
IoT Security is the Heart of the Matter

The Internet Society is raising awareness around the issues and challenges with Internet of Things (IoT) devices, and the OTA IoT Trust Framework is promoting best practices in protection of user security and privacy. The importance of this was brought home with the keynote talk at the recent TNC18 Conference, which was given by Marie Moe (SINTEF) who related her experiences with her network-connected heart pacemaker.

Marie is a security researcher (who also formerly worked for NorCERT, the Norwegian National Cybersecurity Centre) who has an implanted pacemaker to monitor and control her heart, and has used the opportunity to investigate the firmware and security issues that have had detrimental and potentially fatal consequences. Quite aside from uncovering misconfigurations that required tweaking (e.g. the maximum heartbeat setting turned out to be set too low for a younger person), and an adverse event that required a firmware upgrade, she was even more concerned to discover that little consideration had gone into the authentication and access aspects that might allow an attacker to take control of the device.

These devices allow their recipients to lead normal lives, and of course being network-connectable has many practical advantages in terms of monitoring and non-intrusive configuration and firmware updates. However, the medical companies who develop them do not necessarily consider the security implications of this type of very personal critical infrastructure, which is why initiatives such as the OTA IoT Trust Framework are important for raising awareness of the need for good security practices, whilst encouraging vendors to take user security seriously and put it at the forefront of their development processes.

This interesting and inspiring talk can be found at https://tnc18.geant.org/core/presentation/184, and we thank Marie for giving us permission to amplify the issues raised in her talk.


ISOC has goals at TNC18

This week is TNC18, the largest European research and education networking conference, which is being held at the Lerkendal Stadium in Trondheim, Norway – the home of current Norwegian Football Champions Rosenborg BK. Of course we’re actually in a conference centre underneath one of the grandstands and not on the pitch, but this is still a premier event that brings together managers, network engineers, and researchers from R&E networks in Europe and the rest of the world.

The Internet Society is not only one of the conference sponsors, but has a significant role in the programme as well. Our colleague Karen O’Donoghue spoke on Monday about NRENs and IoT Security in the ‘What’s Coming Next In Privacy Innovation’ session, where she discussed the security and privacy challenges of burgeoning numbers of IoT devices and how these will impact R&E communities. ISOC is encouraging the development of best practices through the Online Trust Alliance’s IoT Security & Privacy Trust Framework, and this is a good opportunity to discuss how the NREN community can take the lead in adopting good operational practice.

Karen will also be talking about Time and Security during the ‘Security’ session on Tuesday. Time synchronisation is critical for many Internet applications, and for many years NTP has worked fine without any real consideration for security. However, in recent years there have been an increasing number of attacks on the time synchronisation system in order to create disruption and cause damage, so there has been ongoing work in both the IETF and IEEE to secure the NTP and PTP protocols.

Our other colleague Steve Olshansky will be presenting on Blockchain and Digital Identity during the lightning talks session on Tuesday. He’ll be discussing whether Blockchain can be used for identity and access management, and what the implications are for user privacy and control over their identity.

I was organising the GLIF session on Monday too, which focused on recent developments in the global lightpath space that are used to support large-scale high-bandwidth research applications such as the Square Kilometre Array and Global Research Platform. In particular, networks are increasingly becoming software driven as more services move into the cloud, and whilst this hides the complexity from users, it makes managing networks more complex and requires more sophisticated measurement and monitoring. R&E networks cannot continue to justify higher bandwidth networks on a handful of big data research projects alone, and need to ensure good access to compute and storage clusters for the smaller research projects as well.

In addition, we’re raising awareness of routing security issues by providing some MANRS information in the conference poster session, as well as having some prominent ‘advertising’ around the venue. By offering four simple but concrete actions – namely filtering, anti-spoofing, improved coordination and global validation – network operators can collectively improve the security and reliability of the Internet.

If you’re unable to make it to TNC18 in person, the sessions are being both streamed and recorded.