In two short years, there could be nearly 30 billion autonomous Internet of Things devices on our networks. Unlike computers and smartphones, these sensors, appliances, controllers and other devices talk to each other without requiring human interaction.
All of this new technology presents a major security risk. Recently, at the University of Kansas, we won a research grant from the National Security Agency to study how we can make IoT devices safer from cyberattacks.
We put together a multidisciplinary team of computer scientists, electrical and computer engineers, psychologists, sociologists and philosophers to provide unique perspectives and find solutions to the problem.
The Critical Issue of IoT Security
Here are a few reasons why we need solid research on how to provide security solutions for IoT:
- Autonomous IoT devices are usually small, inexpensive and don’t have much computing power. That also means they have little capability to protect themselves from being hacked.
- Almost every IoT system is cloud-based. Even if most cloud-based applications are secure, the cloud is another point of entry that could be a security risk.
- We don’t completely trust IoT devices or systems. For example, if we’re riding in a futuristic self-driving car, how do we know that car hasn’t been compromised in some way?
- Imagine that your house is an IoT device. Things go in and out through windows and doors, but squirrels find a hole in the attic and get in via a path you didn’t intend. This happens in computing, and can happen to IoT devices. We don’t yet know all the side channels that can be used for attacks.
Why an Interdisciplinary Approach to Security Works
Although IoT security may seem like an IT-only problem, it helps to think about it from nontraditional perspectives. For instance, consider the concept of resilience. Most computer networks aren’t particularly resilient. Removing a small piece of software can bring a whole network down.
Perry Alexander, Director of the Information and Telecommunication Technology Center at the University of Kansas
But when a multidisciplinary team looks at resilience, they look outside of the computer world. For example, skin is resilient. When you cut your finger, you don’t die.
Not only that, your body isolates the damage and has a way of repairing itself that makes it seem as if the damage never occurred. That gets us thinking about new ways to create and build computer systems that can isolate problems and heal themselves.
Adopt Interdisciplinary Thinking for Campus IoT Security
I’m a researcher, not an enterprise computing expert, but I do see that managing technology within a university environment is a difficult security problem. Higher education is an open environment.
Our goal is to teach and share information, and providing constant access to the internet helps us achieve that. But at the same time, we are responsible for the traffic we generate and the data we share.
In addition, universities deal with a massive number of students, teachers and visitors using their own devices. If you restrict and secure those personal devices to the point of limiting their functionality, people will find ways around the barriers and potentially compromise the network.
A multidisciplinary approach helps to solve many of these issues. For example, sociologists and healthcare professionals are always trying to change people’s behavior — trying to get them to stop smoking or to take medicine regularly.
We’re coming up with ways to apply this knowledge to help change people’s behavior around computer security, such as creating stronger passwords or not clicking on suspicious links. There are technical solutions to these things, but by looking at human behavior we’re helping to solve a larger, more complex problem.
It’s a unique path of discovery, but by working across disciplines and applying well-tested findings and research to computer security, we have a much better chance of creating a technology-enriched campus that is both functional and secure.