The Connected Effect

The Internet of Secure Things: Vulnerabilities Beware!

Posted by Brittany Calvanese

Jul 8, 2014 10:26:00 AM

By Rob Black, CISSP

I hope you are enjoying the summer as much as I am, and that you have some well-deserved time off ahead of you. But before you take off, I’d like to play out a security scenario with you. Imagine your company manufactures mission-critical machines, and a couple of days before you depart on your dream vacation you discover that 10,000 machines deployed across hundreds of customer locations have a software flaw, the result of which could be a serious security problem for your customers and a significant risk to your organization. The engineers on your team have developed a patch for the vulnerability. Do you:

  • Send out an email advisory of the problem and hope that customers will download the patch while you are on vacation, and that there will be no major headaches for customer support during your absence. (If this is the case, you should worry about whether you will have a job when you return.)
  • Cancel your vacation and start copying the patch to thousands of USB memory sticks to be mailed out to every customer location. (If this is the case, that “well-deserved” vacation doesn’t seem to apply.)
  • Something else.

Given that you are reading a blog on IoT and you are interested in security, I am betting that you picked c) Something else.

That something else is the IoT.  The ability to connect to a machine is critical to being able to ensure that it is secure. An unconnected machine is one that is likely unpatched and therefore vulnerable.

While connecting to your machines is laudable, it is not enough. There are many components to an IoT project, including the means to update the software, what we at Axeda call Connected Content.

Your solution not only needs to be aware of the version, the right steps to perform, and what to do if an error occurs, but also needs to consider what network bandwidth constraints may exist. Unless your customers have unlimited bandwidth, you might want to limit how many updates are being deployed at a given moment in time.

Now what if the machine is performing a critical operation, for instance “in surgery,” literally opening up someone’s chest in an operating room? It might not be a good time to perform a software update. You need the ability to put the device into a mode that prohibits it from doing the update at that time.

Up to this point we have assumed that all machines were the same. What if machines have different configurations, different boards, different chips, different modules, or different software? Can the same patch be applied identically to all your machines? You need software that can differentiate between the various versions and apply the appropriate software.

Now that we have sent out updates to thousands of machines we need the ability to audit, monitor, and report on the results and identify any problematic machines that might need additional intervention. The software has to have the tools to track which machines were updated and which ones had problems that require manual intervention.
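The requirements above (variant-aware patch selection, a bandwidth cap, deferral during critical use, and an audit trail) can be sketched as a small rollout planner. This is an added example, not Axeda's code; the device fields, status strings, package names and sample fleet are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

FIXED_VERSION = "1.0.1"  # constructed: version that contains the fix
# Constructed catalogue: (hardware variant, vulnerable version) -> package.
PATCHES = {
    ("board-a", "1.0"): "patch-a-1.0.1.bin",
    ("board-b", "1.0"): "patch-b-1.0.1.bin",
}

@dataclass
class Device:
    device_id: str
    variant: str
    version: str
    in_critical_use: bool = False  # e.g. the machine is mid-procedure

def plan_wave(devices, max_concurrent):
    """Pick the devices to patch now; give every device an audit status."""
    wave, audit = [], {}
    for d in devices:
        package = PATCHES.get((d.variant, d.version))
        if d.version == FIXED_VERSION:
            audit[d.device_id] = "already-current"
        elif package is None:
            # Unknown board/version pair: never guess at a package.
            audit[d.device_id] = "no-applicable-patch"
        elif d.in_critical_use:
            audit[d.device_id] = "deferred-critical-use"
        elif len(wave) >= max_concurrent:
            audit[d.device_id] = "queued-bandwidth-cap"
        else:
            wave.append((d.device_id, package))
            audit[d.device_id] = "scheduled"
    return wave, audit

def record_results(audit, results):
    """Merge install outcomes; return ids that need manual intervention."""
    for device_id, ok in results.items():
        audit[device_id] = "updated" if ok else "failed-needs-intervention"
    needs_help = ("failed-needs-intervention", "no-applicable-patch")
    return sorted(i for i, s in audit.items() if s in needs_help)

# Constructed sample fleet.
FLEET = [
    Device("m-001", "board-a", "1.0"),
    Device("m-002", "board-b", "1.0", in_critical_use=True),
    Device("m-003", "board-a", "1.0.1"),
    Device("m-004", "board-c", "1.0"),
    Device("m-005", "board-b", "1.0"),
    Device("m-006", "board-a", "1.0"),
]
```

Deferred and queued devices are picked up by calling `plan_wave` again on the next pass, once the critical-use flag clears or the previous wave has finished.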

It sounds like a tall order for any solution to be able to meet all of these requirements. And it is. The Axeda Connected Content solution was designed for product manufacturers to be able to meet the rigorous requirements outlined above. Our customers that utilize Axeda Connected Content are able to update content on thousands of machines managing vulnerability fixes, other software updates, as well as pushing configuration data. You can learn more about how Axeda Connected Content is solving real world problems with ecoATM from the posted webinar.

With Axeda Connected Content helping to protect your machines you can enjoy your summer!

Topics: Axeda, Internet of Things, IoT security, Internet of Secure Things

The Internet of Secure Things

Posted by Brittany Calvanese

May 19, 2014 11:31:00 AM

By Rob Black, Axeda

Here at Axeda we just finished a very successful Connexion 2014 conference where global thought leaders in the Internet of Things (IoT) gathered in Boston for our multi-day event. One of the themes that I heard again and again from practitioners of IoT is that their security story needed improvement in order to assure customers that their IoT solution could be utilized safely. There is a lot of noise from the entertainment world and popular press about killer pacemakers and spam-sending refrigerators that has crowded out the less sensational reality that IoT security is not fundamentally different from network security, and there are a plethora of strong security practices that can be readily applied to IoT.

Many customers who are deploying IoT are frustrated by the resistance that some IT and security departments exert when an IoT solution can clearly help them solve business challenges for their deployed machines. Lack of connectivity is not the solution to a security problem, and that thinking should be turned on its head. If companies are concerned about security and compliance, here are the questions that they should ask. These questions are based on real-world events that our customers have observed and not on theoretical thinking.

  • How can you be certain that machines are being used for their appropriate business purposes and not for gaming or other (worse) personal activities?
  • How can you ensure that the appropriate policies have been applied to the machine? Are policies applied in a consistent manner or does it depend on the technician and date of machine provisioning/servicing?
  • What is your update strategy should a software vulnerability be found on thousands of your machines? Does your plan involve running around with a USB stick to every machine?
  • How do you connect to the machine for remote service support? Do you use web meeting tools? Does that mean that the remote user has an elevated level of access? Are the changes audited?

If your answers to the questions above are unfavorable, perhaps you should consider using an IoT solution to help you solve your security and compliance problems. Connectivity and diligent management are the key to successfully managing devices in your enterprise. Axeda has helped many customers to examine and address the challenges listed above. For instance, the ability to log every significant action at the device level can help organizations to ensure compliance with regulations and protect against rogue employees utilizing remote desktop applications to perform non-authorized activities on business-critical machines.

Once you have decided to pursue an IoT solution, there are a number of steps required to ensure that it is secure. The first and most important step is to get senior management buy-in. While this might not be the most obvious path for technically minded folks, it is the one that can help you to solve a number of problems long term. Senior management needs to be sold on the business value of this project. If there is sufficient business value then they can help you get the appropriate resources to address security or other requirements that might be a part of the project.  They can help to move obstacles that may be in the way of a successful project.

Before getting the buy-in, however, management may ask for an assessment of a particular IoT solution. Since an IoT solution is comprised of so many parts, we break it down into seven key segments to more easily perform analysis for security purposes:

  • Device
  • Inside the firewall software and communications
  • Outside the firewall communications
  • Cloud operations
  • Cloud platform
  • Cloud development
  • Cloud applications

Over the next several blog posts we’ll dig into key security topics utilizing the above framework and provide you with an understanding of what you can and should expect from an IoT vendor, and which challenges are better addressed from within your own organization.  If you can’t wait until the next post, check out our security white paper in the interim. Stay tuned!

Bio:
Rob Black is Director of Platform Product Management at Axeda where he oversees the direction of the Axeda Machine Cloud Platform. In addition to his expertise in Internet of Things (IoT) and Machine-to-Machine (M2M), Rob has extensive experience in security, web services, and cloud solutions. Rob’s product management and product marketing background includes positions at RSA Security, 3Com, and Vertical Communications. Rob received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is the inventor of three security-related patents and is also a Certified Information Systems Security Professional (CISSP).

Topics: Axeda, Axeda Connexion, Internet of Things, IoT security
