Internet of Things (IoT) Security – What is it, and how can I keep my devices secure?

What is IoT?

The Internet of Things (IoT) refers to the billions of physical devices (“things”) that are embedded with sensors, software and are connected to the internet. Besides the everyday objects like kitchen appliances, thermostats, baby monitors, IoT devices also include sophisticated autonomous cars and industrial tools. At an even larger scale think of connected defence equipment, medical devices, and entire smart city infrastructure. 

This internet connectivity makes the devices digitally intelligent enabling them to exchange data with other devices and systems over the internet without human intervention. 

The IoT fabric is becoming smarter, growing exponentially and rapidly merging the digital and physical worlds. IoT enhances the way we live and improves the quality of life. 

I believe IoT is an opportunity, and it will be significantly instrumental in saving the planet and help the humanity

Why does IoT need to be Secure?

The Internet of Things (IoT) solves important business concerns while also posing significant risks. IoT is also being used in the critical infrastructures that contribute highly on the economy, it makes security measures for IoT systems very critical mainly due to its increasing connectivity. Security is one of the biggest concerns with IoT as the devices expose both consumers and enterprises to IoT-targeted cyber threats and privacy issues.

As per McKinsey projections, by 2023, there will be 43 billion IoT devices connected to the internet. Most of the IoT devices (98% source: IoT business news) are not designed with the “security first” principal. IoT device traffic is unencrypted and exposes confidential information to the attackers. Around 51% of IoT devices have security vulnerabilities that are like open doors for the attackers. Legacy IoT devices like medical imaging devices and industrial automation equipment runs on obsolete and unsupported software and are not frequently updated. This declines the overall security posture of the environment and make IoT a low hanging fruit for the attackers. 

Attackers easily get a foothold on the IoT device compromising a vulnerability like a weak password. Once a cybercriminal gets access to one device, they can use lateral movement techniques to find other vulnerable devices in the network and do severe attacks like ransomware, crypto-mining, password stuffing and remote code execution.

Some of the companies also collect data from the sensors in IoT devices and monetize it. This may include PII data. Cyber criminals may use this information and combine with other data fragments to compromise privacy.

These attack trends have made users wary of the consequences of the security breaches reducing the adaption of IoT.  For any transformation, it is essential to build the consumer trust and ensuring security is in-built from design.

Understanding IoT Security Challenges 

The security of critical infrastructure networks has conventionally been ensured by isolating the networks from the outside. However, these networks are becoming integrated with information networks to enable business innovation, and recently there have been demands to connect them to external networks to enable coordination with IoT-driven remote maintenance and other services.

Several IoT appliances/devices cannot be patched with security fixes as a result almost all devices will be at risk. Hackers are now actively aiming IoT devices such as routers and webcams because their inherent lack of security makes them vulnerable and easy to compromise.

These IoT security challenges are partly due to the technical nature of IoT ecosystem as well as due to the unique security requirements.  Technical ecosystem has unique characteristics and must deal with scalability, distributed, heterogeneity, low energy, and omnipresent nature of IoT devices. Authentication, confidentiality, integrity, and end-to-end security, on the other hand, are the inherent security requirements. 

Referring to ITU IoT reference model that is composed of four layers as well as management capabilities and security capabilities. Security aspects need to be looked at each layer.

Fulfilling these requirements is difficult given the constraints and limitations in computational and power resources.

IDENTITY & AUTHENTICATION

IoT devices and objects should be able to recognize and authenticate each other. When many entities (i.e. devices, humans, software etc.) are involved authentication becomes difficult. An academic survey found that there are more than 80 difference authentication mechanisms proposed or implemented. There is no authentication standard at this point. Authentication can also become more complex due to the scale and size of the IoT fabric.

COMPUTE POWER

Because IoT devices have limited computing and power capabilities, designing, and implementing encryption or authentication methods is difficult. For maximum IoT security, these cryptographic algorithms must be able to work on small devices and compatible with the device’s compute capabilities. Lightweight and pluggable solutions should be created and deployed to match the limited compute power of IoT devices.

IoT DEVICE HETEROGENEITY 

IoT devices are heterogeneous in terms of their capabilities, communication protocols, technical interfaces etc. This poses serious challenges when trying to secure the end-to-end security that requires the devices to share information and collaborate. 

