BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
IoT security is the technology area concerned with safeguarding connected devices and networks in the internet of things (IoT).
IoT involves adding internet connectivity to a system of interrelated computing devices, mechanical and digital machines, objects, animals and/or people. Each "thing" is provided a unique identifier and the ability to automatically transfer data over a network. Allowing devices to connect to the internet opens them up to a number of serious vulnerabilities if they are not properly protected.
IoT security has become the subject of scrutiny after a number of high-profile incidents where a common IoT device was used to infiltrate and attack the larger network. Implementing security measures is critical to ensuring the safety of networks with IoT devices connected to them.
IoT security challenges
A number of challenges prevent the securing of IoT devices and ensuring end-to-end security in an IoT environment. Because the idea of networking appliances and other objects is relatively new, security has not always been considered top priority during a product's design phase. Additionally, because IoT is a nascent market, many product designers and manufacturers are more interested in getting their products to market quickly, rather than taking the necessary steps to build security in from the start.
A major issue cited with IoT security is the use of hardcoded or default passwords, which can lead to security breaches. Even if passwords are changed, they are often not strong enough to prevent infiltration.
Another common issue facing IoT devices is that they are often resource-constrained and do not contain the compute resources necessary to implement strong security. As such, many devices do not or cannot offer advanced security features. For example, sensors that monitor humidity or temperature cannot handle advanced encryption or other security measures. Plus, as many IoT devices are "set it and forget it" -- placed in the field or on a machine and left until end of life -- they hardly ever receive security updates or patches. From a manufacturer's viewpoint, building security in from the start can be costly, slow down development and cause the device not to function as it should.
Connecting legacy assets not inherently designed for IoT connectivity is another security challenge. Replacing legacy infrastructure with connected technology is cost-prohibitive, so many assets will be retrofitted with smart sensors. However, as legacy assets that likely have not been updated or ever had security against modern threats, the attack surface is expanded.
In terms of updates, many systems only include support for a set timeframe. For legacy and new assets, security can lapse if extra support is not added. And as many IoT devices stay in the network for many years, adding security can be challenging.
IoT security is also plagued by a lack of industry-accepted standards. While many IoT security frameworks exist, there is no single agreed-upon framework. Large companies and industry organizations may have their own specific standards, while certain segments, such as industrial IoT, have proprietary, incompatible standards from industry leaders. The variety of these standards makes it difficult to not only secure systems, but also ensure interoperability between them.
The convergence of IT and operational technology (OT) networks has created a number of challenges for security teams, especially those tasked with protecting systems and ensuring end-to-end security in areas outside their realm of expertise. A learning curve is involved, and IT teams with the proper skill sets should be put in charge of IoT security.
Organizations must learn to view security as a shared issue, from manufacturer to service provider to end user. Manufacturers and service providers should prioritize the security and privacy of their products, and also provide encryption and authorization by default, for example. But the onus does not end there; end users must be sure to take their own precautions, including changing passwords, installing patches when available and using security software.
Notable IoT security breaches and IoT hacks
Security experts have long warned of the potential risk of large numbers of unsecured devices connected to the internet since the IoT concept first originated in the late 1990s. A number of attacks subsequently have made headlines, from refrigerators and TVs being used to send spam to hackers infiltrating baby monitors and talking to children. It is important to note that many of the IoT hacks don't target the devices themselves, but rather use IoT devices as an entry point into the larger network.
In 2010, for example, researchers revealed that the Stuxnet virus was used to physically damage Iranian centrifuges, with attacks starting in 2006 but the primary attack occurring in 2009. Often considered one of the earliest examples of an IoT attack, Stuxnet targets supervisory control and data acquisition (SCADA) systems in industrial control systems (ICS), using malware to infect instructions sent by programmable logic controllers (PLCs).
Attacks on industrial networks have only continued, with malware such as CrashOverride/Industroyer, Triton and VPNFilter targeting vulnerable OT and industrial IoT systems.
In December 2013, a researcher at enterprise security firm Proofpoint Inc. discovered the first IoT botnet. According to the researcher, more than 25% of the botnet was made up of devices other than computers, including smart TVs, baby monitors and household appliances.
In 2015, security researchers Charlie Miller and Chris Valasek executed a wireless hack on a Jeep, changing the radio station on the car's media center, turning its windshield wipers and air conditioner on, and stopping the accelerator from working. They said they could also kill the engine, engage the brakes and disable the brakes altogether. Miller and Valasek were able to infiltrate the car's network through Chrysler's in-vehicle connectivity system, Uconnect.
Mirai, one of the largest IoT botnets to date, first attacked journalist Brian Krebs' website and French web host OVH in September 2016; the attacks clocked in at 630 gigabits per second (Gbps) and 1.1 terabits per second (Tbps), respectively. The following month, domain name system (DNS) service provider Dyn's network was targeted, making a number of websites, including Amazon, Netflix, Twitter and The New York Times, unavailable for hours. The attacks infiltrated the network through consumer IoT devices, including IP cameras and routers.
A number of Mirai variants have since emerged, including Hajime, Hide 'N Seek, Masuta, PureMasuta, Wicked botnet and Okiru, among others.
In a January 2017 notice, the Food and Drug Administration (FDA) warned the embedded systems in radio frequency-enabled St. Jude Medical implantable cardiac devices, including pacemakers, defibrillators and resynchronization devices, could be vulnerable to security intrusions and attacks.
IoT security tools and legislation
Many IoT security frameworks exist, but there is no single industry-accepted standard to date. However, simply adopting an IoT security framework can help; they provide tools and checklists to help companies creating and deploying IoT devices. Such frameworks have been released by GSM Association, the IoT Security Foundation, the Industrial Internet Consortium and others.
