Jon Geater, Chief Technology Officer at Thales e-Security, shares his expertise on Internet of Things (IoT) security at city-wide scale and on how it integrates with the digital world
One major impediment to the creation of smart cities is the lack of trustworthy communication between devices. The vast technical challenges and the high cost of interoperability between the many makers and operators of internet-enabled devices are putting a brake on our digital society. Blockchain and smart contracts technology have the potential to unpick much of this Gordian Knot.
In these times of heightened tensions and tales of fake news dominating the popular headlines, Russia might be an unexpected place from which to draw inspiration for the security of our future smart cities and connected infrastructure. But there’s an old Russian proverb that is already well known to us as a model for ensuring national security interests. It’s Доверяй, но проверяй: “Trust, but verify”.
Most famously used by Ronald Reagan during the nuclear debates of the 1980s, this phrase has enjoyed popularity in any number of fields of society and politics since, most recently being adopted (and variously adapted and immortalised in t-shirt form) by the bitcoin and blockchain communities.
To see why this philosophy is important to guide our future connected infrastructure designs, one needs to look to the recent past for examples of where things have gone wrong. Possibly the simplest example, and a favourite of the cyber-physical security community, is Stuxnet. Pulling off Stuxnet was incredibly sophisticated; there is no question about it. Stealing the signing keys that were essential to the attack wasn’t quite as easy as simply ‘finding them under the mat’. But still, once inside, the Stuxnet code was trusted to do whatever it wanted.
Because the code was signed, the Siemens PLCs simply accepted it, and because the Siemens PLC issued the instructions, the centrifuges simply followed them. Then, because the feedback systems said everything was okay, the safety infrastructure simply believed it.
Again, Stuxnet wasn’t quite that simple but it does teach a clear lesson about the way we should build secure industrial systems. Blind faith in central authorities and once-trusted certificates is very fragile. To see why, we can take another very familiar example: Transport Layer Security (TLS), the technology behind the ‘browser padlock’.
There is little wrong with TLS in principle. The idea of extending trust by having someone you know introduce you to someone you don’t know makes sound logical sense, and after all, TLS on the internet does work. But the problems begin when the concept is stretched too far. Browser TLS essentially has just one job to do: to ensure that the information you exchange with a website is only going to, or coming from, that intended site.
Even with such a limited mission, we have problems in any number of dimensions of scale: a proliferation of certificate authorities with different areas of focus or qualities of Know Your Customer (KYC) processes; ill-advised reuse of this ‘almost right’ technology for adjacent use cases that are just a bit too different from websites to really work; a vast array of options that are theoretically strong but lead to insecure defaults and lazy configurations; and a trust model that more-or-less assumes that one end of the communication is significantly more trusted than the other, with an all-knowing central authority that is more powerful still and where a compromise is catastrophic for everyone. The result is a ‘weakest link’ problem where an attacker only needs to find one way in to be all in. They are trusted, but not very well verified.
To counter these problems, some early entrants to the IoT space have had a rather extreme reaction, locking things down into end-to-end walled gardens where everything is fully under central and vertical control, from the agent on the ‘thing’ to the servers in the cloud, all under the control of a single operator. Nice though it is to have end-to-end, chip-to-cloud security locked into devices, there’s a clear interoperability problem looming, which leads inexorably to a brake on progress in deploying city-scale IoT.
And then there’s maintenance. Deploying a system is one thing, but once it is in place how do we manage it? How do we keep the system patched and up-to-date and trustworthy within city budgets and capabilities? How do we monitor and enforce good practice in software-defined civil infrastructure to keep ourselves safe while enjoying the benefits of connected living? It’s all very well deploying a device that was built secure in the factory with strong control systems and a nice reliable digital birth certificate. That part is essential. But from the second it’s out in the field, trust in that device begins to degrade as software gets out of date and attacks start to mount. After a year in the field, can you really trust what that ‘thing’ is telling you? Or what it’s telling the power grid to do? Or a convoy of vehicles? Again, blind trust in a device that was trustworthy once is not good enough: it needs constant verification.
We need a way to make trust in things cheaper and easier than it is in today’s all-PKI or fragmented walled garden approaches. We need an architecture that enables a wide variety of devices to connect and communicate and trust what they’re telling each other to do. We need an architecture that enables device makers, owners and operators to see what’s going on and react rapidly to threats and maintenance issues before they become a problem. We need security services and city officials to be able to see this happening and to verify that companies are operating within the bounds of best practice.
Enterprise blockchain offers an answer to this by knocking out some of the crucial features of internet security that are so threatening to IoT. Just like in TLS, the security of cryptographic keys and the quality of digital identity technology are vitally important, but unlike TLS, most of the responsibility for that security is explicitly pushed to the edges of the network, closer to the real risk owner and to the knowledge of the use case and spreading the risks of compromise.
Just like the normal internet, we need back-end servers and databases that hold and process and protect most of the long-term data but unlike current cloud-borne systems, everyone gets a verifiable record of the interactions that have taken place. And just like the alternatives, the ultimate power of any IoT system lies in the size and diversity of the ecosystem that supports it and here the low costs and low friction of joining a blockchain network again provide an advantage, especially when it comes to attracting smaller players to the club.
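The ‘trust, but verify’ loop argued for above, as an added illustration that is not code from the article or from Thales: each device gets a key at ‘birth’, every report it makes is signed and appended to a hash-chained record that any party can re-check, and a report is only acted on if its identity, signature, freshness and firmware currency all hold. The registry contents are constructed, and HMAC with a shared per-device key stands in (an assumption made for a stdlib-only example) for the asymmetric signature a real birth certificate would carry.

```python
import hashlib
import hmac
import json

# Constructed registry: device id -> key issued at manufacture and the firmware the
# operator currently expects. Real deployments would hold a public key here, not a secret.
REGISTRY = {
    "lamp-0001": {"key": b"birth-key-0001", "firmware": "2.1"},
    "meter-0042": {"key": b"birth-key-0042", "firmware": "1.4"},
}
MAX_AGE = 3600  # seconds after which an attestation is treated as stale
GENESIS = "0" * 64


def canonical(obj):
    """Deterministic serialisation so signatures and hashes are reproducible."""
    return json.dumps(obj, sort_keys=True).encode()


def sign(dev, payload):
    """Device-side: sign a status report with the key registered at birth."""
    return hmac.new(REGISTRY[dev]["key"], canonical(payload), "sha256").hexdigest()


class Ledger:
    """Append-only, hash-chained record of device reports that anyone can re-verify."""

    def __init__(self):
        self.entries = []

    def append(self, dev, payload, sig):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"dev": dev, "payload": payload, "sig": sig, "prev": prev}
        body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append(body)

    def chain_ok(self):
        """Recompute every link; any edited entry breaks the chain from that point."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def verify(entry, now):
    """Verifier-side policy: a once-trusted device is re-checked on every report."""
    dev, p = entry["dev"], entry["payload"]
    if dev not in REGISTRY:
        return "unknown device"
    if not hmac.compare_digest(sign(dev, p), entry["sig"]):
        return "bad signature"
    if now - p["ts"] > MAX_AGE:
        return "stale attestation"
    if p["firmware"] != REGISTRY[dev]["firmware"]:
        return "outdated firmware"
    return "ok"
```

A report that was perfectly valid a year ago fails the freshness or firmware check today, which is the point: the device’s birth certificate gets it into the record, but only current verification gets its instructions acted upon.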
We cannot let the security of the internet become the security of the IoT. By combining the best historic lessons of strong cryptography and identity management with new models of low-friction access and communications brokerage, blockchain offers an answer for trustworthy, verified, connected cities.