When deploying edge connectivity and computing technologies for large-scale commercial IoT, the challenges of complexity, cost and risk often serve as major hurdles between idea and deployment. In previous articles, I’ve explored ways to reduce cost and complexity by addressing the unique design challenges of commercial IoT environments and removing the siloed design approach common in the commercial space.
While I’ve also looked at mitigating risk in those articles, the topic of security deserves its own discussion. The reality is that securing a single IoT network can be a challenge on its own. But when you’re securing an IoT network across multiple locations and thousands of nodes and devices, you enter a level of risk that requires serious consideration of how the network is deployed and how it is monitored over the long term.
With end-to-end security arguably being one of the most important pieces of IoT edge infrastructure, let’s consider what it takes to truly secure the commercial IoT environment from the point of manufacture to long-term updates in the field.
What threats should we look for?
Commercial IoT comprises tens of thousands of edge computing devices and sensors, deployed and networked across hundreds to thousands of locations. And because an IoT device can run multiple applications and hold multiple connections at once, the network can be attacked from several directions:
- Nosy neighbor: In the cloud, many applications from different tenants run together on a single piece of hardware and are isolated from one another; a multi-tenant commercial IoT device needs the same isolation between the applications it runs, but with far fewer resources, so the isolation has to be cheaper to implement.
- Tampering: With most devices deployed in unsecured or only semi-secured environments, an individual with physical access could tamper with a device and change an application’s behavior. This is of particular concern in high-traffic commercial deployments such as hospitality or retail environments.
- Extracting secrets: Beyond changing behavior, physical access gives an attacker the opportunity to open the device and extract proprietary information, such as cryptographic keys and intellectual property.
- Exploiting software: Unpatched IoT devices are a readily available platform for remote attackers to steal data, gain access to the network behind the device, or recruit devices into botnets for distributed denial-of-service attacks.
How can IoT teams mitigate these threats?
The solution to these issues is to take a layered security approach to IoT edge infrastructure. For each class of threat mentioned above, there is a cost-effective and scalable approach.
To combat the nosy neighbor, use containers designed for constrained hardware, which on Ubuntu means snaps. A snap is a self-contained, read-only file system (a squashfs image whose signature is checked at install) that cannot affect neighboring apps, which also makes apps easier to manage and update. A strictly confined snap runs under AppArmor and seccomp policy: it carries its own libraries, cannot modify the operating system, and can only exchange data with other snaps through explicitly connected interfaces (plugs and slots) with granular permissions. The confinement keeps malicious code from spreading, and because every policy violation is logged as a denial, investigating one is quick.
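A strictly confined snap declaration, as an added example (not from the article). The snap name, part and interface choices are assumptions for illustration; the line that enforces the isolation described above is confinement: strict, and every plug the app does not list is a capability it is denied.

```yaml
# snapcraft.yaml for a hypothetical sensor-gateway daemon (example, not from the article)
name: sensor-gateway
base: core22
version: '1.0'
summary: Reads the local sensor bus and forwards readings to the fleet backend
description: |
  Example strictly confined daemon. Everything outside the listed plugs
  (host files, devices, sockets, other snaps) is denied by AppArmor and seccomp,
  and the snap's own files are mounted read-only.
grade: stable
confinement: strict        # never ship devmode or classic to the fleet

apps:
  gateway:
    command: bin/gateway
    daemon: simple
    restart-condition: always
    plugs:
      - network            # outbound TLS to the backend only
      - serial-port        # the sensor bus; stays disconnected until an operator runs `snap connect`
    # no network-bind: the app exposes no listening socket
    # no home, system-files or snapd-control: nothing beyond the app's own $SNAP_DATA

parts:
  gateway:
    plugin: dump           # copies the prebuilt binary in; swap for go/python/etc. as needed
    source: .
```

On a device, snap connections sensor-gateway shows which plugs are actually connected, and snap connect sensor-gateway:serial-port is the deliberate step that grants the bus. Anything the app tries outside its policy shows up in journalctl -k as an apparmor="DENIED" line, which is the policy-violation trail the paragraph above refers to.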
To keep tampering and other physical attacks from changing the behavior of deployed devices, treat these preventive controls as crucial to the design:
- Prevent root access through the hardware: do not populate the serial debug header on production boards, remove the kernel serial console and any login prompt (getty) on it, and leave no open debug consoles.
- Do not ship default logins and passwords; disable password login entirely where possible and give each device its own credentials.
- Make apps immutable by shipping them as snaps, which are read-only and cannot be modified in place.
- Make sure everything from the verification public keys to the kernel and the snaps themselves is signed and verified, so that a modified image neither boots nor installs.
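An audit of three of the controls above on a running device, as example code added here (not from the article or from Ubuntu). It reads the kernel command line, the shadow file and the active systemd units; the inputs at the bottom are constructed, the list of serial tty prefixes is an assumption to extend for your board, and the unit listing is expected in the layout of systemctl list-units --plain --no-legend.

```python
"""Hardening audit for an IoT edge device (example, not from the article).
Checks: serial console on the kernel cmdline, accounts that can log in with a
password, and serial-getty instances that are active."""
import json

# Kernel tty prefixes used for UART consoles on common SoCs (assumption: extend
# for your hardware; tty0/tty1 are local virtual terminals, not serial ports).
SERIAL_TTY_PREFIXES = ("ttyS", "ttyAMA", "ttymxc", "ttyO", "ttySAC", "ttyUSB")


def serial_consoles(cmdline: str) -> list[str]:
    """Return serial devices the kernel was told to use as a console."""
    found = []
    for tok in cmdline.split():
        if tok.startswith("console="):
            dev = tok[len("console="):].split(",")[0]      # strip ",115200n8"
            if dev.startswith(SERIAL_TTY_PREFIXES):
                found.append(dev)
    return found


def password_findings(shadow_text: str) -> list[tuple[str, str]]:
    """Return (user, finding) for accounts that can log in with a password.
    shadow field 2: '' = no password required, '!'/'*' = locked, else a hash."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, secret = fields[0], fields[1]
        if secret == "":
            findings.append((user, "empty password: logs in with no credential"))
        elif not secret.startswith(("!", "*")):
            findings.append((user, "password login enabled: use per-device keys instead"))
    return findings


def active_serial_gettys(systemctl_units: str) -> list[str]:
    """Return active serial-getty@ instances (columns: UNIT LOAD ACTIVE SUB ...)."""
    gettys = []
    for line in systemctl_units.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].startswith("serial-getty@") and fields[2] == "active":
            gettys.append(fields[0])
    return gettys


def audit(cmdline: str, shadow_text: str, systemctl_units: str) -> dict:
    """Combine the checks; 'passed' is True only when every list is empty."""
    report = {
        "serial_consoles": serial_consoles(cmdline),
        "password_findings": password_findings(shadow_text),
        "active_serial_gettys": active_serial_gettys(systemctl_units),
    }
    report["passed"] = not any(report.values())
    return report


# Constructed sample inputs (not captured from a real device): a board that
# fails all three checks.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mmcblk0p2 ro console=tty1 console=ttyS0,115200n8 quiet"
SAMPLE_SHADOW = "\n".join([
    "root:!:19000:0:99999:7:::",
    "admin::19000:0:99999:7:::",
    "ubuntu:$6$saltsalt$hashhashhash:19000:0:99999:7:::",
    "_snap:*:19000:0:99999:7:::",
])
SAMPLE_UNITS = "\n".join([
    "serial-getty@ttyS0.service loaded active running Serial Getty on ttyS0",
    "snapd.service loaded active running Snap Daemon",
    "getty@tty1.service loaded active running Getty on tty1",
])

if __name__ == "__main__":
    # On a device: open("/proc/cmdline"), open("/etc/shadow") as root, and
    # subprocess.run(["systemctl", "list-units", "--plain", "--no-legend"]).
    print(json.dumps(audit(SAMPLE_CMDLINE, SAMPLE_SHADOW, SAMPLE_UNITS), indent=2))
```

Run it from your fleet's provisioning pipeline before a board leaves the factory, and again from the device agent after each update: a serial getty or an empty password reappearing after an image rebuild is exactly the kind of regression these checks catch.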
To keep individuals from extracting intellectual property, encrypt the entire file system automatically, including code, configuration and credentials. Encryption only helps if the key is not sitting on the same flash as the data: seal it to hardware (a TPM or secure element) and complement it with secure boot, so that the disk is unlocked only after the system’s integrity has been verified at every power cycle and start-up. Also, avoid embedding credentials in the app code (use a secrets management technology instead) and ensure each device has its own unique credentials, so that a key extracted from one device does not unlock the whole fleet.
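Unique per-device credentials and the challenge-response that uses them, as example code added here (not from the article, and not a description of any particular secrets manager). The scheme derives each device’s key from a fleet root key that exists only in the provisioning system and the backend, so the backend stores one secret and a key pulled off device A says nothing about device B; the names, the 0600 key file standing in for a secrets store, and the message format are assumptions.

```python
"""Per-device derived credentials with challenge-response (example, not from
the article). The fleet root key never leaves the provisioning system/backend;
each device receives only HMAC(root, its id), written outside the app image."""
import hashlib
import hmac
import os
import secrets
import tempfile


def derive_device_key(fleet_root_key: bytes, device_id: str) -> bytes:
    """Device key = HMAC-SHA256(root, 'device-auth:' || device_id). One-way: a key
    extracted from one device reveals nothing about the root or any other key."""
    return hmac.new(fleet_root_key, b"device-auth:" + device_id.encode(), hashlib.sha256).digest()


def provision(fleet_root_key: bytes, device_id: str, secrets_dir: str) -> str:
    """Factory step: write the unique key to a file readable only by the service
    (assumed layout). In production prefer a TPM/secure element or secrets store."""
    path = os.path.join(secrets_dir, f"{device_id}.key")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(derive_device_key(fleet_root_key, device_id))
    return path


def load_device_key(path: str) -> bytes:
    """The app reads its credential at runtime; nothing is compiled into the code."""
    with open(path, "rb") as f:
        return f.read()


# --- device side -----------------------------------------------------------
def device_respond(device_key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Prove possession of the key without sending it: MAC over nonce and identity."""
    return hmac.new(device_key, nonce + device_id.encode(), hashlib.sha256).digest()


# --- backend side ----------------------------------------------------------
def backend_challenge() -> bytes:
    """Fresh random nonce per authentication attempt (defeats replay)."""
    return secrets.token_bytes(32)


def backend_verify(fleet_root_key: bytes, device_id: str, nonce: bytes, response: bytes) -> bool:
    """Re-derive the claimed device's key and compare in constant time."""
    expected = device_respond(derive_device_key(fleet_root_key, device_id), device_id, nonce)
    return hmac.compare_digest(expected, response)


def demo(secrets_dir=None) -> dict:
    """Constructed walk-through: provision two devices, authenticate one, then
    show that device A's extracted key cannot impersonate B or be replayed."""
    if secrets_dir is None:
        secrets_dir = tempfile.mkdtemp()
    root = secrets.token_bytes(32)            # production: generated and held in an HSM
    key_a_path = provision(root, "gw-0001", secrets_dir)
    key_b_path = provision(root, "gw-0002", secrets_dir)
    key_a, key_b = load_device_key(key_a_path), load_device_key(key_b_path)

    nonce = backend_challenge()
    genuine = backend_verify(root, "gw-0001", nonce, device_respond(key_a, "gw-0001", nonce))
    # Attacker extracted key_a from device A and tries to authenticate as B.
    impersonate = backend_verify(root, "gw-0002", nonce, device_respond(key_a, "gw-0002", nonce))
    # Attacker captured A's earlier response and replays it against a new nonce.
    replay = backend_verify(root, "gw-0001", backend_challenge(), device_respond(key_a, "gw-0001", nonce))
    return {
        "keys_distinct": key_a != key_b,
        "genuine": genuine,
        "impersonation_with_stolen_key": impersonate,
        "replayed_response": replay,
        "key_file_mode": oct(os.stat(key_a_path).st_mode & 0o777),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat this design carries: derivation concentrates risk in the fleet root key, so it belongs in an HSM with the backend calling out to it, never on a build server or in source control. Where the device has a TPM or secure element, provision the derived key into it so the MAC is computed inside the chip and the key is never readable from flash at all.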
Finally, to avoid software exploits, the most important factor is automatic and frequent security patching. This is hard without a clean, clear separation between the operating system and the individual applications. With snaps, patches are deployed as often as they are needed: snapd refreshes installed snaps automatically, the maintenance window is configurable through the refresh.timer system option, and the previous revision of a snap is kept so a failed update can be reverted. Snap confinement combined with the automatic update service lets IoT teams schedule patches flexibly and immediately, and concentrate on product feature releases and upgrades rather than on security patching.
No replacement for constant monitoring and consistent partners
Keep in mind that no security measure is perfect, so a plan must be in place for when security is breached. This is where monitoring becomes crucial. Best practice is a centralized application performance monitoring system that quickly identifies anomalies and weaknesses and gives developers a fair shot at remediation. In the same vein, centralized logging, with logs shipped off the device as they are generated so that an intruder with physical access cannot erase them, provides the forensic record needed to determine the extent of a breach and troubleshoot specific areas of concern.
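Two detections run over centralized device logs, as example code added here (not from the article or from any monitoring product). The log lines are constructed in a syslog-like layout (timestamp, host, program, message) and the rules tie back to the controls above: a burst of failed SSH passwords against a device that should have no password login, and any interactive login on a serial console that should not exist on a fielded board. The format, regexes and threshold are assumptions.

```python
"""Detection rules over centralized IoT device logs (example, not from the
article). Input: iterable of constructed syslog-style lines; output: alerts per host."""
import re
from collections import Counter, defaultdict

# "<timestamp> <host> <program>[pid]: <message>"  (constructed layout; adapt to your shipper)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_SSH_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# util-linux login writes "LOGIN ON <tty> BY <user>" / "ROOT LOGIN ON <tty>"
SERIAL_LOGIN_RE = re.compile(r"LOGIN ON (?P<tty>(?:ttyS|ttyAMA)\d+)")


def parse(lines):
    """Yield dicts for lines that match the expected layout; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect(lines, fail_threshold=5):
    """Return {host: [alert, ...]}.
    Rule 1: >= fail_threshold failed ssh passwords on one host (password auth
            should be disabled, so any volume here is an attacker probing).
    Rule 2: any login on a serial console (the hardening above removes them)."""
    failures = Counter()
    sources = defaultdict(set)
    alerts = defaultdict(list)
    for ev in parse(lines):
        if ev["prog"] == "sshd":
            m = FAILED_SSH_RE.search(ev["msg"])
            if m:
                failures[ev["host"]] += 1
                sources[ev["host"]].add(m.group("src"))
        elif ev["prog"] == "login":
            m = SERIAL_LOGIN_RE.search(ev["msg"])
            if m:
                alerts[ev["host"]].append(f"interactive login on serial console {m.group('tty')}")
    for host, n in failures.items():
        if n >= fail_threshold:
            alerts[host].append(f"{n} failed ssh passwords from {sorted(sources[host])}")
    return dict(alerts)


# Constructed sample log lines (not captured from real devices).
SAMPLE_LOGS = [
    f"2024-05-01T10:00:{i:02d}Z gw-0001 sshd[812]: Failed password for root from 203.0.113.7 port {51120 + i} ssh2"
    for i in range(1, 6)
] + [
    "2024-05-01T10:00:30Z gw-0002 sshd[770]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2",
    "2024-05-01T10:00:45Z gw-0002 snapd[640]: autorefresh.go: auto-refresh: all snaps are up-to-date",
    "2024-05-01T10:01:02Z gw-0003 login[301]: ROOT LOGIN ON ttyS0",
    "this line is not in the expected layout and is ignored",
]

if __name__ == "__main__":
    for host, items in detect(SAMPLE_LOGS).items():
        for item in items:
            print(f"{host}: {item}")
```

The second rule is the one worth keeping even if you tune the first: a serial login on a device whose console header was supposedly unpopulated means either the hardening was not applied to that batch or someone is standing in front of the unit, and both are incidents.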
For those designing IoT applications or managing IoT networks, it is critical to find a manufacturing partner that has considered these risks. Hardware should be designed in a way that not only addresses the above threats, but also provides a high level of observability into what is occurring in your hardware and on your network.
End-to-end security of commercial IoT is an ongoing process that spans from point of manufacture to deployment and on to the updates in the field. It should be embedded throughout the edge infrastructure, with an eye toward each of the threat classes.
By finding the right partners, IoT teams can greatly reduce business risk while spending more time focusing on the competencies they excel in: developing applications that drive business value.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.