Anik Bose and Eric Buatois (General Partners at BGV) share their perspective on securing the Internet of Things.
We believe that the intersection of IoT and security will present a profound opportunity for technology innovation and for venture-backed start-ups to create value.
This belief is based on several factors. First, the attack surface presented by the IoT is immense. It is created by the billions of connected devices and by the IoT's need for Cloning of Things (for example, two cloned devices can still be associated and work together), which opens up backdoors for all kinds of illegal activity. Furthermore, the IoT opens up opportunities for malicious substitution of things, eavesdropping attacks, man-in-the-middle attacks, firmware replacement attacks and extraction of security parameters, to name a few specific threats. We also know from experience that endpoints tend to be weak in dealing with security, and that IoT devices have constrained resources, which makes implementing security at the device level challenging. As a consequence, the economic cost of breaches could be staggering.
Securing the IoT presents a unique set of policy challenges, since the data and information generated by various IoT applications will be extremely sensitive. Who owns it? How can it be shared? Does it belong to the supplier or the customers? Can the data cross international boundaries (e.g. critical energy grids)? Policies, which do not exist today, will have to be defined, put in place and enforced. As an example, will data have to be encrypted to move from one data center to another within the same cloud, or between different clouds? The cost and availability of security solutions will also shape the policies. These policies will either rely upon open standards or drive the creation of new standards.
Traditional security is an all-IP approach, but an all-IP approach is unlikely to work because neither the standards nor IoT communications over CoAP are fully evolved. 802.15.4 defines security procedures, but it is still evolving, while work within the standards is focused only on end-to-end security and secure group communications. Standardization will therefore be a key factor in enabling the development of effective security solutions, as opposed to ineffective "pieced together" solutions built with the help of consulting firms. Traditional solutions like sandboxing and signature-based detection will not work in an IoT environment. IoT security solutions will need to manage tradeoffs between performance and security, as well as choose between distributed and centralized architectures. Centralized architectures like Trust Center (Zigbee), 6LBR (Border Router for 6LoWPAN) and central key distribution (KDC) are emerging and are likely to win out against decentralized mechanisms, which require strong P2P mechanisms that are very difficult to implement.
While we are still in the early days of IoT adoption, there are a few good examples of startup innovation at the intersection of security and IoT:
– Device Authentication (e.g. Launchkey)
– RTOS (e.g. Mocana, Icon Labs and Red Balloon Security), Wireless Sensor Networks (e.g. Sensalyze, acquired by ARM, Dust Networks and Green Pack)
– End-to-end systems for key management (e.g. Dyadic Security) and intrusion detection systems (e.g. Argus, ScadaFence).
These technology segments can address broad application areas and tend to be industry agnostic. However, success in these areas will likely require partnerships with sensor vendors in this space.
The winning companies are likely to be the ones that not only create and/or support emerging IoT standards but also understand the critical policies needed to manage, share and exchange critical IoT information.
BGV is building key partnerships to source innovation and build companies that will secure the IoT. These include relationships with IoT-focused accelerators, corporate partners and university incubators.