The Business Insider recently announced that there are about 10 billion connected IoT devices in 2018 and predicted that there will be 64 billion of these devices in use by 2026. The vast majority of these devices are or will be connected to the edge computing networks. But how secure it is?
Computing on the edge
Traditional technologies are no longer addressing the growing needs of modern business. The applications that power the Internet of Things (IoT) often require response times that cannot be fulfilled using traditional models of data transmission and processing.
Increasing speed and cutting on latency lye at the heart of the model of moving data processing closer to the IoT devices, also referred to as ‘the edge computing’. The latency issue in this type of computing is solved by repositioning the task of initial data processing to the connected devices and using local (edge) data centres instead of central cloud computing servers.
We are nowadays witnessing an increasing number of proponents popularising edge computing. The GP Bullhound’s Technology Predictions 2020 report, for example, points out that many start-ups and middle-sized companies that provide computing, networks, infrastructure and cybersecurity for the edge will increase in 2020. Big companies, such as Amazon Web Services and Verizon, are also teaming up to provide connections to nearby edge gateways (local cloud data centres) accessible via 5G network.
The Wall Street Journal recently published a story about Walmart intending to set up specialised computers at their stores, which will be used to help self-driving cars to utilise the edge computing capabilities. The merit of this approach is seen in the fact that the Walmart stores are spread throughout the US and that about 90% of Americans live within 10 miles of these stores.
Being still novel, however, the concept of edge computing is not familiar to the wider business community. The similarity to the concept of the ‘fog computing’ somehow adds to the confusion. In essence, fog computing is the standard, created by Cisco in 2014, and edge computing is the concept. However, both fog and edge computing bring intelligence and processing closer to the creation of data – the IoT devices in our case.
The main difference between edge and fog computing lies in the place where data processing occurs. While the fog computing uses the local area networks (LANs) to transmit data from endpoints to a gateway and the sources for processing, the edge computing data processing usually occurs directly on the devices to which the sensors are attached or a gateway device that is physically closest to the sensors.
Although the security risk concerns are similar, this article is about cybersecurity issues related to the rapidly growing milieu of edge computing. For example, two months ago the Microsoft Threat Intelligence Center announced they found attempts by a known adversary to compromise popular IoT devices across multiple customer locations. Furthermore, a survey of 625 risk management and governance experts by Ponemon Institute found 26% of respondents in 2018 suffered an IoT-related data breach, compared to 15% in 2017.
How is then secure edge computing?
Security issues on the edge
Since the edge computing is largely associated with the IoT, it inevitably inherits (still) disreputable security of these devices. Although IoT applications expect strong security protection, severe resource constraints and insufficient security design are two major causes of many security problems in current IoT applications, claims a recent research report.
Many existing security mechanisms, including advanced security algorithms such as Attribute-based Access Control, Group-signature based authentication, homomorphic encryption and Public-key based solutions, demand the device to have a high level of computation power and memory space to run it, which the IoT devices such smart meters, smart lockers, smart cameras and alike – do not have.
Moreover, the devices used at the local cloud data centres are not either designed or made with appropriate cybersecurity in mind. Also, these devices are not diligently updated like those in large data centres. Hence, each of these devices embodies potentially vulnerable endpoint, which enables access to the main networks and big data centres.
The security vulnerabilities of IoT devices should, hence, be addressed by incorporating cybersecurity into the device design. As we have accentuated in our earlier article, security requirements are often seen as obstacles or burden in the system design but ignoring them, in the beginning, is not cost-efficient in the long run. Adding security features afterwards is less effective and often more costly than including proper mechanisms from the beginning.
Paradoxically, wider spreading of the edge computing device may offer greater security by reducing the distance of the data transmission to the major data centres – thus offering fewer opportunities for the data interception. However, by more data residing at the edges of the networks makes central cloud storages less attractive for hacking but increases the appeal of the local (edge) cloud storages.
The edge computing also improves security by encrypting data closer to the network core, while optimising data laying further from the core for performance. However, the vast majority of edge devices do not perform authentication for the third-party Application Programming Interfaces (APIs) and do not encrypt data by default. This makes these devices rather vulnerable as cybercriminals can easily take data from the IoT devices or infect them.
The vulnerability of the IoT devices used in the edge computing, furthermore, allows for the distributed denial-of-service (DDoS) attacks, which are becoming larger and more common than ever. The expanding artificial intelligence (AI) and 5G networks can allow attackers to perform these attacks with far greater speed and effectiveness.
To combat these and other types of attacks, ‘security agents’, which are installed near IoT devices, can be deployed. These technology agents are designed to monitor behavioural properties of IoT devices such as bandwidth, sensitivity latency, data transfer, resource usage, or types of connection. The agents roam the edge computing networks searching for known intrusion parameters and unknown anomalous symptoms. They can also provide cryptographic security as a robust defence against cybersecurity attacks.
However, the ‘human agents’, i.e. cybersecurity professional can positively or negatively impact on the edge computing security. The worsening of a talent gap in 2020 will certainly negatively impact on both general cybersecurity and the security of the edge computing. Without finding cybersecurity talent in non-traditional specialisations – as we recently suggested – the talent gap will worsen in and even beyond 2020. In this regard, we agree with the recent Cybereason’s statement that “There’s only one way to get to the future we hope for: continuing our education and making bold moves”.
And not to be forgotten: one of the most obvious concerns should be the physical security of the edge computing devices such as the edge-related IoT devices or micro data centres, which are often mounted at the base of cell towers. These apparatuses are more vulnerable than typical office equipment and technology securely held within organisational perimeters.
Generally, the responsibility for implementing an integrated security approach to the edge computing cybersecurity squarely falls on organisations, not end-users. The edge computing networks should be secured by appropriate policies, protocols and procedures, compulsory data encryption and regular updates of all devices. Minding a number of the edge computing devices, the use of AI seems not just helpful but rather compulsory.
It is, however, the common opinion of academics and professionals that the edge-based IoT security research and practice are still in their early stages. There still needs to be a continuous search for more sophisticated and effective edge-based security designs. Hence, the measures for securing edge computing that we presented here are not exhaustive at all.
We at VM Advisory believe that the potential security benefits and disadvantages of edge computing must be considered by each individual organisation. We particularly caution the custodians of the national critical infrastructure, which is dotted by IoT devices, to be extra vigilant as cyber-attacks on this infrastructure are predicted to grow in 2020. In an already very volatile South African electricity supply environment, cyber-related blackouts are a looming possibility.