Secure first, then connect: The future of IoT security

In January, my company exhibited at “Automotive World 2017,” a three-day expo in Tokyo, Japan dedicated to the latest in automotive technology. Looking through the expo arena, it was clear that cars have evolved and are continuing to evolve. Whether it’s the research and development, the materials and weight of the parts, or even the sleek lines in modern automotive design, it’s remarkable progress.

However, among the changes, I have to say that IT within cars has seen the biggest change. The term “connected car” is now more widely used than ever, and most people understand at minimum the idea of cars as an IoT device when mentioned in conversation or in the news. No longer a simple mode of transportation that takes you from point A to point B, a “connected car” is a car that utilizes IT devices to connect to other cars and other infrastructure. This is no Back to the Future, it’s the present.

It’s my opinion that with this now-present phenomenon, it only follows to think of security. By now, everyone knows that back in 2015, a Jeep Cherokee was hacked remotely, taking over the brakes and the transmission, all from a flaw in the entertainment system. But it’s reassuring to see that connected car security is starting to be discussed in the industry.   

The Need for IoT Security over Traditional Methods 

The connected car is one of the heroes of the Internet of Things (or IoT) movement, but having led a security company for 20 years, my first thought of any new technology is its security. Many people ask why development of security in connected cars and IoT is necessary when there is already a myriad of solutions available for web security and data security. That’s a great question to ask, and an important one. 

The crucial difference between IoT and IT security is the intervention of a human being, which is why I often like to refer to IT security as IoP security: the Internet of People. Computers provide high computing power, sure, but people are the ones that provide the course of action: something good or bad, useful or just fun. With IoP, Internet Service Providers (ISPs) can’t restrict connectivity much because connectivity stands as the core emphasis of the Internet. Due to its wide application, it must remain open, even if the risks are high.

On the other hand, when we look at IoT, it’s no longer a person at the center. In the case of the connected car, it’s the vehicle and its system that will interact with other vehicles, infrastructure, and devices within the car itself.     

IoT makes it possible for the predefined “thing” to achieve a specific task without having to be run through a person. While your car is speeding down the highway, a connection to a nearby road-side unit (RSU) can let it know that there’s an accident ahead and to take a different route, all without the driver having to act.

The Dangers of Connecting Before Securing 

All the while, you must remember that it’s dangerous for “things” to malfunction (think machines, robots taking over the earth, basically any zombie post-apocalyptic film ever made), so they must be designed to operate only for the purpose given to them in advance. If a device malfunctions, absurd situations could occur like receiving ten bottles of laundry detergent when you ordered ten gallons of engine oil for your car. Even worse, malfunction could pose a threat to human life. If it could go that far, doesn’t it make sense that before you connect it to any kind of risky system, you would make sure that your device gives no wiggle room for failure?

That’s why for IoT security, my philosophy is “Secure First, then Connect”: security measures should always come before the connection. The mistake that most people are making now is to apply IoP security (connect first) to IoT devices and connected cars. Most recently, IoP security has been focusing on application security, which is largely based on Web Application Firewalls (WAFs). Most WAFs on the market now utilize the signature method, where different vulnerabilities will be marked in “signatures” that IT managers and administrators can provide as updates for their security devices. While an effective way to block larger, well-known attacks, this method takes consistent updating after initial connection, and carries an elevated risk of being unable to block variations of attacks.

Let’s say an automobile maker develops a connected car and then asks a security company for a security risk test. The security company carries out vulnerability tests utilizing the signatures currently available and then submits a report according to conventional security methodology. Automakers then add security patches and new signatures to prevent the vulnerabilities from the report, stamp it with the “safety standards passed” patch, and send it on its way to be sold. But the “stamp of approval” is only valid until the next threat arises. The car will constantly need updates with the newest signatures to keep “secure.” And even then, not all threats may be blocked.     

The world has already seen what hacking into systems can do in the tests done on Fiat or Tesla automobiles and this scares people, as it should. It’s no longer just a connection, it’s people’s lives. 

The Logical Way to Secure IoT 

I’m a firm proponent of logic-based detection, which I’d describe as a step forward from signature-based detection. An engine that’s signature-free allows for logical analysis of the attack in its distinct characteristics. The benefits of this are that variations are caught through the algorithm, and we end up with extremely low false positives (when traffic is falsely labeled as an attack).   

This method is optimal for securing IoT as it’s more effective and comprehensive than signatures. There’s much more confidence in a logic-based system than one that requires constant updates, especially when dealing with vehicles, infrastructure, and most importantly, human lives.

I’m confident that “Secure First, Then Connect” is the direction that security needs to move to continue progressing further into the IoT era from the Internet of People. My hope is that the changes in technology and IT that I saw at the expo in Tokyo are only the beginning of something both great and secure.

Seokwoo Gregory Lee, CEO and founder of Penta Security Systems
