The future is fast approaching in the form of smart cities. But at the same time, a global horde of hackers are close behind, ready to exploit the weakest links.
Smart cities can reduce resource consumption, using IoT devices to optimize the use of electricity and water; reduce traffic congestion and air pollution through smart coordination of traffic lights, parking availability, and public transportation; and harness the power of big data and ubiquitous IoT devices to enhance the efficiency and livability of the urban environment. Technology research firm Gartner estimates there were already some 2.3 billion connected devices within cities around the world by the end of 2017, more than a 40 percent increase over the year before.
But the more IoT sensors that are deployed, the greater is a city’s attack surface for hackers and other bad actors. And so far, cities — and the rest of the IoT industry — haven’t done a very good job of implementing security.
The threats could lead to lethal chaos — a hacker maliciously tampering with traffic lights; industrial mayhem through hacking of municipal power, water, or sewage systems; financial loss, for example through theft of electrical power; and a spectrum of other vulnerabilities.
This increased attention to IoT security is a welcome sign. For years, it was all but ignored for two closely related reasons: on one hand, IoT devices are so small, many think, why bother? On the other hand, IoT devices have proven to be extremely difficult to secure simply because they are so small — especially when it comes to the size of RAM and storage.
Traditionally, security teams have had enough problems in securing full-stack servers sitting behind firewalls. Now that the world is waking to the immense threatscape posed by billions of unsecured and poorly secured IoT devices — hanging from power poles, mounted on buildings, bolted to heavy equipment — we face the daunting challenge of protecting devices with RAM and storage that are measured in kilobytes — not megabytes and gigabytes.
Traditional security stacks — which are comprised of multiple layers of cybersecurity infrastructure — simply won’t fit onto IoT devices. In fact, while we refer to devices as being part of the internet of things, few actually have room for the most fundamental layer, otherwise known as the IP stack, which allows them to directly connect to the internet, hence the reliance on wireless connectivity.
Using blockchain, which is the secure, decentralized mechanism behind cryptocurrency, we have an opportunity to bring connectivity to scale without compromising security in the process. While IoT devices themselves lack the resources to host a blockchain, the immutability of the system coupled with cryptographic keys can be used to establish root identity for devices. Devices can present credentials to participate within an IoT environment, with these credentials stored to — and later validated from — a public blockchain such as Ethereum.
Add some machine learning algorithms, and you can track device reputation and behavioral variations that can signal departure from pre-set attributes and norms. Identity and reputation are foundational to securing the IoT. In this manner devices can engage in secure autonomous transactions within a sphere of trust. And to really be safe, all data collected by an IoT device should be encrypted to remove reliance on transport-layer protection.
Blockchain also offers powerful ledgering and audit capabilities through its inherent timestamp function. Whether opening a water valve or dispensing medication through an IV drip, whenever blockchain is involved you have a precise, and immutable, record of the event.
In addition to blockchain, we need precision coding. In the early days of coin-operated video games, developers worked in machine code as they sometimes had only 6k of ROM storage. Similar skill is required to craft an efficient IoT security stack today that must fit within perhaps a 256kB ROM chip and operate with as little as 128kB of RAM — while also leaving room for the device’s operating system and application code.
This combination of blockchain technology and precision coding can go a long ways toward providing the heavyweight security required to protect the lightweight IoT devices that will enable smart cities.
Vaughan Emery is the founder and CEO of Atonomi, a blockchain-based arm of CENTRI technology, a firm that provides security for the internet of things.
Assess-IoT introduces new CENTRI practice to help businesses design and implement layered security capabilities reaching the most...
CENTRI Technology, a leading provider of Internet of Things (IoT) data security software, and its blockchain-based subsidiary Atonomi...
Well, 2018 is certainly off to a fast start, at least within the world of IoT security. Last week I wrote about my one one-word advice...
The high demand at the time the whitelist sign-up was initially opened caused the systems to become overloaded. Not all requests...
Automation is flowing into our lives so persistently and quietly that we hardly notice. Gone are the folded maps Now it’s click on your...