According to Professor Dr Mesut Güne, Otto von Guericke University Magdeburg, Germany, the way to secure the Internet of Things is to allow the self-organising migration of services away from a central cloud alone and into local infrastructure ecosystems where they can act independently.
The news from the Magdeburg university suggests that such a local server infrastructure, which could be as granular so as to operate on the computer of the individual user or within a large enterprise, would guarantee full sovereignty over proprietary data. Dr Gune says that "smart devices can then operate with one another independently of the cloud and therefore work autonomously and fault-tolerantly; due to the lack of need to share all data with the cloud, traffic and reaction time are reduced."
The DoRIoT project, funded by the German Federal Ministry of Education and Research to the tune of two million Euros, is based upon the RIOT open source operating system and promises to provide the IoT industry with the tools and concepts it needs to exploit the opportunities of IoT networking while at the same time controlling the risks.
"This means the development of a technology that enables statutory regulations and industry standards on data security, reliability and privacy to be implemented in the Internet of Things," the news release insists. Arguing that previous systems of access control were either centralised, and thus became bottlenecks, or not flexible enough to cope with the dynamism of the access authorisations, the DoRIot project intends to bridge the gap by developing concepts that allow for transparent access to the data.
"For the application it should make no difference whether the specific information requirement is answered by a server or an IoT node," says project partner, Professor Sebastian Zug.
So can a self-organising migration of services such as automation, data management and business logic into a local infrastructure ecosystem which can operate independently of a central cloud while, importantly, guaranteeing full data sovereignty actually work and save the Internet of Things from itself? SC Media UK asked the wider information security industry what it thought.
Ian Thornton-Trump, head of cyber-security at AMTrust International, told SC Media UK that he thinks it will never happen. "The whole economic model of IoT on a mass scale is about the aggregation of that data and the insights ML/AI can make into that data," Thornton-Trump insists, adding "the economic model of IoT is collective and not segregated and needs to be coupled together to be useful."
Sean Wright, the OWASP Scotland chapter leader, agrees that "companies are moving away from segmented networks to more public networks such as the cloud or concepts such as zero trust or beyond corp," as ultimately the data needs to end up at a central server to be processed and possibly stored. "Think of it this way," Thornton-Trump says: "a single IoT flood detector telling me I am flooded does not help a city fight a massive river flooding it’s banks."
Meanwhile, Nilanjan Samajdar, principal cyber-security systems engineer for Altran, thinks the concept of using a decentralised compute network sounds appealing and does make sense. "That's because distributed infrastructure is less susceptible to targeted attacks," says Samajdar. He says a "service-mesh" created by independent devices requires a higher amount of inter-device authorisation, but there are two key problems that still need to be addressed. "the distribution on authorisation information on items like keys and certificates, and the availability and redundancy of the control-plane nodes which coordinate and direct service requests is also a challenge."
Boris Cipot, a senior security engineer at Synopsys, also reckons it's a workable solution nut concedes it will be interesting to see what the drawbacks are of fetching the data directly and not from a central point. "When 1-1 communication would be needed it would work nicely," Cipot points out "but the question is how a 1-n or even n-n would work practically?" Taking the example of old IoT devices, Cipot questions what data they hold or share, is it a light switch or a door lock, do I use an assistant like Amazon Echo or Google? "Here, we need to be careful already where I store the data, how I scatter it, assuring that no node has the complete information at once and so on," he concludes "if I fail to do this then I have again a possible privacy problem, not on a central storage point but scattered in the whole network."
While decentralising and distributing is an inherently good thing as it supports data sovereignty restrictions and can provide good protection for credentials, Kevin McKeogh, director product management at nCipher Security, points out that "what these solutions will rely on is global standards to govern the infrastructure and protocols that enable the systems to communicate, share data and authenticate." These standards would need to be open, controlled and maintained by an appropriate body that is open to scrutiny, he concludes.
I'll leave the last word to Jake Moore, cyber-security specialist at ESET who thinks it might just give IoT a security facelift "albeit possibly a little late to the party." Although local infrastructure sounds like it’s an old-fashioned idea, Moore insists that by addressing the past and the original core of how the Internet used to work so, "in theory and with the right intentions behind it, it does sound like it could work..."