According to the White Paper on the Internet of Things (2020) published by the China Academy of Information and Communications, the Internet of things currently faces several security problems:
First, China’s Internet of things security policy layout is still insufficient. The Internet of things security standard system has not been released, the security standards are not targeted at specific scenarios, security protection awareness is not unified across the links of the industrial chain, the security protection system is incomplete, and the structure of the Internet of things security industry is not reasonable and is currently decentralized.
Second, China’s Internet of things security industry is still in its infancy. The design of the Internet of things industrial chain involves many links, and security construction needs to be promoted jointly by multiple parties. At present, there is a lack of security solutions and benchmark enterprises for typical scenarios. The demand side is price sensitive and is reluctant to accept an increase in the cost of Internet of things security.
Third, the industrial maturity of core terminal security for the Internet of things is not high. At present, terminal security is the top priority of Internet of things security. Once a terminal is destroyed, controlled or attacked, it will not only affect the security and stability of application services, lead to leakage of private data and damage to life and property, but also endanger key network infrastructure and threaten national security.
In addition, the integration of new technologies increases the security risk of the Internet of things.
Large-scale application has accelerated the integration of the Internet of things with new technologies such as artificial intelligence, edge computing, IPv6, containers and microservices. These new technologies improve the functionality of the Internet of things, but they also bring new challenges to traditional security protection measures. Typical manifestations are:
IPv6 will bring potential exposure risks. In the IPv4 era, because the number of addresses was limited, technicians mostly used network address translation (NAT) to solve the problem of insufficient network addresses. NAT assigns users an intranet address instead of a public address, which “hides” the devices behind it. The intranet address of a device cannot be seen by the outside world, so a security policy of allowing only outgoing communication is enforced. With IPv6, IoT devices are exposed to the network, and the outgoing-only filtering strategy that NAT provided disappears, which means that communication between internal and external systems is no longer managed by the network. Unless effective control measures are taken, the deployment and use of IPv6 may allow all internal nodes of the network to be accessed directly from the Internet, and Internet of things devices will be more vulnerable to network attacks.
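One form the "effective control measures" mentioned above can take, as an added example that is not from the white paper: an nftables ruleset for an IPv6 gateway in front of the devices, which keeps the outgoing-only policy with connection tracking instead of NAT. The table name and the interface names `lan0` (device side) and `wan0` (upstream) are assumptions.

```nft
# Added example: stateful IPv6 forwarding policy for an IoT gateway.
# "iot_gateway", "lan0" and "wan0" are assumed names, not from the white paper.

table ip6 iot_gateway {
    chain forward {
        # Default-deny. With "policy accept" here, every device that holds a
        # global IPv6 address would be reachable directly from the Internet.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the devices opened, plus ICMPv6 errors
        # tied to those flows (for example packet-too-big for path MTU discovery).
        ct state established,related accept
        ct state invalid drop

        # Devices may open new connections outward.
        iifname "lan0" oifname "wan0" ct state new accept

        # Unsolicited inbound traffic falls through to the drop policy.
        # Log it, rate limited, so scans of the device prefix are visible.
        iifname "wan0" limit rate 10/minute log prefix "v6-inbound-drop: "
    }
}
```

This reproduces the outgoing-only behaviour that NAT gave as a side effect, while the devices keep their global IPv6 addresses.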
The improved agility of the Internet of things brings related security risks. IoT platforms generally introduce technologies such as containers and microservices to ensure the consistency and agility of the application development environment. Containers, microservices and similar technologies break the original boundary security strategy and bring new security risks. Container technology moves the deployment of the Internet of things platform from “hard” isolation to “soft” isolation. Microservices split single applications into multiple services. The ports of interaction between applications increase exponentially, which increases the risk of data leakage and associated attacks, resulting in a significant increase in the attack surface.
Internet of things edge computing will amplify distributed security risks. Edge computing moves the computing model from centralized cloud computing to more distributed deployment, and also brings the threat of network attack to the network edge. First, there are a large number of edge computing nodes, including edge clouds, edge gateways, edge controllers and other edge terminals. The complexity and heterogeneity of these terminals are prominent, which makes it difficult for security protection strategies to cover them all. Second, because the resources and capabilities of edge facilities are limited, it is difficult to provide security capabilities consistent with those of the cloud data center. Edge node data is easily damaged, and protecting infrastructure software is also difficult. Third, edge computing will adopt open APIs, open network function virtualization and other technologies. This openness can easily expose edge nodes to external attackers.
Internet of things open source will raise security to the infrastructure level. According to the 2020 Open Source Security and Risk Analysis (OSSRA) report released by Synopsys, the proportion of open source in code bases in the field of Internet of things is as high as 82%. According to WhiteSource’s annual report on open source security, the number of open source security vulnerabilities publicly disclosed in 2019 reached a new high, with a total of 6100. Compared with 2018, open source software has become the most basic “brick and tile” raw material of Internet of things application software and the core infrastructure of applications in all walks of life. Internet of things security has gone deep into the national basic security level.