The internet of things is all around us -- from the Fitbit on your wrist measuring your heart rate to mobile devices...
to the Amazon Echo you ask to play a certain tune or report the weather. It's in the smart traffic management systems that optimize streetlight usage and alleviate congestion on the roadways, as well as the trash barrels that report when they're nearly full to improve sanitation and the efficiency of garbage collectors.
In the enterprise, smart devices and systems are helping to conserve energy and improve efficiency by adjusting the thermostat and turning off the lights in empty rooms. In manufacturing plants, connected sensors help managers keep track of assets and monitor wear and tear on machines to predict when they'll need repair.
However, despite these benefits, the internet of things increases the security risks businesses and consumers face. Any device that connects to the internet is a potential entry point into the larger network, and many IoT devices ship with weaker defaults and fewer security controls than a laptop or server.
Enterprises of all shapes and sizes must prepare for the numerous issues IoT presents. Here are seven of the many inherent IoT security challenges, as well as suggestions to help you mitigate them.
1. Device discovery
You can't protect what you can't see.
It's one of the oldest security adages around -- and it's certainly relevant in the IoT market. Before you even think about network and device security, it's important to know exactly what you're going to secure. And with the issue of shadow IT ever-present, device awareness has become more difficult -- and critical -- than ever.
Port scanning, protocol analysis and passive traffic monitoring can help enterprises determine which devices connect to the corporate network. Free tools help: Nmap and Masscan scan your own address ranges, and Shodan shows which of your devices are already reachable from the internet. Many vendors also offer services that discover, identify and manage IoT devices.
Once you discover which devices connect to your network, perform an IoT risk assessment to understand what they can -- and should -- have access to and why. Organizations should list approved devices on an enterprise asset register, along with the device's associated patch management processes and lifecycle information. You should also include these devices in your regular penetration tests. Capabilities for managing lost or stolen devices -- either remote wiping or, at least, disabling their connectivity -- will be critical for dealing with compromised IoT devices. Adding other policies that help manage BYOD into your incident response plan could also be beneficial.
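The reconciliation step described above, as an added example (not code from the original article or any vendor tool): parse the XML that `nmap -oX` produces, compare every live host against the approved asset register, and flag devices that are not registered as well as registered devices exposing ports they should not. The register layout, the MAC addresses and the scan output are constructed for the example.

```python
"""Reconcile an Nmap scan with the approved IoT asset register.

Added example, not from the original article. The register layout and the
scan below are constructed; the XML follows the element layout of `nmap -oX`.
"""
import xml.etree.ElementTree as ET

# Constructed asset register: MAC -> approved record. A real register lives
# in a CMDB; the field names here are assumptions for the example.
ASSET_REGISTER = {
    "AA:BB:CC:00:00:01": {"name": "lobby-thermostat", "owner": "facilities",
                          "allowed_ports": {443}, "firmware": "2.4.1"},
    "AA:BB:CC:00:00:02": {"name": "print-room-mfp", "owner": "it",
                          "allowed_ports": {443, 9100}, "firmware": "5.0"},
}

# Constructed Nmap XML, abridged to the elements the check needs.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.20.0.11" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:01" addrtype="mac" vendor="ExampleCorp"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.20.0.12" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:02" addrtype="mac" vendor="ExampleCorp"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.20.0.77" addrtype="ipv4"/>
    <address addr="DE:AD:BE:EF:00:99" addrtype="mac"/>
    <ports><port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port></ports>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return [(ip, mac, {open tcp ports})] for every host reported as up."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").upper()
        open_ports = {
            int(p.get("portid"))
            for p in host.iter("port")
            if p.get("protocol") == "tcp" and p.find("state").get("state") == "open"
        }
        hosts.append((ip, mac, open_ports))
    return hosts


def reconcile(xml_text, register):
    """Compare a scan with the register and return a list of findings.

    'unregistered'    -> a live device with no register entry (shadow IoT)
    'unexpected_port' -> a registered device exposing a port it should not
    """
    findings = []
    for ip, mac, open_ports in parse_hosts(xml_text):
        record = register.get(mac)
        if record is None:
            findings.append(("unregistered", ip, mac, sorted(open_ports)))
            continue
        extra = open_ports - record["allowed_ports"]
        if extra:
            findings.append(("unexpected_port", ip, record["name"], sorted(extra)))
    return findings


if __name__ == "__main__":
    for finding in reconcile(SAMPLE_SCAN_XML, ASSET_REGISTER):
        print(*finding)
```

Nmap only reports MAC addresses for hosts on the scanner's own subnet, so run the scan from inside each IoT segment (or key the register on IP reservations as well) before trusting an "unregistered" result.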
Sometimes, vulnerable connected devices are less obvious than a networked printer, a smart refrigerator or the sensors you bolted onto machinery. Remember the Target point-of-sale data breach? Attackers got in with network credentials stolen from the retailer's HVAC contractor, an access path nobody had treated as part of the attack surface.
2. Authentication and authorization
IoT devices usually carry a unique identifier, whether a serial number, a MAC address or, better, a key or certificate provisioned at manufacture, and that identity is the basis for authentication and authorization. Once you've discovered which IoT devices are on your network, decide what each may access and what it may talk to. With hundreds or thousands of identities to deal with, the task can seem daunting.
First, establish what the device is, what it does and what it needs to access. Operate on the principle of least privilege: allow each device to see and reach only what is necessary for it to do its job, and deny everything else by default. Change the factory-default credentials on every device before it goes into service. Strong, unique credentials per device help; multifactor authentication for the management interfaces and the accounts that administer devices is better still.
Generally speaking, a hardware root of trust is the strongest option: a secure element or TPM holds a per-device private key that never leaves the chip, so the device can prove its identity (and, with attestation, what firmware it is running) without a secret that can be copied off it. Digital certificates issued from a trusted public key infrastructure (PKI) build on this; devices too small to handle RSA certificates can usually manage elliptic-curve ones, and lightweight algorithms exist for the smallest parts (more on those below). Biometrics can authenticate the people who operate devices, and some platforms use distributed ledgers as a device identity registry. Many IoT platforms offer features to manage your devices and control what data, other devices and networks they can access.
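Least privilege for devices, as an added example (not code from the article or any IoT platform): a deny-by-default authorization check of the kind an MQTT broker or gateway applies after a device has authenticated. The device IDs and topic layout are assumptions; the device identity passed in must come from the authenticated connection (for example the client certificate), never from a name the device claims in its message.

```python
"""Deny-by-default authorization for IoT devices on an MQTT-style broker.

Added example, not from the article or any vendor platform. The device
identities and topic layout are assumptions chosen for the example.
"""

# Constructed policy: each device may publish/subscribe only to the topics
# its job needs. '+' matches one topic level, '#' matches the remainder.
POLICY = {
    "sensor-0042": {
        "publish":   ["site/a/sensor-0042/telemetry"],
        "subscribe": ["site/a/sensor-0042/cmd"],
    },
    "gateway-a": {
        "publish":   ["site/a/+/cmd"],      # may command any device on site a
        "subscribe": ["site/a/#"],          # may read everything on site a
    },
}


def topic_matches(pattern, topic):
    """MQTT-style wildcard match: '+' is one level, '#' only as the last level."""
    p_parts = pattern.split("/")
    t_parts = topic.split("/")
    for i, p in enumerate(p_parts):
        if p == "#":
            return i == len(p_parts) - 1      # '#' anywhere else is an invalid pattern
        if i >= len(t_parts):
            return False
        if p != "+" and p != t_parts[i]:
            return False
    return len(p_parts) == len(t_parts)


def authorize(device_id, action, topic, policy=POLICY):
    """Return True only if an explicit rule allows this device/action/topic.

    device_id must be the identity established at authentication time
    (e.g. the client certificate's subject), not a value the device sends.
    """
    if action not in ("publish", "subscribe"):
        return False
    rules = policy.get(device_id)
    if rules is None:                 # unknown device: no rule, no access
        return False
    return any(topic_matches(p, topic) for p in rules.get(action, []))


def overbroad_rules(policy=POLICY):
    """Audit helper: rules that grant a whole site or the whole broker."""
    return sorted(
        (dev, action, p)
        for dev, rules in policy.items()
        for action, patterns in rules.items()
        for p in patterns
        if p == "#" or p.endswith("/#")
    )


if __name__ == "__main__":
    print(authorize("sensor-0042", "publish", "site/a/sensor-0042/telemetry"))  # True
    print(authorize("sensor-0042", "publish", "site/a/sensor-0043/telemetry"))  # False
    print(overbroad_rules())
```

A sensor that tries to publish under another sensor's ID, or to subscribe to the whole site, is refused without any special-casing because nothing in the policy grants it. The audit helper lists the broad grants so that a reviewer can confirm each one belongs to a gateway rather than an endpoint.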
3. Device updates
Updating and patching devices is a critical component of any security strategy. However, an IoT environment presents several potential patching challenges. First, some devices are inaccessible. What if the sensors are dispersed across hundreds of acres of farmland to detect temperature, humidity and moisture? Or what if they're on top of a bridge, monitoring its vibration and the weather?
Second, not all devices can be taken offline for long periods of time -- think critical manufacturing equipment that can cost an industrial organization millions of dollars if it's offline for an hour or smart grids that have millions of people depending on them for heat or electricity.
Now, add in the fact that some IoT devices are simple sensors, with no user interface or screen, or that some can't accept updates. What if a device accepts the update, but something in the update corrupts it or causes a system failure? Will you be able to roll back to a known good state? Other devices reach their end of life and are no longer supported by their manufacturers.
One of the biggest IoT security challenges is the use of insecure or outdated software and firmware. As part of device discovery or adoption, enter each device into your asset register with the hardware revision and firmware version it runs, track when updates become available, and record when the vendor's support ends so the device can be retired on schedule.
Plan for updates before you deploy an IoT system, not after. Make sure over-the-air updates are available and secure: images signed by the vendor, signatures and digests verified on the device before installation, a version check so that an attacker cannot push an older, vulnerable image back onto the device, and a way to roll back to the previous known-good image if the new one fails. Then decide between automatic updates and a periodic schedule; each has its own benefits and drawbacks.
Choose your IoT platform wisely. Many contain features to ease the update process, such as automation, and can manage devices that need rollbacks or resets. Also keep an eye on the IETF Software Updates for Internet of Things (SUIT) working group, which is standardizing a signed manifest format for IoT firmware updates; its architecture (RFC 9019) and manifest information model (RFC 9124) are already published.
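The update-side checks from the last three paragraphs, as an added example (not code from the article or from the SUIT drafts): an A/B-slot device that verifies the image digest against a manifest, refuses downgrades, switches to the new slot and reverts to the previous known-good slot if the new image fails its first health check. The manifest is a two-field stand-in for a SUIT manifest; the example assumes the manifest's signature has already been verified by code outside this block, and the `image_boots` health check is a placeholder for whatever the device can actually test.

```python
"""A/B firmware slots with digest verification, anti-rollback and auto-revert.

Added example, not from the article or the IETF SUIT documents. The manifest
here carries only a version and a SHA-256 digest; real manifests are signed,
and the signature must be checked before install() is called (assumed here).
"""
import hashlib


class UpdateError(Exception):
    """Raised when an update must not be installed."""


def make_manifest(version, image):
    """Build the minimal manifest the device checks (assumed format)."""
    return {"version": version, "sha256": hashlib.sha256(image).hexdigest()}


def image_boots(image):
    """Stand-in health check: a real device would test connectivity, sensors, etc."""
    return image.startswith(b"FW")


class Device:
    def __init__(self, initial_image, version):
        # Two slots: the active one runs; the other keeps the last known-good image.
        self.slots = {"A": (version, initial_image), "B": None}
        self.active = "A"
        self.confirmed = True      # the active image has passed a health check

    @property
    def version(self):
        return self.slots[self.active][0]

    def _inactive(self):
        return "B" if self.active == "A" else "A"

    def install(self, manifest, image):
        """Verify, write the image into the inactive slot and switch to it."""
        if manifest["version"] <= self.version:
            raise UpdateError("anti-rollback: %s is not newer than %s"
                              % (manifest["version"], self.version))
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            raise UpdateError("digest mismatch: image corrupt or tampered with")
        slot = self._inactive()
        self.slots[slot] = (manifest["version"], image)
        self.active = slot
        self.confirmed = False     # must survive a health check before it is trusted
        return slot

    def boot(self, health_check=image_boots):
        """Boot the active slot; revert to the other slot if a fresh image fails."""
        if health_check(self.slots[self.active][1]):
            self.confirmed = True
            return self.active, "ok"
        if not self.confirmed and self.slots[self._inactive()] is not None:
            self.active = self._inactive()      # fall back to the known-good image
            self.confirmed = True
            return self.active, "reverted"
        return self.active, "failed"            # known-good image itself failing


if __name__ == "__main__":
    d = Device(b"FW-v1", 1)
    good = b"FW-v2"
    print(d.install(make_manifest(2, good), good), d.boot())        # B ('B', 'ok')
    bad = b"XX-v3"
    print(d.install(make_manifest(3, bad), bad), d.boot())          # A ('B', 'reverted')
    print(d.version)                                                # 2
```

Note that the anti-rollback check compares against the version of the image that actually survived, so after a revert the device still accepts the next properly signed newer release.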
4. Disruption, DDoS attacks and IoT botnets
To understand the severity of an IoT distributed denial-of-service (DDoS) attack, look no further than the 2016 Mirai attacks. Mirai's authors built the botnet for feuds in the Minecraft server-hosting business, but its first headline victims, in September 2016, were security journalist Brian Krebs' website and French web host OVH, hit with attack traffic measured in hundreds of gigabits per second. In October, the botnet hit DNS provider Dyn, which caused outages for several high-profile websites, including Amazon, Netflix and Twitter.
The attacks could have been much worse. A DDoS attack against a game server is a nuisance, but with other targets, Mirai could be detrimental, or even life-threatening, to companies, governments and people.
Unfortunately, you can't stop someone from launching a DDoS attack against you; what you can do is keep it from succeeding and keep your own devices from taking part. Use intrusion detection and prevention systems (IDSes and IPSes) with DDoS features, or partner with an internet service provider or scrubbing service that can filter attack traffic before it reaches your network. On the other side, watch outbound traffic from IoT segments for botnet recruitment behavior, such as a camera suddenly probing thousands of internet addresses on the telnet port, and follow basic hygiene such as changing default passwords.
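The outbound-watch just described, as an added example (not code from the article): Mirai recruited new bots by scanning random internet addresses on TCP 23 and 2323, so an IoT device that fans out to many external hosts on those ports is a strong signal. The flow-log format (timestamp, source, destination, destination port, protocol) and the log lines are constructed for the example, and the IoT segment and threshold are assumptions.

```python
"""Spot IoT devices that behave like Mirai recruits in flow logs.

Added example, not from the article. The log lines are constructed and the
format (ts src dst dport proto) is an assumption, not any product's export.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("10.20.0.0/24")                 # assumed IoT VLAN
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
TELNET_PORTS = {23, 2323}                                 # Mirai's scan targets
FANOUT_THRESHOLD = 10        # distinct external hosts probed before we alert

# Constructed flows: one camera probing a dozen internet hosts on telnet,
# one well-behaved device, an internal telnet session, and an IT host scanning.
SAMPLE_FLOWS = "\n".join(
    ["# ts src dst dport proto (constructed)"]
    + ["1700000%03d 10.20.0.12 203.0.113.%d %d tcp" % (i, i, 23 if i % 2 else 2323)
       for i in range(1, 13)]
    + ["1700000100 10.20.0.11 192.0.2.10 443 tcp",
       "1700000101 10.20.0.11 203.0.113.50 23 tcp",
       "1700000102 10.20.0.11 203.0.113.51 23 tcp",
       "1700000103 10.20.0.12 10.20.0.1 23 tcp"]
    + ["1700000%03d 10.10.0.5 198.51.100.%d 23 tcp" % (200 + i, i) for i in range(1, 12)]
)


def _external(ip):
    return not any(ip in net for net in INTERNAL)


def parse_flows(text):
    """Parse 'ts src dst dport proto' lines into tuples; skip comments/blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), ip_address(src), ip_address(dst), int(dport), proto))
    return flows


def find_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Sources that probed >= threshold distinct external hosts on telnet ports,
    mapped to the number of hosts they probed."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in TELNET_PORTS and _external(dst):
            targets[src].add(dst)
    return {str(src): len(t) for src, t in targets.items() if len(t) >= threshold}


def quarantine_list(flows):
    """Scanners inside the IoT segment: candidates for an egress block or isolation."""
    return sorted(src for src in find_scanners(flows) if ip_address(src) in IOT_SEGMENT)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(find_scanners(flows))       # {'10.20.0.12': 12, '10.10.0.5': 11}
    print(quarantine_list(flows))     # ['10.20.0.12']
```

In production, bucket the flows by time window so that a device's lifetime total does not trip the threshold, and pair the alert with an automatic egress block on the IoT segment: a thermostat has no business opening telnet sessions to the internet at all.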
5. IoT passwords
Mirai built its botnet from connected cameras, DVRs and home routers that had factory-default or hardcoded passwords. The malware scanned the internet for devices with telnet open and tried a list of known credentials, a list that, by most accounts, held only about 60 username-password combinations.
The onus here is twofold. Enterprises and end users should be diligent in updating passwords and using strong passwords or passphrases -- a choice they don't have if passwords are hardcoded. Here, manufacturers must take their share of the blame. Simply put, hardcoded passwords are passé and should never be part of a device's design process. Manufacturers can also remedy default password security concerns if they require default credentials be reset by users prior to the device functioning.
6. Encryption
Encryption is one of the most effective ways to protect data. Cryptography protects the confidentiality of IoT data at rest and in transit between the user, the company, customers and other devices, and it helps ensure privacy and build trust between companies and users, especially when personally identifiable or sensitive data is involved, as with embedded and connected medical devices. Note that encryption alone does not stop an attacker from manipulating or forging data; for that you need authenticated encryption (such as AES-GCM or ChaCha20-Poly1305) or a separate message authentication code or signature.
There's one problem, though. Many connected devices, think of the small sensors collecting temperature, humidity or moisture data, have limited power, processing and memory. AES itself is cheap, and many microcontrollers include a hardware AES engine, but a full TLS stack with RSA-based certificates and handshakes can be beyond the smallest parts. These devices need algorithms and protocols that provide high security at low cost, sized to their power budget and processing capabilities.
Enter lightweight cryptographic ciphers.
Elliptic curve cryptography, for example, provides security equivalent to RSA with much smaller keys (a 256-bit ECC key is comparable to a 3072-bit RSA key) and cheaper operations, making it the usual public-key choice for devices with little storage, processing power or battery life. Lightweight symmetric ciphers include CLEFIA, a 128-bit block cipher designed for compact hardware and software implementations; Enocoro, a hardware-oriented stream cipher; and Speck, an add-rotate-xor cipher. NIST's lightweight cryptography project selected the Ascon family in 2023 as its standard for authenticated encryption and hashing on constrained devices.
Experts also recommend using trusted, standard security protocols rather than home-grown ones: Transport Layer Security (TLS) for TCP-based traffic and Datagram TLS (DTLS) for UDP-based protocols such as CoAP.
PKI is another tried-and-true option. Keys and certificates can be provisioned onto devices at manufacture or during enterprise enrollment. PKI supports the distribution and verification of public keys, so users and devices can identify one another and exchange IoT data securely, and it gives each device a unique identity in the form of a certificate.
In addition to using cryptography, define proper key lifecycle management: how keys are generated and provisioned, how long they live, how they are rotated without taking devices offline, and how they are revoked when a device is lost, compromised or retired.
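The two points above that a naive deployment gets wrong, integrity (not just secrecy) and key lifecycle, as one added example that is not code from the article: a per-device key store that provisions keys, rotates them with an overlap window so a device that has not yet picked up its new key is not cut off, revokes a device outright, and verifies HMAC-SHA256 tags over a sequence number plus the message so that replayed or forged telemetry is rejected. The rotation period, overlap window, device IDs and messages are assumptions; a production store would keep the keys in an HSM or KMS and the device side in a secure element.

```python
"""Per-device key lifecycle: provision, rotate with an overlap window, revoke,
and verify integrity-protected, replay-resistant messages.

Added example, not from the article. Uses HMAC-SHA256 with per-device keys;
the periods below are assumed values.
"""
import hashlib
import hmac
import secrets

ROTATION_PERIOD = 30 * 24 * 3600     # rotate every 30 days (assumed)
OVERLAP = 24 * 3600                  # old key still accepted for a day after rotation


def sign(key, seq, message):
    """Tag = HMAC-SHA256(key, seq || message). Binding seq defeats replay."""
    return hmac.new(key, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()


class KeyStore:
    def __init__(self):
        self.keys = {}         # device_id -> [[key_id, key, created_at, retired_at]]
        self.revoked = set()
        self.last_seq = {}     # device_id -> highest sequence number accepted

    def provision(self, device_id, now):
        """Create a fresh key for a device; returns (key_id, key) to load on it."""
        entries = self.keys.setdefault(device_id, [])
        key_id = "%s-k%d" % (device_id, len(entries) + 1)
        key = secrets.token_bytes(32)
        entries.append([key_id, key, now, None])
        return key_id, key

    def rotate(self, device_id, now):
        """Issue a new key; the old one stays usable until now + OVERLAP."""
        for entry in self.keys[device_id]:
            if entry[3] is None:
                entry[3] = now
        return self.provision(device_id, now)

    def revoke(self, device_id):
        """Lost, compromised or decommissioned device: nothing from it is trusted."""
        self.revoked.add(device_id)

    def due_for_rotation(self, device_id, now):
        return any(e[3] is None and now - e[2] >= ROTATION_PERIOD
                   for e in self.keys.get(device_id, []))

    def _usable_key(self, device_id, key_id, now):
        if device_id in self.revoked:
            return None
        for kid, key, _created, retired in self.keys.get(device_id, []):
            if kid == key_id and (retired is None or now < retired + OVERLAP):
                return key
        return None

    def verify(self, device_id, key_id, seq, message, tag, now):
        """True only for a valid tag under a currently acceptable key and a fresh seq."""
        key = self._usable_key(device_id, key_id, now)
        if key is None:
            return False
        if not hmac.compare_digest(sign(key, seq, message), tag):
            return False
        if seq <= self.last_seq.get(device_id, -1):
            return False             # replayed or out-of-order message
        self.last_seq[device_id] = seq
        return True


if __name__ == "__main__":
    T0 = 1_700_000_000
    ks = KeyStore()
    kid, key = ks.provision("sensor-0042", T0)
    msg = b"temp=21.5"
    tag = sign(key, 1, msg)
    print(ks.verify("sensor-0042", kid, 1, msg, tag, T0 + 5))    # True
    print(ks.verify("sensor-0042", kid, 1, msg, tag, T0 + 9))    # False (replay)
```

The key ID travels with each message so the server knows which generation to check; the overlap window is what lets you rotate without a maintenance window, and revocation is checked before anything else so a stolen device's valid key buys it nothing.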
7. Securing the network
Beyond securing IoT devices and the data they collect, it is critical to ensure the networks those devices connect to remain safe from unauthorized access and ransomware. Traditional controls still apply: IPSes and IDSes, antimalware and firewalls. Most best-practice guidance also calls for segmenting the IoT network from the IT network.
One of the major IoT security challenges is that operational technology (OT) networks are now being connected to IT networks, and OT was generally never treated as a threat. These systems didn't connect to the internet and, while occasionally hacked, posed no immediate risk to IT networks. Plus, these legacy systems, some decades old, often run proprietary software and protocols, so common security tooling may overlook their issues during routine checks. Because the devices and machines cannot be easily or cost-effectively replaced, organizations must find ways to update, patch and secure them in place, and to isolate whatever cannot be patched.
Using network segmentation, organizations can put different networks or parts of networks into zones or subnetworks, one for sales, one for finance, one for operations, one for IoT devices and so forth, using VLANs or separate physical networks with a firewall between them. Each zone gets its own security policy based on its users and devices, and traffic between zones is denied unless explicitly allowed.
While a common gripe with network segmentation is it can impede efficiency and connectivity, using a gateway can mitigate these issues. Acting as an intermediary between the device and the network, a security gateway has more processing power, memory and compute capabilities than the IoT devices connecting to it. Therefore, it can implement stronger security measures, such as firewalls and antimalware, closer to the devices, preventing security threats from passing up the network.
Beyond antimalware, firewalls, IDSes and IPSes, and network segmentation, reduce IoT risk by locking down ports: disable port forwarding on routers, never open a port that isn't needed and close any that turn up open during discovery. It's equally important to restrict which addresses devices may talk to, with an allowlist of the broker, update server and NTP/DNS servers a device needs and everything else blocked.
Bandwidth is another common IoT risk: as you scale, every additional connected device competes for the network, and business continuity suffers if critical applications don't get the bandwidth they need. To keep applications and services highly available, consider adding bandwidth and improving traffic management and monitoring; that mitigates continuity risk and prevents the losses that follow an outage. From a project planning standpoint, do capacity planning and watch the network's growth rate, so that future demand can be met before it becomes a problem.
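The zone policy from the segmentation paragraphs above, as an added example (not code from the article or any firewall product): zones defined by address range, an explicit allowlist of inter-zone flows, deny for everything else, and an audit that runs observed flows through the policy to find traffic a firewall should have blocked. The zone ranges, the allowed flows and the flow lines are constructed for the example; the same `is_allowed` decision is what you would encode as firewall rules between the VLANs.

```python
"""Audit observed flows against an inter-zone allowlist.

Added example, not from the article. Zones, allowed flows and the flow log
(ts src dst dport proto) are all constructed for illustration.
"""
from ipaddress import ip_address, ip_network

ZONES = {
    "iot":     [ip_network("10.20.0.0/24")],
    "it":      [ip_network("10.10.0.0/16")],
    "gateway": [ip_network("10.30.0.0/28")],
}
# Allowed inter-zone flows: (src_zone, dst_zone) -> {(proto, dport)}.
# Anything not listed is denied, including all IoT -> IT and IoT -> internet.
ALLOWED = {
    ("iot", "gateway"):      {("tcp", 8883), ("udp", 123)},   # MQTT over TLS, NTP
    ("gateway", "iot"):      {("tcp", 443)},                  # firmware pushes
    ("gateway", "internet"): {("tcp", 443)},                  # cloud broker / updates
    ("it", "gateway"):       {("tcp", 443)},
    ("it", "iot"):           {("tcp", 22)},                   # admin access only
}

SAMPLE_FLOWS = """# ts src dst dport proto (constructed)
1700000001 10.20.0.12 10.30.0.2 8883 tcp
1700000002 10.20.0.12 10.10.4.20 445 tcp
1700000003 10.20.0.12 203.0.113.7 23 tcp
1700000004 10.30.0.2 10.20.0.12 443 tcp
1700000005 10.10.0.5 10.20.0.12 22 tcp
1700000006 10.10.0.5 10.20.0.12 80 tcp
1700000007 10.20.0.13 10.20.0.12 1883 tcp
"""


def zone_of(ip):
    """Name of the zone an address belongs to; anything unknown is 'internet'."""
    ip = ip_address(str(ip))
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "internet"


def is_allowed(src, dst, dport, proto):
    """Deny-by-default decision for one flow (the rule a zone firewall enforces)."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True      # intra-zone traffic is governed by the zone's own policy
    return (proto, dport) in ALLOWED.get((sz, dz), set())


def audit(flow_text):
    """Return (src_zone, src, dst_zone, dst, dport, proto) for every disallowed flow."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, dport, proto = line.split()
        if not is_allowed(src, dst, int(dport), proto):
            violations.append((zone_of(src), src, zone_of(dst), dst, int(dport), proto))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION", *v)
```

Seeing a violation in a flow log means the traffic actually passed, so each hit is either a missing firewall rule or a device that has been moved onto the wrong segment; both are worth a ticket.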