The world is more and more driven by networked computer systems. They dominate almost all aspects of our lives. These systems are connected to the Internet, resulting in a high threat potential. Marc-Oliver Pahl, chairholder of the cybersecurity chair Cyber CNI at IMT Atlantique, talks about what is at stakes when it comes to IoT security.
What is the importance of securing the Internet of things (IoT)?
Marc-Oliver Pahl: Securing the IoT is one of the, or even the most important challenge I see for computer systems at the moment. The IoT is ubiquitous. Most of us interact with it many times every day – only we are not aware of it as it surrounds us in the background. An example is the water supply system that brings drinking water to our houses. Other examples are the electricity grid, transportation, finance, or health care. The list is long. My examples are critical to our society. They are so-called “critical infrastructures.” If the IoT is not sufficiently protected, critical things can happen, such as water or power outages, or even worse, manipulated processes leading to bacteria in the water, faulty products that cause safety risks such as cars, and many more.
This strong need for security, combined with the fact that IoT devices are often not sufficiently secured, and at the same time connected to the Internet with all its threat potential, illustrates the importance of the subject. The sheer number of devices, with 41.6 billion of connected IoT devices expected by 2025, shows the urgent need for action: the IoT needs the highest security standards possible to protect our society.
Why are IoT networks so vulnerable?
MOP: I want to focus on two aspects here, the “Internet”, and the “Things”. As the name Internet of Things says, IoT devices are often connected to the Internet. This makes them connected to every single user of the Internet, including bad guys. Through the Internet, the bad guys can comfortably attack an IoT system at the other side of the planet without leaving their sofa. If an attacked IoT system is not sufficiently secured, attackers can succeed and compromise the system with potentially severe consequences to security, safety, and privacy.
The term “Thing” implies a broad range of entities and applications. Consequently, IoT systems are heterogeneous. This heterogeneity includes vendors, communication technology, hardware, or software. The IoT is a mash-up of such Things, making the resulting systems complex. Securing the IoT is a big challenge. Together with our partners at the chaire Cyber CNI, in our research we contribute every day to making the IoT more secure. Our upcoming digital PhD school from October 5-9, 2020 is a wonderful opportunity to get more insights.
What would be an example challenge that IoT security needs to address and how could it be addressed?
MOP: Taking the two areas from before, one thing we work on is ensuring that the access to IoT devices over the Internet is strictly limited. This can be done via diverse mechanisms including firewalls for defining and enforcing access policies, and Software Defined Networking for rerouting attackers away from their targets.
Regarding the heterogeneity, we look at how we can enable human operators to see what happens in the ambient IoT systems, how we can support them to express what security properties they want, and how we can build systems “secure-by-design”, so that they enforce the security policies. This is especially challenging as IoT systems are not static.
What makes securing IoT systems so difficult?
MOP: Besides the previously mentioned aspects, connectivity to the Internet and heterogeneity, a third major challenge of the IoT is its dynamicity: IoT systems continuously adapt to their environments. This is part of their job and a reason for their success. From a security-perspective, this dynamicity is a highly demanding challenge. On the one hand, we want to make the systems as restrictive as possible, to protect them as much as possible. On the other hand, we have to give the IoT systems enough room to breathe to fulfill their purpose.
Then, how can you provide security for such continuously changing systems?
MOP: First of all, security-by-design has to be applied properly, resulting in a system that applies all security-mechanisms appropriately, in a non-circumventable way. But this is not enough as we have seen before. The dynamic changes of a system cannot fully be anticipated with security-by-design mechanisms. They require the same dynamics at the defender side.
Therefore, we work on continuous monitoring of IoT systems, automated analysis of the monitoring data, and automated or adaptive defense mechanisms. Artificial Intelligence, or more-precisely Machine Learning can be of great help in this process as it allows the meaningful processing of possibly unexpected data.
More on this topic: What is the industrial internet of things?
If we are talking about AI, does this mean future security systems will be fully autonomous?
MOP: Though algorithms can do much, humans have to be in the loop at some point. This has multiple reasons, including our ability to analyze certain complex situations even better than machines. With the right data and expertise, humans outperform machines. This includes the important aspect of Ethics that is another story but central when building algorithms for autonomous IoT systems.
Another reason for the need of humans in-the-loop is that there is no objective measure for security. By that I mean that the desired security-level for a concrete system has to be defined by humans. Only they know what they want. Afterwards, computer systems can then take-over in what they are best-in, the extremely fast execution of complex tasks: enforcing that the high-level goals given by human operators are implemented in the corresponding IoT systems.
From October 5 to 7, IoT meets security Summer School
“IoT meets Security” is the 3rd edition of the Future IoT PhD school series. It will be 100 % digitalized to comply with current guidelines regarding the covid-19 pandemic. It gives an insight perspective from industry and academia to this hot topic. It will cover a broad range of settings, use cases, applications, techniques, and security philosophies, from humans over Information Technology (IT) to Operational Technology (OT), from research to industry.
- Marc-Oliver Pahl (IMT/TUM) is heading the industrial Chaire for Cybersecurity in Critical Networked Infrastructures (cyber-cni.fr) and the CNRS UMR LAB-STICC/IRIS. Together with his team, he is working on the challenges sketched above.
- Nicolas Montavont (IMT) is heading the IoT research UMR IRISA/OCIF. With his team, he is constantly working on making the IoT more reliable and efficient.