IEEE Talks IoT: George Corser
George Corser is assistant professor of computer science and information systems at Saginaw Valley State University. His Ph.D. dissertation focused on securing location privacy for vehicular applications. In this Q&A, he explores some of the key considerations and challenges for security in a variety of IoT applications, including autonomous ones.
Question: What is autonomous IoT?
Corser: It’s networked devices communicating with one another, with no humans in the loop. One example is a self-driving delivery vehicle that goes all day without a human behind the wheel because it interacts with sensors in smart roads to know where it’s going. Another example is a building that automatically adjusts the lighting and thermostats based on sensors that report how many people are in a room or how much sunlight is coming in.
Those are just two examples. There are easily thousands of existing autonomous IoT applications and probably millions of potential ones.
Question: What are some of autonomous IoT’s inherent challenges?
Corser: When humans aren’t monitoring interactions, there’s increased risk of security breaches. For example, sensors could be automatically collecting information about, say, the load in a particular part of an electrical grid, but it’s up to a human to decide whether and how to act on that information. Take the human out of the loop, and it’s much easier for malware to take charge—possibly causing blackouts or surges.
Even when there are humans in the loop, IoT has a host of unique security considerations. One example is side-channel attacks on fitness trackers worn on the wrist. If the person uses that hand to type a password or PIN on another device, a hacker could use the fitness tracker’s movements to recreate that information.
So regardless of whether a particular IoT application is autonomous or not, it’s critical that everyone involved with that application—the vendors, the service providers, the end users—understands those unique considerations and develops strategies for maximizing security. For example, many IoT applications require low-cost modules to make those applications financially viable. One way to minimize cost is to put just enough memory and processing power in those modules to support that application, with little or nothing left over to support security tools. So strategies and policies that are effective with non-IoT technologies—such as installing anti-malware software on servers or laptops—often aren’t applicable to IoT. These kinds of unique factors require a fundamentally different approach to IoT security and privacy.
Low price points also mean slim profit margins for IoT vendors, making it financially difficult for them to justify developing security patches for devices that are several years old or discontinued. This is a major challenge for IoT applications where modules have to remain in service for a decade or longer, such as sensors and controllers in an electrical utility grid.
Question: What’s needed to address those challenges?
Corser: A set of IoT security best practices that any end user, vendor, or service provider can use to develop security policies and strategies for their unique application will help address challenges. In other words, best practices that are broadly applicable and understandable by more than just IT security gurus are needed.
So far, IoT security best practices have been aimed at individual applications or specific verticals. There’s a real, immediate need for best practices that are applicable to every IoT application, regardless of the industry or whether it’s autonomous. These best practices also need to be in lay terms because IT experts aren’t the only people who have a hands-on role with IoT applications. For example, a supply chain manager or a building facility manager could use those best practices to ensure that IoT-enabled efficiencies don’t create security and privacy risks.
That’s why I’m involved with the IEEE Internet Initiative, a community that connects technologists and policymakers to address internet governance, cybersecurity, and privacy issues. Through the Collabratec Internet Technology Policy (ITP) Community, we’re developing a set of best practices that anyone can use to improve the security and privacy of any IoT application.
Question: When will those best practices be available?
Corser: The first step is a white paper, currently in progress, that discusses challenges and proposes options for addressing them. The paper will include IoT and security/privacy terminology and definitions, understandable by the lay public, while still rigorously accurate to technologists. Diagrams of the IoT system will describe the relationships between IoT components and identify threats and risks, so that laypeople and technologists can more effectively collaborate to address threats. The authors will share a set of best practices to secure IoT, which are understandable by laypeople and applicable to security policymaking, but rigorous from a technical perspective.
We’re working to publish that paper early in 2017, and it will be available at http://internetinitiative.ieee.org/resources.