The Limit Does Not Exist: Why Defending the Perimeter Is Not Feasible in the IoT

Perimeter defense technologies can help in blocking external attacks, but often fail to prevent attacks by inside devices or apps.
Published: November 1, 2017

Information technology (IT) teams of the past had a fixed, almost rigid approach toward enterprise security. Organizations focused on a perimeter network security approach, which allowed only a fixed set of machines and devices to operate, only trusted enterprise apps to run and only business tasks to be accomplished. Then came the “cloud era,” which forced enterprise IT teams to abandon this rote security model to make provisions for a multitude of devices (read: BYOD) and digital apps.

Before they could fully draw a foolproof plan to counter this rise, however, the phenomenon known as the Internet of Things (IoT) emerged, which ensured the existence of a perimeter-less world. The IoT has enabled almost any device to turn digital, which means that users can connect to enterprise networks using even their home refrigerators, making them more vulnerable to data breaches than ever before. Since IoT perimeters can be infinite, having perimeter defense technologies like firewalls, intrusion detection systems (IDS), application proxies and VPN servers may not be enough. These methods can help in blocking external attacks but often fail to prevent attacks by inside devices or apps.

Perimeter Security: Key Features
In cybersecurity, the perimeter is a security barrier that defines a trust boundary within which digital assets are stored. There are three implicit constituent concepts:

Trust: The general rule of thumb is that components and logic within the perimeter are trusted, whereas everything external, such as clients, are not. Trust is one’s innate belief that the components, users, etc., will exhibit predictable behavior and collaborate according to mutually agreed law or policy governing the use of assets.

Asset: The perimeter protects digital assets from untrustworthy actors. The general rule of thumb is to store them on centralized secure databases and enforce strict access control. In an information system, the assets are generally information that is either directly generated by users through interactions or by the system as part of business process logic.

Security Barrier: The perimeter is protected by security controls, such as authentication (Password, SAML 2.0, SRP, TLS, etc.), authorization (RBAC, ABAC, DRM, etc.), firewalls, intrusion detection, SIEM, and so forth. These controls are identified by performing an information risk analysis that determines the likelihood of an attack and its impact with respect to an asset’s business value. The likelihood analysis is generally an assessment of vulnerabilities and threats against the assets by predicting attack scenarios. Most of these controls either use whitelisting or blacklisting algorithms to detect malicious access. This is possible because the system defines what input and output information it expects.

Thus, perimeter defense identifies the zone of trust to store the asset, which can be protected through security controls to defend against identified threats. In other words, as the number of unknown vulnerabilities and threats increases, the perimeter strength decreases. Perimeter defense techniques and methodology have served us well up until now, but we find them inadequate in IoT systems.

Unbounded Vulnerabilities
Even a simple IoT system is more complex than a complicated closed cyber system, because:
• It is composed of a number of different and diverse components (software and hardware).
• It is an open system—it can affect the physical environment and be affected by it.
• It consists of multiple feedback loops, e.g. reflexive and deliberative control.
• Most importantly, it exhibits an emergent systemic behavior, which is not an aggregation of the behavior of its constituents.

Security is a negative goal—we design and test for things we don’t want to happen. This, however, is a logically impossible task since we don’t know how much we don’t know. When such test coverage is insufficient, the system will have unknown vulnerabilities. An increase in complexity means more unknown vulnerabilities. As the IoT system complexity is unraveled, its vulnerability is also impacted. This means that the perimeter is harder to defend with preventive security controls.

Unbounded Information
Virtually all the information contained in the physical world can be converted to digital information through the use of the IoT. Now, a perimeter can be built on the IoT cloud: edge- and cloud-based assets can be protected through perimeter defense. However, this perimeter is rendered ineffective, as an IoT system is not a control-driven computing system, but rather a data-driven computing system. Thus, data is active information that causes critical state changes—in other words, the digital representation of physical information.

Therefore, such data can become infected, as the information is not bounded. This can be done even if the edge is secured in such a way that it is undetectable at the perimeter firewall. For example, an IoT system which controls an air-conditioning unit in an art museum can be subverted by manipulating the physical temperature around the critical sensors. This type of manipulated data can only be detected by analyzing the emergent behavior and state of the system. For this, we require prospective deliberation, which evaluates possible outcomes with respect to current system-wide state before an action is taken.

In other words, even if we define the perimeter around the cloud, we cannot trust the behavior of components within the perimeter because they are vulnerable to infected data, which may be impossible to detect at the perimeter. This means we cannot use perimeter defense to protect an IoT system. The only way we can secure such a system using current techniques is to encrypt everything using TLS or similar protocols, authenticate everything using crypto keys and validate every transaction.

Security for the IoT-Driven World
According to most security experts, an IoT system requires immunity and not perimeter security. Our human immune system is the best example of such a system, which trusts neither anything that enters the body through air, water, food, etc., nor anything within the body. If we learn from it, we find that we can develop a robust security solution based on four principles:
• Trust nothing.
• Auto-monitor every transaction according to governing policy.
• Ensure that every component in the system shares common goals and is fully committed to achieving them within governing policy.
• Decouple security functionality into a specialized subsystem, rather than spreading this out to every component in the system.

We have found that it is feasible to build a distributed security system, using generic, trustless transactional platforms, such as distributed ledger technology combined with multi-agent reasoning.

As Albert Einstein famously said, “Once we accept our limits, we go beyond them.” We have to accept the limits of perimeter defense and accept that IoT security requires new thinking. Once we do that, we will see new opportunities and means to meet new challenges.

Chirag Pathak is the senior solution architect at Mobiliya. He is responsible for developing architecture for solutions in the domains of security, the IoT, enterprise cloud services, augmented reality and cloud-based additive manufacturing. Chirag has more than 20 years of experience in embedded systems, telecommunication systems and software engineering. His research activities involve multi-agent systems using blockchain and artificial intelligence for managing IoT systems.