This proposed mindset encourages securing IoT at the device level and, just as importantly, watching the network aggregation points so that an attack riding on millions of compromised devices can be contained.
When you think about the rising bandwidth consumption across the globe, it’s pretty easy to imagine that IoT is going to be a major contributor. With potentially billions or trillions of devices suddenly connected to the Internet, it’s almost inconceivable that bandwidth requirements will not change.
But even with all those sensors streaming information to clouds or remote data stores, the primary role of the network with regards to IoT could very well be security.
The real threat posed by millions of IoT devices was probably most visible with the Mirai botnet that hit in 2016. If you thought DDoS was bad before, putting millions of smart devices online, most of them inadequately secured, grows the problem by orders of magnitude.
Every connected device represents an additional attack surface that can be exploited. So as IoT becomes more and more commercially attractive, there will be more and more devices. These devices will obviously range from industrial and military grade to consumer grade. And therein lies the problem.
When Mirai hit, there were calls from all across the industry to demand that the companies manufacturing and selling these devices secure them. It’s hard to argue with people making declarations that things should be more secure. But these kinds of demands are actually not likely to bear much fruit.
The general thinking goes something like this: there should be basic security measures that are agreed upon as a reasonable lowest bar. Companies failing to meet these requirements should be held at least partially culpable should their devices be exploited in any future attacks. The cost of said attacks would then be at least partially offset by the culpable parties. And to dissuade future bad behavior, there would be potential punitive damages.
But these demands, even if reasonable, are unlikely to have much success.
First, the market is nascent. There is no consensus on what security means in this context. And some of the things that people almost universally agree on (encrypting traffic to protect user privacy) don't actually solve all of the problems; an encrypted connection from a device with a default password is still a bot. Second, security has a cost. We would have to believe that companies will absorb this cost, or pass it on to the consumer. Now, before I get attacked, I know that there is also a cost to not securing things. But in practice that cost is shared by everyone, while the cost of securing a device falls on its maker. So a company making a device that sells for a few pennies will most likely keep its price low so that it can sell in volume. This might not be what we want to happen, but it is likely what is going to happen.
The logical response is punitive damages assessed by governments. In effect this lets governments dictate where these companies can sell. It works in countries willing to take such legislative action, which leaves a lot of countries out of play (notably including China).
A further problem is that security measures for IoT are predominantly envisioned as ways of preventing compromise. Once devices are compromised, they are simply rogue actors that can attack anyone, regardless of where they are or what laws were enacted to secure them.
So I am all for driving better practices. But if we think that means we can declare success and ignore the threat, we are kidding ourselves.
Nor is anyone going to manage policy device by device. If there are millions of sensors in a city, it's silly to think that someone is going to sit atop all of them and push policy downward. We already know that we manage connectivity through natural aggregation points. This is why the IoT gateway market has emerged.
And in a distributed IoT environment, there will be multiple gateways. Those gateways will eventually be wired up to what looks like an IoT backhaul solution. We have architecturally solved this problem already in both the wired access and the mobile wireless markets.
When you have natural aggregation points, they become the natural points of policy distribution.
And this leads to what should be a fairly obvious conclusion. The real role networking will play in the IoT world is at these aggregation points. And the role isn't as a bandwidth provider. Bandwidth is a problem the access and backhaul networks already know how to solve. Even if you connect millions of these sensors, each reporting a little state, bandwidth is not the big issue to be addressed.
Sitting at these aggregation points, networking will essentially play the role of policy enforcer. If you have a rogue sensor, you might want to isolate that sensor. But more likely, if that sensor has been compromised, you might want to isolate all similar sensors. The gateway devices become an easy point of containment.
If you think about those devices like other gateway devices, it also means that you can preserve local switching so that expected behavior within an area can continue, essentially creating a walled garden around an uncontaminated space.
When you combine this behavior with something like multi-access edge computing (MEC), you can actually keep distributed compute and storage resources active at the gateway, which gives you access to your cloud app (or a distributed instance of one). This takes some of the sting out of quarantine actions, especially when they are preventative more than reactive to some specific breach.
People should absolutely be thinking about security with IoT, but that thinking needs to expand to the aggregation points. It's not an either/or proposition: you're going to need both for any real commercial-scale deployments.
So you should be looking at ways to aggregate telemetry from the underlying devices so that you can surface threat intelligence as quickly as is practical. And then you should be integrating automated remediation and policy distribution centrally, using the gateways and network aggregation points as logical enforcement points.
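To make the gateway-as-enforcement-point idea concrete, here is an added example (my own illustration, not code from the original post or from any gateway product) of the loop described above: aggregate flow telemetry from the devices behind a gateway, flag a device whose traffic departs from its model's expected profile (a Mirai-style telnet sweep across many hosts is the case shown), quarantine it and, preventively, every device of the same model, and render the resulting rules while leaving segments with no affected devices switching locally as before. The inventory, the per-model expected destinations, the flow records and the rule syntax are all constructed and assumed for this example.

```python
"""Gateway-side containment policy driven by aggregated flow telemetry.

All device ids, models, addresses, flow records and the rule syntax are
constructed for this example; a real gateway would take inventory and
expected-destination profiles from its management plane.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    dev_id: str
    model: str    # vendor/firmware family from the gateway's inventory (assumed known)
    segment: str  # local switching domain behind the gateway


@dataclass(frozen=True)
class Flow:
    src: str      # dev_id that originated the flow
    dst_ip: str
    dst_port: int


# Constructed inventory: three segments, two device models.
INVENTORY: List[Device] = [
    Device("cam-01", "cam-v1", "lobby"),
    Device("cam-02", "cam-v1", "lobby"),
    Device("cam-03", "cam-v1", "garage"),
    Device("temp-01", "temp-v2", "garage"),
    Device("temp-02", "temp-v2", "roof"),
    Device("temp-03", "temp-v2", "roof"),
]

# Expected destinations per model (assumed provisioned by the operator).
EXPECTED: Dict[str, Set[Tuple[str, int]]] = {
    "cam-v1": {("10.0.0.5", 443)},    # cloud ingest over HTTPS
    "temp-v2": {("10.0.0.5", 8883)},  # MQTT over TLS
}

# Distinct off-profile hosts before a device is treated as compromised.
OFF_PROFILE_HOST_THRESHOLD = 8


def constructed_telemetry() -> List[Flow]:
    """Constructed flow records: every device talks to its expected endpoint,
    and cam-02 additionally sweeps 12 hosts on telnet (the Mirai pattern)."""
    flows = []
    for dev in INVENTORY:
        ip, port = next(iter(EXPECTED[dev.model]))
        flows.append(Flow(dev.dev_id, ip, port))
    for i in range(1, 13):
        flows.append(Flow("cam-02", f"192.0.2.{i}", 23))
    return flows


def find_rogue_devices(flows: Iterable[Flow], inventory: List[Device],
                       expected: Dict[str, Set[Tuple[str, int]]],
                       threshold: int = OFF_PROFILE_HOST_THRESHOLD) -> Set[str]:
    """A device is rogue when it contacts at least `threshold` distinct hosts
    outside its model's expected destinations. Devices missing from the
    inventory have an empty profile, so all their traffic is off-profile."""
    model_of = {d.dev_id: d.model for d in inventory}
    off_profile: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        allowed = expected.get(model_of.get(f.src, ""), set())
        if (f.dst_ip, f.dst_port) not in allowed:
            off_profile[f.src].add(f.dst_ip)
    return {dev for dev, hosts in off_profile.items() if len(hosts) >= threshold}


def containment_policy(rogue: Set[str], inventory: List[Device]) -> Dict[str, str]:
    """Quarantine each rogue device and, preventively, every other device of
    the same model, since they most likely share the exploited weakness."""
    tainted_models = {d.model for d in inventory if d.dev_id in rogue}
    policy = {}
    for d in inventory:
        if d.dev_id in rogue:
            policy[d.dev_id] = "quarantine"
        elif d.model in tainted_models:
            policy[d.dev_id] = "quarantine-preventive"
        else:
            policy[d.dev_id] = "allow"
    return policy


def untouched_segments(policy: Dict[str, str], inventory: List[Device]) -> Set[str]:
    """Segments with no quarantined device: local switching there is left as-is."""
    affected = {d.segment for d in inventory if policy[d.dev_id] != "allow"}
    return {d.segment for d in inventory} - affected


def render_rules(policy: Dict[str, str], inventory: List[Device],
                 expected: Dict[str, Set[Tuple[str, int]]]) -> List[str]:
    """Render an assumed, vendor-neutral rule list the gateway would push:
    quarantined devices are denied outright, others get only their profile."""
    rules = []
    for d in inventory:
        if policy[d.dev_id] != "allow":
            rules.append(f"deny {d.dev_id} any any  # {policy[d.dev_id]}")
        else:
            for ip, port in sorted(expected[d.model]):
                rules.append(f"permit {d.dev_id} {ip} {port}")
    rules.append("deny any any any")
    return rules


if __name__ == "__main__":
    rogue = find_rogue_devices(constructed_telemetry(), INVENTORY, EXPECTED)
    policy = containment_policy(rogue, INVENTORY)
    print("rogue:", sorted(rogue))
    print("segments left alone:", sorted(untouched_segments(policy, INVENTORY)))
    print("\n".join(render_rules(policy, INVENTORY, EXPECTED)))
```

The model-wide quarantine is the "isolate all similar sensors" step: with cam-02 flagged, cam-01 and cam-03 are taken offline preventively while the temperature sensors keep their permitted paths and the roof segment is never touched. Tune the threshold and the per-model profiles to the deployment; a profile that is too narrow will quarantine healthy devices on a firmware update that adds a new endpoint.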