Reinventing Cybersecurity in the Internet of Things

151022_oml_v1p | Public | © Omlis Limited 2015


Reinventing Cybersecurity in the IoT

By 2020 the IDC predict that the IoT will incorporate 200bn sensors, most of which will be communicating over open networks. This mass of connected devices will be doubly susceptible: their physical security will be exposed alongside their software-based security mechanisms. It is further predicted that by 2016, 90% of all IT networks will have experienced a breach stemming from the IoT.[1]

These figures clearly illustrate that the mass production of IoT (Internet of Things) devices is accelerating beyond the capabilities of traditional security protocols, which have been left floundering in the wake of innovation. A number of security propositions have been mooted to assist in narrowing the gap, with few as compelling as Omlis’ mobile-first core technology.

As the connected world continues to churn out increasing amounts of sensitive data, Omlis’ core technology will grow as a key enabler, neatly bundling the most powerful encryption and authentication qualities which this valuable data demands, as recognized by leading cloud infrastructure and IoT platform provider SoftLayer through our recent collaboration.

The IoT is a media-friendly term which has very little prescriptive meaning, yet it perfectly captures the notion of a wild proliferation of non-uniform devices involved in open networks. Pulling this array of exposed devices into the safe realms of a secure network was never going to be an easy task. It would appear that we need to treat such a diverse ecosystem on a case-by-case basis, classifying devices in terms of risk and applying the appropriate security mechanisms.

It’s implausible for the IoT to adopt some kind of ‘silver bullet’ security concept, such as an evolved version of a PKI (Public Key Infrastructure), which would act as a panacea for all security concerns; practicalities will demand a layered approach, with different devices requiring different levels of protection according to their capability and the value of the data being transmitted. Separating ‘mission critical’ aspects from sensors which may be involved in low risk networks with low risk applications seems a logical step.

Encryption algorithms need to retain their basic strength whilst exhibiting a small software footprint which doesn’t place too high a demand on the processor; in addition, robust encryption needs to be supported by strong mutual authentication techniques for machine registration and updates.

Methods such as digital certificates will inevitably have a place in the early stages, before we’re driven to define more practical methods of machine-based authentication.

An adaptable security architecture is the best response to the threat emerging from a complex mixture of devices operating over open networks. This in turn requires a number of solution providers; the key enablers will be those firms which can successfully marry the core characteristics of their technology with the needs of the IoT. Many of these pioneers will come from the mobile-first security sector, on the grounds that their core security platform enhances the offerings of more traditional mobile services, as was the case with BlackBerry and the Good Technology acquisition.

The idea of a collective response is becoming clear. VMware enhanced their mobile base with the acquisition of AirWatch in recognition that the mobile would become the ‘remote control’ for the connected world,[2] and similarly, companies such as Hitachi are also looking to harness the synergies of complementary industries to enhance their IoT offering; they recently acquired Pentaho Corp for their ability to analyze collated IoT data.

As more and more data becomes ‘sensorized’, Omlis’ mobile-first design principles and core technology will increasingly represent an excellent fit for high value, mission critical IoT applications.


Problems With Securing the IoT and the Shortcomings of Traditional Methods

Many of the sensors in the IoT don’t have the computational capacity to implement any form of complex cryptography, with the duties of interpreting and encrypting data falling on the smartphone or web-based device in front of the sensor. Of the sensors which do, traditional encryption delivered through protocols like SSL/TLS is often too much of a burden on low processing power.

Traditional security mechanisms such as PKI are trying to adapt and frantically rediscover themselves with new methodologies such as elliptic curve cryptography using reduced key lengths. Omlis, on the other hand, offers an entirely new solution which isn’t conditioned by the demands of outdated architectures and is suited to the emerging practicalities of IoT security.

PKI is already buckling under the weight of heavily manual processes, and its methodology will be further tested by the IoT, for which it was never designed.

If PKI is to be used in the IoT, it will represent a shift from a near universal human user base to tens of billions of additional interconnected non-human devices. The design remit for PKI was very much for public consumption, and how we secure what effectively represents a seismic population growth is a question which cybersecurity vendors need to answer.

Whereas a few years ago certificates were the domain of servers, laptops and personal computers, they’re now commonplace in everything from TVs to medical equipment.

