Intelligent connected devices enable technological advances that, in theory, give us greater control over our environment and lives. Yet, with that increased connectivity comes an element of risk. As more of our devices connect with each other, the ability to secure this exchange of information becomes more complicated. The problem is the Internet of Things (IoT) will make use of devices based on older architectures — as well as advanced versions in use today — in products such as smartphones that are purpose-built for connectivity.
“Industries who want or need to connect don’t know, or care to know, about security,” said Ian Ferguson, vice president of Arm. “Yet, by ignoring security, organizations put their data at greater risk of compromise or theft. We’ve had a glimpse at how vulnerable IoT devices are able to disrupt websites and services, when machines infected with the Mirai malware launched botnet attacks last fall. Most security experts believe this is only the beginning, that hackers will increasingly use IoT devices as a launching point.”
The security manifesto
“Connectivity creates new channels in which data can flow and be intercepted by threat actors in cyber contexts — for example, organized cybercriminals who are launching increasingly complex and hard-to-detect attacks,” explained Dr. Mary Aiken, cyberpsychologist, who is supporting the Arm IoT Security Manifesto. “That means exploring and investing in advanced security architectures and new threat detection technologies.”
Arm has a vested interest in encouraging companies to build security into a device’s network infrastructure. For nearly three decades, the company has provided the “brains” for much of the technology we use. Our smartphones, for example, rely on Arm’s technology to run the compute functionality, graphics and security. Other products, such as air bags, televisions and lighting systems, also rely on Arm technologies.
However, as the list of IoT technologies grows, we see more devices being used for tasks they weren’t intended for. A refrigerator that can send a grocery list to an app on your phone may be convenient, but Ferguson pointed out that it also opens a new avenue for hackers. Your kitchen appliances might not have a lot of data, but it can let intruders inside your network and dig around for valuable information.
Securing IoT must be a collaborative effort between industries, manufacturers, and tech companies.
“The technology industry needs to accept that there is a social contract between companies creating technology and those people and businesses using it,” said Aiken. “This places a duty of care on all companies which can be an excellent basis for building trust.”
The risk as the world becomes increasingly connected, she added, is that cybercriminal and/or malicious activity will undermine trust, which will slow down progress on creating an Internet of Things at scale. “Considering the benefit the IoT can bring to areas like health, the economy and global sustainability, we cannot allow criminal enterprise to gain the upper hand and undermine the vitality of the technology industry in cyberspace.”
Treating cyber viruses like human viruses
As it lays out a vision for IoT security, along with a call for industry to rally behind the social contract, the Arm IoT Security Manifesto presents this need with an analogy that gives security a human touch in comparing the human immune system to the defensive network policing IoT.
“The ‘technological immune system’ is based on detecting ‘illness’ in edge devices through sensors looking for unusual behavior,” said Aiken. “The system first watches activity and performance and learns what a healthy system looks like and then uses that as a basis for comparison. The system would have the ability to quarantine devices that appear to be unhealthy, and, just like a human defense system, respond appropriately. In the case of a cyber infection, triggering automatic treatment through upgrades or rehabilitation.”
The security horizon
With the IoT Security Manifesto, Arm and its partners aim to establish a strong set of security principles, with collaboration across the Arm ecosystem and across industries.
Arm Mbed IoT Device Platform is a starting place for improved IoT security by delivering both protection against violations and mitigation of their consequences. Additionally, Cisco is joining forces with Arm and introducing its Platform Security Architecture, which standardizes best security practices across multiple IoT devices and systems.
“But there’s a lot more work to do,” said Ferguson. “We need to raise the bar as hackers find new attack vectors.”