In September 2015, the Federal Bureau of Investigation released a public service announcement, FBI Alert Number I-091015-PSA, which warned about the potential vulnerabilities of IoT devices and offered consumer protection and defense recommendations.
In August 2017, Congress introduced the IoT Cybersecurity Improvement Act, which would require any IoT device sold to the U.S. government to not use default passwords, not have known vulnerabilities and offer a mechanism to patch the devices. While aimed at those manufacturers creating devices being sold to the government, it set a baseline for security measures all manufacturers should adopt.
Also in August 2017, the Developing Innovation and Growing the Internet of Things (DIGIT) Act passed the Senate, but is still awaiting House approval. This bill would require the Department of Commerce to convene a working group and create a report on IoT, including security and privacy.
While not IoT-specific, the General Data Protection Regulation (GDPR), released in May 2018, unifies data privacy laws across the European Union. These protections extend to IoT devices and their networks and IoT device makers should take them into account.
In June 2018, Congress introduced the State of Modern Application, Research and Trends of IoT Act, or SMART IoT Act, to propose the Department of Commerce to conduct a study of the IoT industry and provide recommendations for the secure growth of IoT devices.
In September 2018, California state legislature approved SB-327 Information privacy: connected devices, a law that introduced security requirements for IoT devices sold in the country.
What industries are most vulnerable to IoT security threats?
IoT security hacks can happen in any industry, from smart home to a manufacturing plant to a connected car. The severity of impact depends greatly on the individual system, the data collected and/or the information it contains.
An attack disabling the brakes of a connected car, for example, or on a connected health device, such as an insulin pump hacked to administer too much medication to a patient, can be life-threatening. Likewise, an attack on a refrigeration system housing medicine that is monitored by an IoT system can ruin the viability of a medicine if temperatures fluctuate. Similarly, an attack on critical infrastructure -- an oil well, energy grid or water supply -- can be disastrous.
Other attacks, however, cannot be underestimated. For example, an attack against smart door locks could potentially allow a burglar to enter a smart home. Or, in other scenarios such as the 2013 Target hack or other security breaches, an attacker could pass malware through a connected system -- an HVAC system in Target's case -- to scrape personally identifiable information, wreaking havoc for those affected.
How to protect IoT systems and devices
IoT security methods vary depending on your specific IoT application and your place in the IoT ecosystem. For example, IoT manufacturers -- from product makers to semiconductor companies -- should concentrate on building security in from the start, making hardware tamper-proof, building secure hardware, ensuring secure upgrades, providing firmware updates/patches and performing dynamic testing. A solution developer's focus should be on secure software development and secure integration. For those deploying IoT systems, hardware security and authentication are critical measures. Likewise, for operators, keeping systems up to date, mitigating malware, auditing, protecting infrastructure and safeguarding credentials are key.
Common IoT security measures include:
- Incorporating security at the design phase. IoT developers should include security at the start of any consumer-, enterprise- or industrial-based device development. Enabling security by default is critical, as well as providing the most recent operating systems and using secure hardware.
- Hardcoded credentials should never be part of the design process. An additional measure developers can take is to require credentials be updated by a user before the device functions. If a device comes with default credentials, users should update them using a strong password or multifactor authentication or biometrics where possible.
- PKI and digital certificates. Public key infrastructure (PKI) and 509 digital certificates play critical roles in the development of secure IoT devices, providing the trust and control needed to distribute and identify public encryption keys, secure data exchanges over networks and verify identity.
- API security. Application performance indicator (API) security is essential to protect the integrity of data being sent from IoT devices to back-end systems and ensure only authorized devices, developers and apps communicate with APIs.
- Identity management. Providing each device with a unique identifier is critical to understanding what the device is, how it behaves, the other devices it interacts with and the proper security measures that should be taken for that device.
- Hardware security. Endpoint hardening includes making devices tamper-proof or tamper-evident. This is especially important when devices will be used in harsh environments or where they will not be monitored physically.
- Strong encryption is critical to securing communication between devices. Data at rest and in transit should be secured using cryptographic algorithms. This includes the use of key lifecycle management.
- Network security. Protecting an IoT network includes ensuring port security, disabling port forwarding and never opening ports when not needed; using antimalware, firewalls and intrusion detection system/intrusion prevention system; blocking unauthorized IP addresses; and ensuring systems are patched and up to date.
- Network access control. NAC can help identify and inventory IoT devices connecting to a network. This will provide a baseline for tracking and monitoring devices.
- IoT devices that need to connect directly to the internet should be segmented into their own networks and have access to enterprise network restricted. Network segments should be monitoring for anomalous activity, where action can be taken, should an issue be detected.
- Security gateways. Acting as an intermediary between IoT devices and the network, security gateways have more processing power, memory and capabilities than the IoT devices themselves, which provides them the ability to implement features such as firewalls to ensure hackers cannot access the IoT devices they connect.
- Patch management/continuous software updates. Providing means of updating devices and software either over network connections or through automation is critical. Having a coordinated disclosure of vulnerabilities is also important to updating devices as soon as possible. Consider end-of-life strategies as well.
- IoT and operational system security are new to many existing security teams. It is critical to keep security staff up to date with new or unknown systems, learn new architectures and programming languages and be ready for new security challenges. C-level and cybersecurity teams should receive regular training to keep up with modern threats and security measures.
- Integrating teams. Along with training, integrating disparate and regularly siloed teams can be useful. For example, having programing developers work with security specialists can help ensure the proper controls are added to devices during the development phase.
- Consumer education. Consumers must be made aware of the dangers of IoT systems and provided steps they can take to stay secure, such as updating default credentials and applying software updates. Consumers can also play a role in requiring device manufacturers to create secure devices, and refusing to use those that don't meet high security standards.
With any IoT deployment, it is critical to weigh the cost of security against the risks prior to implementation.