The Role of System Updates in IoT
In the brave new world that the Internet of things (IoT) is shaping, operational technology (OT) and information technology (IT) are quickly converging. Up until now, IT was seen as defining a restricted range of technologies pertaining to information processing, mainly generating and communicating data. OT was the domain of machinery, mainly physical equipment that was doing the heavy lifting on the factory floor. OT and IT are more often managed as a single “platform” in all innovative plans, and that doesn’t come without the challenges of filling in the gaps of making them work smart together.
Let’s start from deep inside the OT domain. In the past, embedded devices rarely supported the ability to install system updates or patches. When the devices were the ”deploy and forget” kind of devices, this was arguably the right strategy. But when those devices started being connected to the internet, it led to a huge IT domain problem: when defects and vulnerabilities are found, fixes cannot be applied in an efficient and cost-effective way. And the ease of getting to those devices over the internet means that they’re available to be used as DDoS slaves and potentially more serious misuse.
Replacing all equipment is not an option either. In fact the majority of the manufacturers are trying to ride the wave of smart devices by leveraging what they already have, retrofitting and upgrading the operating systems on existing devices. Let’s not forget that some of those devices were intended to be used for many years or decades. And replacing them just wasn’t an expense that was anticipated.
Consider the smart power meters that were hacked a few years ago. The hack allowed consumers to reduce their electric bills, in some cases to almost nothing. The power company has two choices: replace the vulnerable meters and take a huge, unbudgeted, one-time expense to do so, or keep them in service and take an unmeasured loss every billing cycle for the foreseeable future.
The answer to all these headaches are system updates. Having an operating system with the capacity of being updated easily when vulnerabilities are discovered by the device owners means that a patch can be deployed to close the vulnerability. System update capability might give the power companies a third choice, which might be cheaper than either of the choices that the power company faced. However, as with so many things in life, it isn’t really that simple.
Time is never on your side, especially if you are part of this connected world. The device owners are unlikely to find the vulnerability first, so many of the devices will already be compromised by the time that a system update is ready. And depending on the details of the vulnerability, the compromise might include the ability to prevent subsequent system updates.
So a good order of security feature priority is:
1) Secure Boot, including measurements at system runtime
2) System Update, using secure transfers and secure installation
3) Intrusion Detection and Network Intrusion Detection
With Secure Boot, there is a possibility that the system might be protected against attacks that prevent subsequent system updates. Without it, the updates might not be installed, or they might be installed only after having additional back doors installed in the new images.
Then, if the system image is being measured, then system update is the second security feature to include. With Secure Boot and System Updates, additional security features can be added later.
Now, remember the maxim that every computer system can be compromised by a sufficiently knowledgeable and dedicated attacker. So the third priority is to include the means to detect whether the system has been compromised. But that and other security features will be the subject of future blog posts. In the meantime, take a look at a whitepaper that talks more about zero-day vulnerabilities.