Making edge computing safe means applying sound security principles to the unique edge environment.
The problem of edge security isn’t unique – many of the issues being dealt with are the same ones that have been facing the general IT sector for decades.
But the edge adds its own wrinkles to those problems, making them, in many cases, more difficult to address. Yet, by applying basic information security precautions, most edge deployments can be substantially safer.
The most common IoT vulnerability occurs because many sensors and edge computing devices are running some kind of built-in web server to allow for remote access and management. This is an issue because many end-users don’t – or, in some cases, can’t – change default login and password information, nor are they able to seal them off from the Internet at large. There are dedicated gray-market search sites out there to help bad actors find these unsecured web servers, and they can even be found with a little creative Googling, although Joan Pepin, CISO at security and authentication vendor Auth0, said that the search giant has taken steps recently to make that process more difficult.
“There’s definitely a market opportunity for a company to do better at the device management level, not having thousands of little web servers with the default username and password,” she said.
One issue with solving that problem is the heterogeneous nature of the IIoT and edge computing worlds – any given deployment might use one company’s silicon, running in another company’s boxes, which are running another company’s software, connecting to several other companies’ sensors. Full-stack solutions – which would include edge devices, sensors, and all the various types of software and connectivity solutions required – are not common.
“Given existing platforms, there’s a lot of viable attack vectors and increased exposure of both the endpoint and the edge devices,” said Yaniv Karta, CTO of app security and penetration-testing vendor SEWORKS.
Worse, some of the methods currently used to secure all or part of an edge deployment can increase the exposure of the IoT network. VPNs, used to secure traffic while in transit, can be vulnerable to man-in-the-middle attacks under certain circumstances. Older industrial protocols like CANbus simply weren’t designed to protect against modern infosec threats, and even LP-WAN protocols used to connect sensors to the edge can be vulnerable if encryption keys are compromised.
The industry currently considers this fragmentation something of an advantage, said Karta, mostly from a flexibility standpoint. The ability to use equipment and software from a wide array of different vendors without too much difficulty in tying those systems together is attractive to some customers. The fact that companies generally have to use a middleware layer of some type to tie all the disparate elements of their deployments together, however, makes for yet another attack surface.
What’s to be done?
It’s not rocket science, according to Pepin. Most of the same fundamental principles that apply to securing cloud or data center or userland environments apply to the edge as well.
“For example, you should not be running any unnecessary services on your devices, whether that’s a server, a laptop, an IoT device.” She joked that the industrial IoT, in a way, is a dream situation for IT pros – potentially hundreds of thousands of endpoints, but no users at the end of them to mess things up.
Tortuga Logic CEO Jason Oberg agreed that better fundamentals are needed to help secure the edge, as well as authentication and encryption for the code that edge devices are running. One way to promote better security will be new industry standards.
“I think there will be some working groups around best practices,” he said. “I do think there will be a large initiative to build security into the hardware, and that’s already happening, because I think people realize it’s a heavily hardware/software-driven issue.”
End-to-end encryption is another technique that could prove useful against edge attackers, argued Pepin. While there’s a performance cost to encryption, there are standards and software out there that are designed to make that cost a minimal one, even on smaller and less capable devices.
“If all these devices are encrypting data over the wire … everything is running over secure protocols like TLS, and you’re not running random listening ports and whatnot, it’s the same security model,” she said, also citing the Blowfish cipher as well-suited for edge and IIoT deployments. “If [a smartphone], which fits easily in my hand, can do that type of encryption and not impact my user experience, then, certainly, an IoT device can perform the same types of encryption and not affect the user experience.”
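The three basics the article keeps returning to (no unchanged default credentials, no unnecessary listening services, and management interfaces not exposed to the whole network) can be turned into a simple device posture check. The script below is an added example written for this page, not code from any vendor quoted here; the device record, its port allowlist, the `default_creds_changed` provisioning flag and the `ss -Hltn`-style socket table are all constructed samples.

```python
"""Posture audit for one edge/IIoT device, as an added example for this page.
Flags: default credentials still in place, listeners not on the device's
allowlist, and management services bound to every interface instead of the
management network. Inputs below are constructed, not captured from a real box."""
from dataclasses import dataclass, field
from typing import Iterator, List, Set, Tuple

# Constructed `ss -Hltn`-style output from a hypothetical edge gateway.
SOCKET_TABLE = """\
LISTEN 0 128  0.0.0.0:80      0.0.0.0:*
LISTEN 0 128  0.0.0.0:23      0.0.0.0:*
LISTEN 0 4096 10.20.0.5:8883  0.0.0.0:*
LISTEN 0 128  [::]:22         [::]:*
"""

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}   # "listen on everything" bindings
MGMT_PORTS = {22, 80, 443}                  # remote-management services


@dataclass
class Device:
    name: str
    mgmt_addr: str                 # address of the management-network interface
    default_creds_changed: bool    # assumed provisioning flag, not a real API
    allowed_ports: Set[int] = field(default_factory=set)


def parse_listeners(table: str) -> Iterator[Tuple[str, int]]:
    """Yield (local_address, port) for each LISTEN row of `ss -Hltn` output."""
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 brackets intact
        yield addr, int(port)


def audit(device: Device, table: str) -> List[str]:
    """Return one finding per violated principle; an empty list means clean."""
    findings = []
    if not device.default_creds_changed:
        findings.append(f"{device.name}: default credentials still in place")
    for addr, port in parse_listeners(table):
        if port not in device.allowed_ports:
            findings.append(f"{device.name}: unexpected service listening on {addr}:{port}")
        elif port in MGMT_PORTS and addr in WILDCARD_ADDRS:
            findings.append(f"{device.name}: management port {port} bound to all interfaces")
    return findings


if __name__ == "__main__":
    gw = Device("gw-01", "10.20.0.5", False, {22, 443, 8883})
    for finding in audit(gw, SOCKET_TABLE):
        print(finding)
```

On the constructed gateway this reports the unchanged default credentials, cleartext HTTP on port 80 and Telnet on port 23 as unexpected services, and SSH bound to every interface, while the TLS MQTT listener pinned to the management address passes.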
This article originally appeared on NetworkWorld.