Internet of Things. One can’t help but imagine the discussion where such an awkward moniker emerged as the winning entry: Internet of Devices? (Too specific.) Internet of Systems? (Too general.) Internet of Embedded Components? (No way.) The logic of this progression led to the wildcard compromise: Things. And such a naming challenge is a useful hint that identifying security solutions for IoT is similarly difficult.
The first cyber protection instinct might be to transpose PC security solutions to IoT devices and systems. But many IoT devices are constrained in their memory and power footprint, which makes heavy endpoint software impractical. An additional instinct might be to create IoT perimeters, but many of the applicable devices and systems reside in environments that do not lend themselves well to virtual or even physical perimeters.
Instead, what is needed are cyber protections that fit the unique characteristics of emerging IoT systems: Embedded. Accessible. Constrained in terms of computing and power. And they must also recognize that IoT ecosystems and infrastructure can have high consequence in the event of an attack. Many IoT systems in industrial settings, if compromised, could lead to serious loss of safety or even life.
Enter Mocana – offering its comprehensive suite of practical cyber solutions to this growing IoT security challenge. We recently connected with Bill Diotte, CEO of Mocana, to ask him about this important trend toward improved protections, reduced risk, and embedded security solutions for the plethora of IoT devices, systems, and infrastructure emerging across the world today. Here is a synopsis of our conversation:
EA: Is it correct to view IoT security as different from traditional PC endpoint security?
BD: Yes, IoT security follows a different process than PC endpoint security. IT systems rely on endpoint security and virus protection software complemented by layered network defenses. These approaches are not as effective in protecting IoT devices because the embedded devices may not sit within a firewall and cannot support a heavyweight software implementation. Rather, IoT devices themselves must rely on strong authentication, encryption, and cryptographic controls to ensure the devices are trustworthy and tamper-resistant.
EA: What is unique about security for IoT devices and systems?
BD: One thing that is unique about IoT devices is that they are typically deployed in environments that are not easy to secure. In IT, the key servers may be located in a data center or within a physically protected room or cabinet. In IoT, the devices are deployed in areas that have poor physical security, making the devices easy to physically compromise. For example, wireless access points, home set-top boxes, and home surveillance systems can all be physically attacked easily. If the embedded systems aren’t tamper-resistant, a sophisticated hacker could compromise the device and steal data or take control.
EA: How does the Mocana platform work?
BD: Mocana provides a system of cyber security that is comprised of Mocana TrustPoint™, an IoT endpoint security software, and Mocana TrustCenter™, a services platform to manage the IoT device security lifecycle. The Mocana TrustPoint and TrustCenter work together to ensure supply chain integrity and simplify and secure IoT security management. They were designed to provide complementary support for teams concerned with growing IoT security risk, and they specifically fit with the unique footprint of modern IoT devices and systems. This includes support for scalable enrollment and on-boarding of devices, which is a huge issue in IoT. It also requires support for activation of devices in the field. And as you would imagine, this requires support for over-the-air (OTA) updates and management, given the unique deployment footprint for many IoT devices and systems.
EA: Are threats to IoT different than other aspects of computing?
BD: Yes, IoT cyber threats are different than threats to enterprise and computing systems. Typically, hackers targeting enterprise systems are trying to steal private data, such as passwords, emails, intellectual property or credit card data. In the IoT world, however, the most capable hackers want to take control of systems that compromise safety, production uptime or the environment. The consequences of successfully hacking into an IoT device may cause more physical harm than an average computer system. As a result, the risk to these systems is enormous, and begs the need for advanced cyber security protections.
EA: What are some trends you’re seeing in your customer base?
BD: Our customers are being driven by the business advantages that IoT provides, such as improved performance visibility, lower maintenance, and reduced support costs. At the same time, they are concerned about the rise in cyber attacks. Finally, they are concerned about compliance with industry cybersecurity standards such as IEC 62443, NIST US 800-53 and NERC CIP 003.