Establishing secure sessions and secure communication becomes complex with a variety of communication technologies at play. Organizations face a problem designing and executing security protocols that cover such a wide range of diverse IoT devices. When designing defensive measures to ensure IoT security, keep these characteristics in mind.

Key Mistakes that put your Business at Risk

Following are some common mistakes/ignorance that can result into fatal cyber-attacks:

• Not having a security and privacy program
• Security not being incorporated into the product designing and ecosystems
• Insufficient security understanding and training for engineers and architects
• Lack of visibility & Insufficient monitoring of devices and systems to expose security events
• Immature incident response practice

Refer https://w-se.com/the-owasp-iot-top-10-list-of-vulnerabilities/ for OWASP top 10 IoT vulnerabilities.

How to Secure IoT Devices?

IoT security needs to be a multi-layered approach starting from securing the devices, network, perimeter, and the other parts of the IoT ecosystem that are specific to the given environment. 

It is important to use only the permitted software in IoT devices as the open-source libraries and components many times have inherent security vulnerabilities that opens door for attackers. It is important to keep the device software updated with latest patches installed. In addition, the devices should authenticate before joining the network to ensure that only trusted entities have network access.

Because IoT endpoints have limited processing and memory, it is recommended to leverage firewall and perimeter security layer to filter malicious traffic transmitted closest to the ingress point. 

With reference to ITU IoT reference model, different layer has different security requirements: 

• Application Layer: authorization, authentication, application data confidentiality and integrity protection, privacy protection, security audit and anti-virus
• Network Layer: authorization, authentication, use data and signalling data confidentiality, and signalling integrity protection
• Device Layer: authentication, authorization, device integrity validation, access control, data confidentiality and integrity protection. 
• Specific security capabilities are closely coupled with application-specific requirements, e.g., mobile payment, security requirements.

When designing the security of IoT devices, you must consider the custom security procedures in addition to conventional security procedures. It would be best if you assured device security, network security, and the overall security of the IoT architecture and system.

To secure IoT devices, you can use the following security best practices:

• Deploy tamper-resistant IoT devices: Deploy tamper-resistant IoT devices that are disabled when tampered with.
• Make physical security a priority: Physically isolate devices and allow only authenticate human access.
• Install fixes and update firmware: Upgrades, firmware updates, and patch installations should all be done as soon as the manufacturer releases them.
• Perform dynamic testing: This method reveals both code flaws and hardware security issues.
• Protect data when disposing of IoT devices: Define protocols for disposing of IoT devices as they become obsolete. Devices that have been improperly discarded might represent a threat to privacy and be used for a variety of harmful reasons.
• Use strong authentication: Always use strong passwords and change default passwords as this makes the device vulnerable to password stuffing attacks. 
• Adaptive authentication should be encouraged: Contextual information and machine learning techniques are used in adaptive authentication, also known as context-aware authentication (CAA), to assess the risk of malice. The user will be requested a multi-factor token if the risk is high.
• Strong encryption and protocols should be used: Use robust encryption in various IoT protocols to ensure secure data transmission (Bluetooth, Zigbee, Z-Wave, Thread, Wi-Fi, cellular, 6LoWPAN, NFC, etc.)
• Reduce device bandwidth usage: Avoid being a target of IoT-borne distributed denial of service (DDoS) attacks by limiting network capabilities and bandwidth to the absolute minimum required for the device to function.
• Limit the detection of these devices on the network:  To reduce the attack service avoid leaks of sensitive personally identifiable information (PII) close the unwanted ports on the device. To allow only the authorized clients to discover the IoT device, you’ll need correct service mechanisms and authentication protocols.
• Divide the network into segments: Virtual local area networks (VLANs), IP address ranges, and their combinations categories help break large networks into smaller local networks. This allows you to depict distinct segments controlled by firewalls by creating distinct security zones.

Conclusion

As your organization’s IoT grows, you must ensure that adequate IoT security solutions are implemented and proven to be effective in protecting your distributed assets from cyberattacks.

To keep your internet-connected devices safe and secure, use the security principals as mentioned above in conjunction with IoT security software. 

In this article I wanted to touch upon the IoT specific cyber security challenges and best practices. We have just scratched the surface of the IoT world, and I believe the possibilities are endless. I am eager to see us all go to the next stage where we embrace IoT with confidence and trust.

Author:

Published in Telematics Wire