A Poor Fit For Legacy IT Security Designs
Sensor networks are not born of the Internet. They are not intended to exist on the Internet and they possess unique security requirements compared to systems and services found on the Internet. For instance, sensor networks will frequently be composed of “constrained” devices: low power, low processing, low memory, and as a by-product of the first 3, low security capabilities. Therefore, sensors will possess vulnerabilities that “regular” internet denizen-devices will not: sensitivity to malicious traffic of all types, and even sensitivity to merely unexpected or unscheduled data traffic.
As a result, the security of sensor networks will often be a matter of applying mitigating security controls in places other than the end-point sensor-device itself.
What are the options? A new control point for sensor networks. Historically, IT architecture could be divided into 3 main parts: end-point devices (desktops/laptops – even phones), network (LAN, WAN, Internet) and Data Centre / Cloud (central applications servers and data stores).
In the emerging Internet of Things (IoT), which in many ways is combining sensor and industrial networks with the Internet, a new architectural element is being promoted from a mere detail to a significant and important security asset – the “gateway”.
For our purposes, a “gateway” is a device that sits on the border between one domain of control and another, or between one physical network and another. A gateway can either be transparent to traffic, or it might perform some sort of translation function – like network address translation or protocol translation.
Gateways can be a variety of different devices in a sensor or IoT network, especially carrier networks. Figure 1 illustrates the placement of the diversity of devices that are essentially gateways in a large carrier network. By convention, the router at the edge of an Enterprise network might be broadly called a “gateway” by IT and security staff alike; however, there are many other devices which perform gateway functions. Internet service providers put gateways into homes. Wireless service providers have gateways which allow data to flow from radio networks to fixed line networks to support mobile data. Many existing sensor and machine networks use gateways to convert from backhaul network-technology to “last hop” protocols which the sensors and machines understand. Increasingly, enterprises are installing their own wireless gateways which connect mobile phones to small, localized “base stations” called femtocells or picocells, to offload data traffic (and tariffs) to local networks.
Typically, most gateways are “dumb”. They route or switch data without any form of treatment; but, that was how they were designed. This condition will not be good enough for sensor networks in the future, or the IoT.
Assuming the sensor device is constrained, and the DC/cloud is too remote to provide mitigating controls, then system designers and risk managers alike will start looking at the first relatively powerful element in the sensor network after the sensor itself: the gateway.
One approach is represented by the concept of “white networks”; white as in “clean and pure”.
White networks will be a matter of allowing only very prescribed sensor traffic to and from a sensor or IoT device. A white network is like application whitelisting (where only specifically allowed software may start and stop on desktops, devices and servers), but for networking: only explicitly allowed ports, protocols, sources, destinations, frequencies, volumes and possibly even application payloads and time-of-day, are allowed. (This list could even be extended to empirical criteria like environmental conditions, for instance, rain versus sun). Everything else is denied and sets off alarms.
The most effective place to apply white networking principles is at the point closest to the sensor device: the gateway. The gateway is the right place because it can monitor and control not only the traffic coming from the larger network to the end point device (sensor), but also traffic from other surrounding sensors that may need to communicate directly due to latency restrictions.
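One way a gateway could evaluate traffic against a white-network policy, shown as an added example that is not from the original article. The addresses, the single CoAP/UDP rule, the thresholds and the flow records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    size: int

@dataclass(frozen=True)
class Rule:
    max_bytes: int         # volume ceiling per message
    min_interval_s: float  # frequency: minimum gap between messages
    start: time            # allowed time-of-day window
    end: time

# Constructed policy: one sensor may report to one collector over CoAP/UDP.
RULES = {("10.0.0.5", "10.0.1.1", "udp", 5683): Rule(128, 60, time(6), time(20))}

def evaluate(flows, rules=RULES):
    """Return (verdicts, alarm_reasons); anything not explicitly allowed is denied."""
    last_ok, verdicts, alarms = {}, [], []
    for f in flows:
        key = (f.src, f.dst, f.proto, f.dport)
        rule, reason = rules.get(key), None
        if rule is None:
            reason = "no matching rule"
        elif f.size > rule.max_bytes:
            reason = "volume exceeded"
        elif not (rule.start <= f.ts.time() <= rule.end):
            reason = "outside time-of-day window"
        elif key in last_ok and (f.ts - last_ok[key]).total_seconds() < rule.min_interval_s:
            reason = "too frequent"
        if reason:
            alarms.append(reason)   # deny and raise an alarm
        else:
            last_ok[key] = f.ts     # only allowed traffic advances the rate clock
        verdicts.append(reason is None)
    return verdicts, alarms

def _f(hms, src, dst, proto, dport, size):
    return Flow(datetime.fromisoformat(f"2015-03-01T{hms}"), src, dst, proto, dport, size)

# Constructed flow records as a gateway might observe them.
SAMPLE_FLOWS = [
    _f("08:00:00", "10.0.0.5", "10.0.1.1", "udp", 5683, 64),   # scheduled report
    _f("08:00:10", "10.0.0.5", "10.0.1.1", "udp", 5683, 64),   # unscheduled repeat
    _f("08:01:00", "10.0.0.5", "10.0.1.1", "udp", 5683, 64),   # next scheduled report
    _f("08:02:00", "10.0.0.5", "10.0.1.1", "udp", 5683, 900),  # oversized payload
    _f("08:03:00", "10.0.0.9", "10.0.0.5", "tcp", 23, 40),     # neighbour with no rule
    _f("22:00:00", "10.0.0.5", "10.0.1.1", "udp", 5683, 64),   # outside reporting hours
]
```

Denied flows do not update the rate clock, so a burst of unscheduled messages cannot push the next legitimate report outside its allowed interval.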
In contrast to a “white network”, we could assess the regular Internet as “black” - filthy, full of attacks and threats and no place for a small, simple, cheap sensor device which was never engineered for the open ocean of the internet. Most home and small business networks are probably dark grey – unhygienic at best and usually poorly protected; enterprise networks are “ash” – not clean but run as a balance of risk and cost; and perhaps the best military-grade networks are off-white: because there really is no such thing as pure networks. This illustrates the conditions of today’s network environments that sensors will need to be capable of surviving in. The assumption is that even with good resources it is very difficult to segregate a sensor network and keep it “clean”, and if the sensors are going into domestic or small business environments, all bets are off.
It is a hallmark of many types of sensor and industrial device that they are fragile: they do not respond well to “internet-like” conditions such as regular or occasional network probes and scans by adjacent devices, or seemingly random increases or decreases in traffic volumes, latency and packet loss. Many sensor systems will see degraded network services as a service failure – a very different situation from what most users and applications expect from the internet. Many industrial services will fail or become unpredictable in performance if subjected to even mild forms of reconnaissance or attack over the network.
Similarly, the exploding range of sensors coming onto the IoT will likely mean that the incidence of defective and poorly engineered sensors and devices will increase as manufacturers strive to create the best and cheapest products: expect the result to be defective or poorly made devices entering sensor networks and generating excess or malformed network traffic to the point of making the network unusable. Another effect of large numbers of devices coming on the sensor network will be that some will not be properly secured physically, and will become platforms for unauthorized access by the curious and malicious. They will become back doors and side doors into the sensor networks and applications. In other cases, administrative errors in network management will see logically differentiated and segregated networks accidentally combined, or linked – with traffic from one “polluting” the other, with uncertain impacts on these fragile networks.
Another aspect of sensor networks in the IoT is that they will increasingly support critically sensitive, cyber-physical, logical-kinetic interfaces: information collected from sensors will be used to manage the real world. In these instances, the potential for an IT security issue to manifest as physical harm and damage becomes very real. Already we are seeing instances of the potential criticality of the logical-kinetic interface and the harm that can result from insecure and fragile networks and devices. (See the story about failed in-home, IP-based security systems, or IP-based utilities).
In this piece we focused on the growing importance of gateways in sensor network security design, and the concept of white networking as a technique that is both effective and efficient.
White networks are highly antiseptic, and a value-added service which might be offered by carriers or service providers. They will need to be configured for the IoT services in question – so they will not be a commodity. And they will need to be established and managed carefully. But, once established they should run and provide substantial assurance in an automated manner.
Security-enabled gateways will also play a role beyond white networking. Aside from the concept of white networks, expect that gateways will be required to assume a wide range of security functions that might normally be supported by more powerful devices themselves:
- The gateway will be important for access control, identification and “bootstrapping” of sensors and other devices as they are deployed and provisioned directly into the field from manufacturers.
- The gateway will support cryptographic functions on behalf of sensors and other devices too constrained to apply confidentiality safeguards.
For a deep discussion related to security and risk of sensors and the IoT, see an up-coming book called “RIOT Control” where we list several dozen examples of IoT use-cases, and security implications.
Tyson Macaulay is VP Global Telecommunications Strategy at McAfee, Part of Intel Security.
© FrontLine Security 2015