of IoT system complexity, there will be data streams of great intrinsic value that will have to be protected; but with universal connectivity, every connected device is a potential portal, not only at its own level, but to every system that accesses it, and that uses data abstracted from it. Security means not only protecting a device’s intrinsic function, but preventing it being misappropriated to gain access elsewhere.

It is well understood that there is no such thing as absolute security. At one level, the guideline applies that if you make the cost of breaking your security much greater than the benefit that will accrue to anyone who does so, that will be sufficient. The IoT will offer targets to the potential hacker that in terms of technical challenge and peer-group prestige will render that rule-of-thumb irrelevant.

You may, or may not, consider the self-driving car as an IoT device. It will have to communicate with others like itself, and with infrastructure; and it will be Internet-connected. To that extent it qualifies, and it is also a handy high-profile example of a target that would be irresistible to hackers. So it was that in recent weeks, and at more or less the same time, we had Elon Musk (of Tesla electric cars) telling us that the self-driving car was only five or six years away, and a report from the UK’s Institution of Engineering and Technology opining that the same prospect might be many more years away, exactly because of the security threat.

At the component level, every technology that has ever been applied to ensuring security is being offered as a route to building-in safe operation to IoT devices from the outset.
Encryption and authentication engines that until recently would have required a PCB to themselves are now a basic requirement on the lowliest microcontroller offered as an IoT-capable part. And it scales upwards from that point.

As I noted above, I hear presentation after presentation that declares, “If we don’t get security right, then; no IoT bonanza.” The subtext is, of course, “...but we have the tools, the products and the concepts to ensure that it will all be OK.” Which prompts me to ask of those doing the presentations: what if the technology at our disposal is not, in fact, up to the task? If we can’t make the IoT both intrinsically reliable (robust against internal failure) and proof against intrusion? Most answers take the general form, “It will be OK, we can do this.” With, possibly, some nervous shuffling of feet and crossing of fingers behind backs.

I received a more considered response from Freescale’s Tim Summers; he is primarily a network and datacomms guru, as well as speaking for a company that is offering silicon at every level for the expected IoT tsunami. He too, let me make it clear, thinks it (security) can be done, that the technology resources that are, and will be, at our disposal will guard our interests. But he offers this further thought: “As a society, we have already made that choice; we all carry for example bank cards knowing that there is a certain failure rate of the systems that support them.” We know, he argues, that the technology is imperfect but we choose to use it nevertheless, for the convenience and benefits it brings. And our approach to IoT devices will be no different.

I appreciate the candour of the answer; but when you set it against the scale and pervasiveness of the systems we are proposing to construct in the name of the Internet of Things, I’m not sure I’m greatly reassured. What do you think?

EDN Europe | DECEMBER 2014 www.edn-europe.com

