Beware the fog of IoT

Over the years, the depth of IT security has increased massively. First, we moved from local systems that exchanged data - and malware - via floppies and optical discs to networked computers that made the process much faster and more efficient.

Then came cloud computing, where your applications live in “someone else’s computer” along with the data they process.

But this paradigm creates a whole new kettle of security fish that’s more complicated, and which has to scale to match virtual machines and containers spun up at the other end of network connections, accessing data that you don’t have physical access to.

Cloud computing isn’t a static concept, either, from hybrid solutions that are partly on-premise to multiple clouds joined together, making keeping up with risks and threat modelling in those scenarios challenging.

That’s complex enough, but IT evolves and now the internet of things is gathering pace and will need to be taken into account.

Last week, Telstra said it had flicked the switch for IoT support on its LTE network. 

From a business opportunity point of view, this is great news. IoT is in its infancy, and nobody really knows for sure where smart grids and homes, connected vehicles, wearables, networked actuators, you name it, will take us.

The cost of building and deploying an IoT platform is dropping, and it’ll be an exciting ride for sure, not the least from a security perspective.

So far, the main concern have been with IoT devices themselves. They’ll be cheap and plentiful and networked, which means they’ll be addressable and accessible.

But will they be secure, updated, or upgraded? Because it’s guaranteed that IoT devices will be attacked sooner rather than later.

Let’s complicate things even further and throw another concept into the ring: fog computing.

Fog computing sounds a bit silly, but it describes a layer of two-way nebulous data connectivity and processing ability closer to the user, on the network edge. Rather than being in the sky like clouds, fogs are close to the ground, geddit?

The point to fog computing is to get around the issue of latency. For IoT to succeed, it needs to respond fast in many human-interfacing applications or the user experience will suck.

Think connected vehicles, light switches, air conditioning, and medical and fitness gear. A cloud that’s hundreds of milliseconds away from a comparatively slow IoT device isn’t the way to do it, hence the fog. Fog devices can be access points, gateways, wired and wireless systems that react to input, and provide processing and data storage and forwarding.

Fog computing’s been talked about for a few years, and some blame Cisco for the term. Others call it edge computing, and yes, there is an element of confusing marketing behind fog computing.

Now that IoT is getting closer to reality, fog or edge computing serves as a useful focal point to conceptualise an area of IT solutions that’ll be battered by digital miscreants, as it’s a natural attack vector.

Having computing services at the edge of the network means fog computing will become a juicy target for man in the middle attacks, using things like bogus access points, to capture data from IoT devices or to subvert it in both directions, to and from the cloud and end-users.

If you're working on IoT initiatives, consider what might happen if someone decides to attack not just the data-collecting and user-interfacing devices, but the systems on the network edge they connect to.

Intrusion detection systems, verification of the data gathered and processed, and hardened security for the edge as well as the devices themselves must form part of that IoT project, or you’ll be fogged in a different sense of the word.