As aviation accompanies other industries into the age of the Internet of Things, security concerns will change and intensify. According to Brian Geisel, CEO of Geisel Software, a recent survey shows security is the number one blocker of adoption of IoT. More than half of respondents said security concerns are worse than a year ago, and only 9% are confident of what is happening to their IoT data.
Geisel told attendees at PTC’s LiveWorx conference that the problem is that IoT is still changing and innovating, and that it is fundamentally different from internet connections among consumers and people. “Things can be infected without anyone knowing it,” Geisel stressed. “For people, passwords are in your head, but for devices, there must be different keys on all devices. People would notice if their operating system is replaced. Things won’t notice.”
Geisel said the solution is putting several layers of protections on devices and keeping these protections up to date on threats.
The first layer is physical hardware security, which must be different for each device. “No one size fits all,” Geisel said.
Layer two is a firewall and password. The aim is to prevent a man-in-the-middle attack, where a hacker gets between the IoT server and the end device. “Sooner or later you will get hacked,” Geisel warned. “But you must limit what they can do.”
That is especially important as IoT increasingly connects not just sensors providing information, but devices like robots that act in the physical world. Losing control of these physically acting devices can do major damage to assets and even people.
Level three security is securely hashed passwords. Hashes are one-way functions that cannot be easily broken because there is no one-to-one relationship between passwords and hashes. But attackers now use rainbow tables, generated by programs like RainbowCrack, to precompute billions of passwords and the hashes they yield. “They cannot get all the passwords,” Geisel advised. “But they can get a lot.”
One defense against rainbow tables is to add ‘salt’ to the password, that is, additional characters that make it much harder for a rainbow table to find a hash-password match.
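The effect of salting described above, as an added example that is not from the article or from Geisel's talk: a table of precomputed hashes matches every unsalted record at once, while per-device random salts leave it with no matches. The function names, device names, candidate list, and the choice of PBKDF2 with 100,000 iterations are assumptions, and a plain precomputed lookup stands in for a real rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample data: passwords an attacker has precomputed hashes for.
CANDIDATES = ["123456", "password", "letmein", "admin", "sensor01"]

def unsalted_hash(password: str) -> str:
    """Weak storage: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup(candidates):
    """Precompute hash -> password once; reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-record salt (iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def enroll(password: str) -> dict:
    """Create a stored record with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])

def matches(stored_hashes: dict, lookup: dict) -> dict:
    """Return the records whose stored hash appears in the precomputed table."""
    return {dev: lookup[h] for dev, h in stored_hashes.items() if h in lookup}

def demo() -> dict:
    lookup = build_lookup(CANDIDATES)
    # Two hypothetical devices that share the same password.
    unsalted = {"device-a": unsalted_hash("admin"), "device-b": unsalted_hash("admin")}
    records = {"device-a": enroll("admin"), "device-b": enroll("admin")}
    salted = {dev: rec["hash"] for dev, rec in records.items()}
    return {
        "unsalted_matches": matches(unsalted, lookup),
        "salted_matches": matches(salted, lookup),
        "unsalted_hashes_equal": unsalted["device-a"] == unsalted["device-b"],
        "salted_hashes_equal": salted["device-a"] == salted["device-b"],
        "correct_password_verifies": verify("admin", records["device-a"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the hash and is not secret; its job is to make each record require its own precomputation.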
Level four security includes signature verification and restrictions on use of IoT access. But Geisel said there is no permanent solution to IoT security, except a readiness to evolve new defenses as new threats materialize. Thus the ability to update firmware on IoT devices is critical, because it allows coders to go back and fix security vulnerabilities that are discovered long after original installations.