IoT security breaches are expected to reach an all-time high, according to ChainLink’s annual predictions. It’s important to differentiate between indirect attacks, using IoT devices to conduct cyberattacks against another target, and direct attacks, where the end goal is to compromise and access the IoT device itself.
A high-profile example of an indirect attack was last year’s DDoS attack against Dyn that exploited security weaknesses in tens of millions of IoT devices to overwhelm Dyn’s DNS servers, making dozens of major internet sites like Amazon, Twitter, and Netflix unavailable.
Unfortunately, the market rewards time-to-market and lower prices over robust security for many classes of IoT devices, especially low-end devices that are commonly (and often unknowingly) hijacked to create a cyber-attack, such as IP cameras, home automation systems, home gateways, connected printers, baby monitors, and so forth. Some high-profile cases may garner negative media attention, but usually with little impact on the consumer’s ultimate decision to buy.
With direct attacks, the goal is access to the IoT device – and by extension the sensors, machines, and environment that the device is connected to. As such, this type has the potential to be even more disruptive and destructive. Criminals, terrorists, and malicious foreign governments may use connected devices to cause havoc or harm, such as hacking into a home security system to rob or kidnap someone or holding a city hostage by taking control of its traffic light or power system. In theory, this should create more motivation to secure these devices; however, too often a lack of resources or attention is given, even for high-value targets, making cyberattacks still very common.
The IoT Security Imperative asserts that manufacturers and deployers of IoT devices and systems (especially potential targets for direct attacks) have a moral obligation to vigorously and comprehensively address security. The following principles can serve as guideposts to enable stronger IoT security.
- Use a multi-layered approach —A central tenet is to have multiple layers of security, so if one layer is compromised, the intruder confronts additional layers. In an end-to-end IoT system, each component should be designed to assume that the communication channel and other components have been compromised. Further within each component, there should be multiple layers of security to the extent that resources allow it. A multi-layered approach also includes physical security on devices and for facilities.
- Design in security from the start —Rather than a ‘bolt-on’ afterthought approach, security should be designed into every component and process from the start using secure by design principles, such as hardening, using secure defaults, and failing securely. Security should be built into the entire product lifecycle, including security reviews during concept, design, development, testing, deployment, maintenance, and EOL.
- Security for legacy and limited resource devices —Many environments do not have the luxury of start-from-scratch greenfield designs. This is true both on the device side (equipment in existing factories, buildings, ships, aircraft, etc.), as well as existing enterprise software systems. Also, some devices don’t have the memory or processing power to implement encryption, let alone multi-layered security. These devices can be isolated using secure gateways and readers that support segmenting the network, quarantining compromised devices or segments, wiping and reloading, and isolating insecure devices and networks, potentially using a ‘virtual private LAN’ overlay.
- Implement granular and scalable security —Complex IoT systems can have many different types of users, devices, and data. This creates several access scenarios with implications for the IoT platform’s built-in security. Highly granular and flexible access control and authentication will help support potentially hundreds of types of users and devices, and thousands of access scenarios and use cases. Bear in mind the fluidity of IoT systems and networks, which constantly provision and deprovision users, devices, and data sources, often with ever-changing use cases, system connections, and even changes to the underlying architecture.
- Protect against social engineering and insider malfeasance —Don’t forget the people, which is usually the weakest link in a security strategy. This includes proper vetting of employees and contractors, strong security training programs (including auditing and testing), and a broader set of insider crime prevention and anti-collusion measures, such as separation of duties, rotation of duties, regular audits, surveillance, monitoring, reporting hotline, etc.
- Encourage robust, independent security testing —For starters, make it easy for anyone to report problems, and set up mechanisms and escalation to ensure that you’re highly responsive to them. It can also pay to hire white hat hackers to do penetration testing, or consider starting a bug bounty program to incentivize people to report vulnerabilities.
- Prioritize security investments —Often security loses the battle for limited resources that could instead be used to serve customers better, grow the company, get the product out sooner, and meet other strategic goals. A strong business case needs to be made for security, and investments need to be ranked by priority since not all will be funded. Higher value targets require more robust security, but at the same time, the biggest vulnerabilities may be the most mundane. Piggybacking on other investments and looking for low-cost wins should be done whenever possible.
Security tends to be an incident-driven priority, meaning it doesn’t get much attention until after a major incident. It takes good ‘marketing skills’ (i.e. selling internally) to get the executive team to invest in it before the fact. And a certain kind of person who can find satisfaction in being the unsung hero who prevented the disaster from happening in the first place.
There are some good existing resources on securing different components of an IoT system. For cloud-based components, the Cloud Security Alliance offers Security Guidance for Critical Areas of Focus in Cloud Computing. For devices, in addition to the IoT Security Compliance Framework (from ISF), the Trusted Computing Group has their Architect’s Guide: IoT Security and Guidance for Securing IoT Using TCG Technology Reference Document. For more, also see IoT Security Foundation’s Vulnerability Disclosure Best Practice Guidelines.