PODCAST NOTES: (This premium content first appeared in the Sept. 10 issue of Inside Security.)
Every Thursday, I summarize a podcast about cybersecurity so you can read it in about five minutes or less. This week features Jack Ogawa, with AWS and formerly with Cypress Semiconductor, who spoke with Brian Santo of the EETimes On Air podcast (#85) about Internet of Things (IoT) security. [Note: Questions and answers were edited for brevity and clarity.]
Brian Santo: Tell me what the security situation is with the IoT today.
Jack Ogawa responded that organizations are coming forward with the intent to secure and protect end-user privacy. In the U.S., California led the way with their Senate Bill 327 that protects end-user privacy. Europe has GDPR as a higher level guiding principle on how to handle user data, but Europe is looking at more specific IoT-oriented legislation. So far, there hasn't been much activity out of Japan or China, but at some point, they are likely to follow suit and address that as well.
Santo: So when you say “data privacy,” are you also including issues that are involved with data security?
Ogawa said that privacy is about access to data. That is foundational to the concept of privacy. When you think about that from an IoT perspective, a connected washing machine doesn’t have its own identity. So the critical element of enabling an IoT device is deciding what kind of data it can or can’t access.
IoT security will be the marriage of authenticating a user, conferring proper privileges on the user, identifying an actual device, and then conferring similar privileges on that device in terms of data access.
Santo: I scanned the NIST document talking about IoT security. I noticed that they seemed to be fairly good at identifying what they mean by security and leaving it up to the people who make the devices to implement security measures. Is that a reasonable evaluation of what’s going on?
Ogawa agreed that NIST and others are trying to focus on end results rather than how to achieve those end results. He said the NIST document is robust in terms of that orientation. They talk about the concept of risk mitigation areas and device capabilities, rather than prescribing security measures.
The legislation and NIST guidance are trying to focus on device identification in the context of device configuration, making sure that the integrity of the device has been maintained. In addition, they focus on data protection, such as encryption and how to protect data both sitting in the device as well as being transmitted over a network. In addition, they look at logical access to interfaces, such as preventing somebody remotely from coming into hardware and modifying its capabilities or its functionality. As the state of the art evolves, they want to make sure that these devices can be updated with the latest security patches.
Santo: How much coverage can you provide when your chips have to work in the context of a product and system, and those systems have to work in a network?
Ogawa said there are two contexts. There’s a technical dimension. There are many different ways to achieve a given end result that might be proposed by a piece of legislation or an industry standard. In that regard, it’s not about the technical superiority of one solution over another. If you’re able to protect the data, you’ve accomplished the goal.
So the real question is about the cost of ownership of a solution. Encryption is a well-known technology. It’s been around forever. In fact, you can look at payment transactions today as the epitome of a secure system.
When you look at payments, the deployment of that technology is framed around the cost of ownership. How much does it cost to put a smart chip into a credit card? What capabilities are in a payment terminal that are commensurate with the risk of that transaction? A company could spend millions of dollars making that little swipe terminal at a store very secure, but at the end of the day, maybe you are protecting maybe $100 worth of transactions. There’s a business frame around how much security you really want to implement.
Bringing that over into IoT, the legislation that we were talking about earlier actually is triggering an interesting dynamic within companies. It’s not a technology-driven conversation per se. Their lawyers are coming to them saying, in order to achieve compliance in California, we need to do these things, and they need to be defensible--not from the standpoint of, is it absolutely secure, but if somebody brings a lawsuit against us in California, is it defensible relative to the law that’s been enacted there.
FOR ACCESS TO MY PODCAST NOTES EVERY WEEK, PLEASE SUBSCRIBER TO OUR PREMIUM CONTENT BY CLICKING HERE!