There’s a fundamental difference between PKI set up for public usage and PKI in a closed or M2M (Machine-to-Machine) sense, in that humans can’t interfere as easily. This could be construed as a good thing, or as something which could be disastrous in terms of device registration, authentication, cloning and malicious substitution.[3]

High volume issuance of certificates on the mass production lines of IoT devices would represent an extremely awkward process, and the ongoing management of these certificates would be particularly difficult, especially with regard to revocation. Providing lifetime certificates is an option but is wholly inappropriate given increasing calls for lifecycle management.

PKI might be suited to many low value IoT communications if it can be repackaged for devices which have low processing power and thus limited ability to continually generate keys, but for data that demands complete integrity it’s far from ideal.

The question of how to provide a unique identifier for each IoT object is therefore very much open and as yet unanswered. Solutions such as DNSSEC have been touted as a method of securing crowded networks and guaranteeing communications between client and server, but DNSSEC is hugely susceptible to eavesdropping. This leaves the door open for more targeted solutions such as those offered by Omlis, which can wrap robust encryption of data with mutual authentication and lifecycle management.

Omlis’ software defined core technology can be tailored in such a manner that it can perform state of the art key management and authentication from low power devices using robust encryption. This facilitates the safe transfer of remote software updates and enhanced mobile device access, whilst at the same time negating the threats we associate with open networks and malware.


Industry Specific IoT Security Issues

Automotive: Remote Software Updates

The automotive industry is often cited as one of the emerging areas for connectivity, with ‘Autonomous Cars’ assuming the pinnacle of the Gartner 2015 ‘Hype Cycle’,[4] but security issues are beginning to overshadow this sense of opportunity. Quite pertinently, SDS (Software Defined Security) follows on the heels of Autonomous Cars in that cycle, highlighting how security has lagged behind product innovation.

As cars become increasingly connected, clear security gaps have appeared, particularly in terms of remote software updates, digital rights management and highly publicized cyber-physical attack vectors.

Tesla’s connected cars provide an active example of how vehicle infotainment and telematics have fully incorporated mobile technology, with the Model S regularly receiving software updates over-the-air in a near identical manner to the updates you’d receive on your smartphone. When updates impinge on cyber-physical features such as steering, autopilot and collision avoidance, it’s clear that strong authentication and encryption need to be a high priority.

The need for wireless patching and remote updates will become ever more pressing as cars and IoT devices in general acquire increasing amounts of complex software. Because this software is attached to high value / high liability products, mass car recalls have sometimes been the only option for delivering a mission critical update. The growth of these recalls in recent years exhibits manufacturers’ inability to update remotely through wireless patches.

BMW recently updated its wireless patch distribution system to use HTTPS, which shows that despite taking an industry lead, even the most conscientious manufacturers are still behind the times in terms of actually applying security in the first place. A recent HP research project pointed out that 60% of the IoT devices they studied didn’t use any form of encryption on software updates.[5]

Omlis’ core technology can provide the levels of strong mutual authentication required for secure software updates, guaranteeing that products are communicating with the intended source and encrypting communications throughout the entire product lifecycle.


Healthcare: Mobile Device Access and Authentication

According to MarketResearch.com there will be a $117bn market for IoT in the healthcare sector by 2020, but this kind of growth is fully dependent on security as the great enabler.

As well as the latent privacy issues associated with such personal information, health records are estimated to be worth ten to twenty times more than credit card details, with criminals using stolen records to file fake insurance claims or illicitly buy drugs or equipment.

At present, many of the leading wearables issued by commercial firms such as Fitbit don’t tend to fall under the scope of global data protection acts. These wearables transmit to server databases which aren’t used by health practitioners, so the information has very few compliance issues. However, if this information is redistributed to professional health practitioners, then the data becomes sensitive.

Many of these wearables are known as ‘headless devices’, with little or no user interface and an inability to exchange credentials.[6] They rely on beaconing out to a smartphone (or similar device) via Bluetooth in order to enroll into a network, which then places the primary security demands on the phone. According to Symantec’s ‘Insecurity in the Internet of Things’ whitepaper, 84% of analyzed IoT devices offered a smartphone application,[7] bringing us back to the idea of the smartphone as the ultimate remote control.

Connected healthcare is an emerging industry where mobile-first security vendors such as Omlis are ideally positioned to help shape the currently scant data security standards for mobile device access and authentication.

