Like industrial control system (ICS) networks used for critical infrastructures such as electrical power grids, the Internet of Things (IoT) is creating a huge, convoluted sprawl of loosely connected devices with varying levels of sophistication and security. And just as the country's safety relies on defending key infrastructure such as utilities, protecting IoT is fast becoming an issue of national security.
Cars, medical equipment and manufacturing devices increasingly rely on IoT. And this reliance places both an obligation and opportunity on telecommunications service providers which deliver the New IP that connects this array of disparately different devices, Raheem Beyah, associate professor in the School of Electrical and Computer Engineering at Georgia Institute of Technology, tells The New IP.
Beyah and a team from Georgia Tech developed a device fingerprinting technique that identifies equipment on electrical grid control networks. The approach uses the unique electronic "voices" or fingerprints that each device creates via its physical characteristics to figure out which are legitimate and which may come from potentially malicious forces. Initially designed for networked industrial systems such as oil and gas, manufacturing, water treatment and utilities, this solution could be adapted for IoT, Beyah says.
"There's tremendous overlap between cyber physical systems and IoT. My Nest thermostat, is that IoT or CPS?" he says.
Like some IoT devices, older networked systems operating the electrical grid often cannot run encryption, anti-virus or other basic security tools. Given their distributed nature, these older systems are challenging to upgrade. Georgia Tech researchers created computer models of devices on the utility grid, watching the data that flowed in and out of the system, as well as the schematics and physical access to systems. Since it incorporates devices that have measurable physical qualities, this security approach will apply to IoT where devices have their own signatures too, says Beyah.
"The issue with IoT is the smaller devices are often embedded systems and it's really hard to add security to those because of resource constraints – no storage, no anti-virus. If you think of using 2G or 3G, if these devices are compromised -- and it's a given, since they don't have security -- now they can easily saturate these low-band links," says Beyah.
The Georgia Tech team tested its hypothesis -- which was partly supported by the National Science Foundation (NSF) -- at two electrical substations. The team has patented one technique, has another patent pending and is exploring ways to commercialize its work, Beyah says.
Plugged Into the Infrastructure
Researchers tested their approach at two electrical substations.
(Source: Fitrah Hamid, Georgia Tech)
Telecommunications service providers are target partners or customers given the industry's large, growing role in IoT, especially IoT security, he says.
"I would almost think of another product offering that's there to protect this home automation that they're providing -- home-automation monitoring, for example," says Beyah. "I would have another component that's actually there to secure IoT itself. That should be part of the solution itself. It should be part of every solution. I'm not one for regulation for the sake of regulation, but I do think pretty soon when we start thinking how loss of life could happen as a result of a couple of packets being sent from across the world, about these systems being pretty secure, it might be something where you need carriers to incentivize that. It's a slippery slope but I think we need a more concerted effort to make sure we secure the networks."
— Alison Diana, editor, The New IP. Follow her on Twitter @alisoncdiana or @The_New_IP.