In the IoT, like in the defence industry, one attack could be fatal. Security thinking needs to be turned on its head, and IoT endpoints and routers need to be designed to resist the next attack rather than patched to prevent the last one.
If the right technology is applied when the network is being designed (rather than as an afterthought), it could dramatically reduce the chance of an attack, or its impact when it occurs. Much of this technology already exists and was evolved to meet the security needs of the defence industry, which has been operating secure remote networks for decades, and where a compromise in any part of the network could be fatal to national security and hence not an option.
Operating systems are often the key attack point as they are typically the highest privileged software in any given system, and if compromised offer keys to the control and data kingdoms. So there needs to be a better way to protect these operating systems than the traditional anti-virus or OS patch mechanisms that are normally used. Operating systems are used in both the devices and the routers, and we need to look at the challenges facing each part separately.
First, the “things.” These things are connected embedded systems, often not using large operating systems, but using hard real-time OSs (RTOSs) that are helping to support the networking function and the data extraction or control function of the physical item they are connected to. These RTOSs have been traditionally more secure than desktop OSs, often because of their proprietary interfaces, but also due to the fact that they haven’t been as connected to the outside world as they are becoming with the IoT. So, adding wireless network connectivity makes these “things” a lot more vulnerable, and their proprietary interfaces will not stop a determined attacker who has gained entry via the wireless network. However, if an RTOS is used that has built-in security functionality, especially one that was designed to meet the exacting security needs of DoD tactical systems, then it could offer enough security protection to stop the most determined attacker.
Secondly, the router. This is a bit more challenging to protect as we are now dealing with a much more complex system that has to support multiple networks (including wireless), needs to connect securely to the untrusted Internet, and at the same time is passing and processing a large amount of data. The prevailing thoughts and technology for true domain separation call for something known as a separation kernel. This is at a higher level of privilege than the OS (i.e., it sits between the OS and the hardware), and its primary function (as the name suggests) is to separate the resources in the system, such that an attack in one domain cannot reach or compromise the other domain. In order to still offer the functionality required from an OS, the separation kernel also contains virtualization functionality that allows the “guest” OS (or OSs) to reside above it in separated secure virtual domains. This separation kernel approach gives some very interesting benefits when designing these highly intricate cornerstones of the IoT.
The small separation kernel is the only software item at the highest privilege level, and if designed properly it will not contain untrusted elements such as device drivers or software stacks, as they can now reside in the lower privilege guest OSs. This substantially reduces the “attack surface” of the highest privileged software. Any attacks made on the guest operating systems will be contained in their own secure domain, without compromising the rest of the system, which essentially stops the attack from spreading and likely reaching its intended target, the proprietary network and the “things.”
By having multiple guest operating systems in their own secure domains, we can now also choose which OS best suits which domain. Instead of being confined to a single OS to control all tasks, a general-purpose OS can be used to connect to the Internet side of the router, and an RTOS can be connected to the proprietary side. The two sides communicate only through channels provided by the separation kernel, and that communication can be carefully moderated, controlled and in some instances made unidirectional.
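To make the separation-kernel policy described above concrete, here is an added example (not from the original article or any particular separation kernel product) that models the kernel's channel configuration as a default-deny flow graph. It assumes three hypothetical guest domains and checks whether a fully compromised Internet-side guest could reach the proprietary side, comparing a unidirectional channel with the weaker bidirectional setting.

```python
"""Toy model of a separation kernel's inter-domain flow policy."""
from collections import deque

# Hypothetical guest domains (partitions) the kernel enforces.
UNTRUSTED = "internet_os"        # general-purpose guest facing the Internet
PROTECTED = "proprietary_rtos"   # RTOS guest on the proprietary side
CONFIG = "device_config"         # partition holding the "things" configuration
PROPRIETARY_SIDE = {PROTECTED, CONFIG}

# Channels the kernel is configured to provide: (src, dst, unidirectional).
# Anything not listed is denied; guests cannot create channels themselves.
STRICT_POLICY = [
    (PROTECTED, UNTRUSTED, True),   # telemetry out only (data-diode style)
    (PROTECTED, CONFIG, False),     # RTOS reads and writes its configuration
]
WEAK_POLICY = [
    (PROTECTED, UNTRUSTED, False),  # same link, but replies flow back in
    (PROTECTED, CONFIG, False),
]


def flow_graph(policy):
    """Directed graph of permitted information flows between domains."""
    graph = {}
    for src, dst, unidirectional in policy:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
        if not unidirectional:
            graph[dst].add(src)
    return graph


def reachable(policy, start):
    """Domains an attacker controlling `start` could push data into (transitively)."""
    graph = flow_graph(policy)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def flow_allowed(policy, src, dst):
    """Per-message kernel check: default deny unless a channel permits it."""
    return dst in flow_graph(policy).get(src, ())


def check_containment(policy):
    """True if a compromised Internet-side guest cannot reach the proprietary side."""
    return reachable(policy, UNTRUSTED).isdisjoint(PROPRIETARY_SIDE)
```

With the strict policy the Internet-side guest reaches nothing; with the weak policy it reaches the RTOS and, through it, the configuration partition, which is exactly the spreading the article wants the kernel to stop.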
Since the challenges faced by commercial infrastructure providers are similar to those faced by the defence and aerospace industries, it is no surprise that the same technologies are being applied: real-time operating systems with built-in security and secure hypervisors to isolate vulnerable parts of the system. It is clear that the Internet of Things needs to be secure by design, and based on technologies like these that are inherently locked down against attack.