Welcome to the Acumen Security Blog

Archives for May 2016

Common Criteria and Internet of Things (Iot)

 

The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. A thing, in the Internet of Things, can be a person with a heart monitor implant, a farm animal with a biochip transponder, an automobile that has built-in sensors to alert the driver when tire pressure is low, a military drone — or any other natural or man-made object that can be assigned an IP address and provided with the ability to transfer data over a network.

The IoT world may be exciting, but there are serious technical challenges that need a lot of consideration before they can be deployed. If we think in terms of cybersecurity, a few things immediately jump out as concerns. First since they are deployed over a wider geographical area (in most cases), the increase in the cyberattack surface area substantially increases. We will be adding on average over 2000 IoT devices a second in another 10-15 years — many with little or no security built in. Each one of those IoT devices may be acting up as a potential bot on a botnet. The major concern about their deployment is that it is harder and more costly to protect, defend and maintain 100 doors than one door. Next think of how the data is transferred. Most of the communication in the Internet of things is based on either TCP or UDP which can easily be sniffed. Stop and think of the value of some of that data and the impact if it is stolen or captured during transmission.

If we think about the commercial solutions or private sector, there is a huge demand to incorporate these devices for communication and hence improve the overall infrastructure. On the other hand Defense Department has identified the “Internet of Things” as a key component for the military’s modernization strategy. But as one of the cyber security experts stated “the Pentagon is behind the curve due to security concerns and other impediments”. So what is in it for the vendors who are good at making these advanced devices (IOT) and want to sell them in the Defense sector or even in the private sector? Though everyone is interested in deploying these IoT devices, but it all stands still when we think about IoT and cyber security. Are they safe? Are they certified as per the best security practices?

An aggressive testing , good security practices and a flexible infrastructure methodology  is what these IoT devices are lacking and we sincerely believe that the common criteria certification can be answer to a lot of these concerns. We absolutely believe creating a new standard, as proposed here (http://industries.ul.com/software-and-security/product-security-services/product-testing-and-validation) isn’t the answer. We already have too many standards and one more will not help other than create more headache without any real value addition.