I meet with customers around the globe in all sectors—banks with ATM networks, energy companies with critical infrastructure, natural resource companies with remote automated operations, healthcare organizations with medical devices, manufacturing companies with production environments—and they all have the same concerns. They want to leverage robotics and automation to grow their businesses and drive efficiency, but they are concerned about the potential for Internet of Things (IoT) based attacks, which is only exacerbated by the global scale of the cloud. It’s a good news/bad news problem for companies. Technology has provided them tools for automation at scale, and the cloud is an exceptional delivery vehicle to accelerate digital transformation and growth. Yet, there is a growing concern about security related to the sensors that are critical to this business acceleration.
While news has accelerated related to the proliferation of IoT devices and their impact on network and cloud infrastructures, artificial intelligence (AI) is also becoming a household word. Organizations are building powerful machine learning engines that analyze massive sets of data at global scale, and AI is increasingly used to augment machine learning to allow machines to learn for themselves and improve the capabilities of the machine learning engine. There has been much research on the topic of AI, and the industry is poised for rapid growth according to MIT and IDC. I encourage you to read the following two articles about their research:
In my last post in this series, I explained how AI will enhance the predictive capabilities of security information and event management solutions. I also wrote about how we will use AI to protect access. In this blog, I’ll provide insight into how the security community is working to secure IoT devices today, and how AI will enhance those efforts over time.
The IoT security challenge
Much of the noise and commentary about the proliferation of IoT devices and their impact on network and cloud infrastructures became a priority after the Mirai bot attack in 2016, with the realization that any device connected to the internet could be used to attack critical infrastructure and bring down major portions of the telecommunications, energy, and other systems we all rely on daily. The consumerization of IoT attacks was a tipping point for both consumers and organizations. While organizations were already on the path to securing their systems against IoT vulnerabilities, the pressure from the board and other non-security executives increased in tandem as understanding and awareness rose.
The business potential of IoT is incredible. However, as cybersecurity experts, there are several questions we must address:
- How do organizations secure their environments from the potential of an attack—unknown to them—from an IoT device?
- How do they authenticate what devices are attempting to access their environments?
- How do they understand the behavior of these devices while they are accessing the environment?
- How do they quarantine or update these devices to make them safer?
- How do they digitally transform and take advantage of robotics and modernization—rolling out systems at scale that do not have humans to manage them—without the ability to authenticate or monitor the devices that are embedded in these systems and understand their impact or security threat to their infrastructure?
With this framing, what are the answers? To provide that insight, we need to group IoT devices into two categories: legacy and new. Let’s start with new, as this is the easier problem to solve (at least as easy as any security problem is to solve). Today, there are new IoT devices in market, with security built in via the engineering process. A great example is Azure Sphere. IoT devices powered by Azure Sphere are built with a hardened chip that is embedded with a secure Linux OS. Our Azure IoT team is already conducting work that senses IoT devices. The ability to build in security as part of the manufacturing process of the new IoT devices will definitely assist the industry in the future but doesn’t solve the hardest problem: legacy IoT devices.
Legacy devices and IoT
Whether your legacy sensors are in manufacturing devices, medical equipment, offshore drilling rigs, the electrical grid, your ATMs, or thermostats in your home, there are known and valid concerns about the security of the devices. Now factor in malware or DDoS and the threat cannot be overstated. The attack surface is massive when you consider that there are at least nine billion IoT sensor devices joining the net every year. These devices are largely manufactured without security in mind, and oftentimes even the default password cannot be changed. Defense in depth is the answer here—as with most other things in security—and there are currently some solutions and future solutions that will improve the security posture of IoT devices entering an organization's on-premises network or cloud environment.
The traditional vulnerability management companies focus on scanning devices and network environments for vulnerabilities. Vulnerability management will continue to be a critical aspect of IoT security, as the devices can be identified, and a small set of data can potentially be gathered from them. However, the traditional vulnerability management companies were purpose-built for traditional systems, not for IoT device sensing, though they are developing capabilities to handle a more universal set of devices. This has created a market for CyberX and others that were formed to largely address IoT security—particularly in the OT space. These are real solutions that need serious consideration from the market as a defense in depth solution is built for IoT. It’s potentially an oversimplification to state that IoT devices are just another device that shouldn’t be inherently trusted, but if you take this approach, you will engineer an environment that improves your all-up device security—inclusive of IoT. This is the approach Microsoft is taking around Zero Trust. Read the first of our blog series on Zero Trust strategy to learn more.
The role of AI
In addition to scanning devices, architecting a Zero Trust network and building new solutions via Azure Sphere and secure hardware/hardened OS, there is a need to go further to protect environments built at global scale. This is where I believe AI has a strong use case.
Machine learning engines can be trained to identify devices based on their hardcoded attributes and behavior. AI can further refine these models by allowing sensing engines to autonomously learn over time what is normal behavior for these devices once they are actually on your network. These sophisticated engines are a brilliant resource to augment other controls that are already in place. Machine learning engines that are built to scale and augmented with AI can evolve and learn in real-time and have the capability to build models that can work in milliseconds, allowing a rules engine to block or quarantine devices that are not behaving as expected before they can potentially damage the environment. They can also work together to identify the devices via algorithms and behavioral modeling, regardless of whether they have seen the specific device previously. The behavior of classes of devices or the models that can be built based on device behavior is much more important than the specific device. As the AI models continue to learn, the specifics of a particular device become less important than the application or use case for the device.
Imagine a scenario where a healthcare organization has cardiology devices that provide anonymized information on overall patient health and outcomes from a particular surgical procedure. This device will be expected to provide a certain set of data in a certain taxonomy, like heart rate, blood pressure, blood oxygen count. This data is predictable for the device, and the way the device communicates with the reporting system, which is either cloud or network attached, is also predictable. It is thus very straightforward to understand whether the device is communicating as expected. If it is not, or the data is not in the expected format, a security organization can quickly isolate the device for further forensics to determine if it is somehow corrupted or if the device is simply malfunctioning, and then take the appropriate steps to either repair or replace the device.
Take this example further and imagine the same healthcare organization deploys a new class of cardiology devices—perhaps a new manufacturer or an updated device. The machine learning engine will have a “first” experience with the new device; however, it will have been trained to learn the normal communication and behavior of the legacy devices. Based on these learnings, the machine learning engine will already have expectations about how the new device communicates and behaves regardless of the fact the new device is actually unknown to the machine learning engine. AI will model the outcome of the expected behavior and can accelerate the device detection for new devices and new classes of devices because the AI engine is continually learning on its own and does not need human intervention to program. AI can also operate on global, cloud scale and provide information in near real-time so decisioning is in milliseconds, not moments. We have examples of this related to malware detection, which will be my next blog in this series. Also on my mind for an upcoming blog is how agents can be corrupted and how AI can quickly identify these corrupt agents and data itself as a new supply chain threat to AI/machine learning models. But more on that later.
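The class-level baseline described in the two paragraphs above, as an added example that is not from the original post or from any Microsoft product. A simple statistical band stands in for the machine learning engine, and the device names, the `reports.example.internal` endpoint and all telemetry values are constructed assumptions.

```python
from statistics import mean, stdev

FIELDS = ("heart_rate", "blood_pressure", "blood_oxygen")

def rec(dev, interval, dest, hr, bp, spo2):
    return {"device": dev, "interval": interval, "dest": dest,
            "payload": dict(zip(FIELDS, (hr, bp, spo2)))}

# Constructed telemetry (not real data); all names here are hypothetical.
LEGACY = [
    rec("legacy-1", 60, "reports.example.internal", 72, 118, 98),
    rec("legacy-1", 61, "reports.example.internal", 80, 125, 97),
    rec("legacy-2", 59, "reports.example.internal", 65, 110, 99),
    rec("legacy-2", 60, "reports.example.internal", 90, 135, 96),
    rec("legacy-3", 62, "reports.example.internal", 58, 105, 98),
]
NEW_OK = rec("new-vendor-9", 60, "reports.example.internal", 75, 120, 97)
NEW_BAD = rec("new-vendor-7", 2, "203.0.113.7", 75, 120, 97)

def learn_class_baseline(records, k=4.0):
    """Summarise normal behaviour for the device class, not per device."""
    def band(values):
        m, s = mean(values), stdev(values)
        return (m - k * s, m + k * s)
    return {
        "fields": set(records[0]["payload"]),
        "dests": {r["dest"] for r in records},
        "interval": band([r["interval"] for r in records]),
        "values": {f: band([r["payload"][f] for r in records]) for f in FIELDS},
    }

def deviations(baseline, r):
    """List the ways one report departs from the class baseline."""
    out = []
    if set(r["payload"]) != baseline["fields"]:
        out.append("unexpected payload taxonomy")
    if r["dest"] not in baseline["dests"]:
        out.append("unexpected destination")
    lo, hi = baseline["interval"]
    if not lo <= r["interval"] <= hi:
        out.append("unexpected reporting interval")
    for f, (lo, hi) in baseline["values"].items():
        v = r["payload"].get(f)
        if isinstance(v, (int, float)) and not lo <= v <= hi:
            out.append(f"{f} out of range")
    return out

def decide(baseline, r):
    # Rules-engine verdict; the device identity is never consulted.
    return "quarantine" if deviations(baseline, r) else "allow"
```

Because `decide` looks only at behaviour, the previously unseen `new-vendor-9` is allowed on its first report, while `new-vendor-7` is quarantined for its destination and reporting interval.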
As I continue to think about use cases for AI that are applicable today and can assist us in solving the largest and most complex security problems, the ability to detect IoT devices based on both their identity and behavior is absolutely a place where there is an opportunity for high value industry impact. This includes what I believe is the most interesting and potentially vulnerable piece of this equation: the “data supply chain,” where introducing corrupt data sets into a machine learning/AI model can corrupt the output and deliberately weaken AI/machine learning as a security tool. Learn more about how Microsoft is securing the future of AI and machine learning in this new white paper.
As we learn more about these devices and as organizations increase their use of robotic process automation and IoT sensors for multiple applications, we can increase the overall confidence and ability for organizations to modernize and accelerate their transformation. Given the proliferation of IoT devices, this is one of the core scenarios security professionals must provide solutions for now and in the very near future.