Industry and Infrastructure: Securing and Encrypting Data over Wi-Fi

It’s telling that Dell Security gave special attention to SCADA (Supervisory Control and Data Acquisition) in their 2015 Annual Threat Report, noting that attacks on such systems increased from 163,228 incidents in 2013 to 675,186 in 2014. Buffer overflows, cross-site scripting and cryptographic issues all featured prominently amongst the most common attack methods.[8]

SCADA formed the early foundations of the IoT in both industry and infrastructure. The vision and scope of this concept has grown exponentially with the incorporation of connected devices, and the lines between SCADA and the IoT are increasingly beginning to blur.

SCADA was traditionally used over Local Area Networks and Wide Area Networks, with appliances being wired up to a central control system, as in traditional M2M communications. Since then there’s been a clear move to more distributed architectures, which has meant that SCADA is encountering increased usage over Wi-Fi networks.

Connections over Wi-Fi are obviously more dangerous and less reliable, with many advising against it entirely for industrial applications. Nevertheless, Wi-Fi’s growing role in SCADA applications is acknowledged as an inevitable consequence of the IoT, particularly in those sectors which are slightly less critical than heavy industry or military.

Once again, Omlis’ core technology can provide reassuring levels of machine-based mutual authentication whilst securing and encrypting data over Wi-Fi, all of which can empower the advancement of the IIoT (Industrial Internet of Things).


“One of the main challenges the IoT faces is the reduced footprint on which a secure solution must run whilst providing security and protecting privacy. Wearables and other embedded electronic devices have cost constraints that limit the size of the CPU and the memory. In these conditions, only tailored solutions can be effective. Omlis is the only provider bringing a fully secure solution bundling key management, mutual authentication and encryption to the IoT. Omlis offers a dedicated answer to a very specific need of security and compactness.”

Stéphane Roule, Senior Technical Manager

How Omlis Addresses the IoT’s Insecurities

Omlis’ core technology has already showcased its ability to secure the channel between client and server via the cloud with the recent release of SEM (Secure Enterprise Messenger) on the IBM Bluemix platform.

The true value Omlis brings to the IoT is our software-defined capability to wrap the strongest cybersecurity traits into one tailored solution with the lowest footprint on memory and processing power.

For example, strong mutual M2M authentication is a discipline which the Omlis core technology, using our innovative authentication protocols, can potentially satisfy to a greater degree than any current solution provider.

The security of the Wi-Fi network is less critical because of our innovative key management and key exchange protocols. Unique keys are generated at the point of transaction and, due to the design of our distributed architecture, actual keys are never sent over the network and are never stored on the client or server side; so even if a MitM (Man-in-the-Middle) attack takes place on a relatively unguarded device, the attacker will fail to retrieve any meaningful information.

This method of generating keys at both ends of the communications channel means that Omlis never transmits sensitive data in plaintext, and information related to transaction keys can be erased from memory as soon as it becomes redundant. Furthermore, Omlis’ high integrity design principles and embedded software make security less dependent on the increasingly vulnerable Operating System, thus increasing resistance to malware.

The Omlis core technology can package its powerful characteristics into the IoT architecture in a manner which older legacy solutions will struggle to achieve.


References

1. https://www.idc.com/getdoc.jsp?containerId=prUS25291514
2. http://blogs.air-watch.com/2014/10/airwatch-vmware-signs-enable-iot-enterprise/#.ViEHS36rSUk
3. http://www.researchgate.net/publication/279063057_Enforcing_Security_Mechanisms_in_the_IP-Based_Internet_of_Things_An_Algorithmic_Overview
4. http://www.gartner.com/newsroom/id/3114217
5. http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
6. http://www.copperhorse.co.uk/the-quandaries-of-headless-iot-device-provisioning/
7. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/insecurity-in-the-internet-of-things.pdf
8. https://software.dell.com/docs/2015-dell-security-annual-threat-report-white-paper-15657.pdf

Contributors

The following individuals contributed to this report:

Stéphane Roule, Senior Technical Manager
Nirmal Misra, Senior Technical Manager
Paul Holland, Analyst
Jack Stuart, Assistant Analyst


Omlis
Third Floor, Tyne House
Newcastle upon Tyne, United Kingdom
NE1 3JD

+44 (0) 845 838 [email protected]

© Omlis Limited 2015