The internet of things is all around us -- from the Fitbit on your wrist measuring your heart rate to the Amazon...
Echo you ask to play a certain tune or report the weather. It's in the smart traffic management systems that optimize streetlight usage and alleviate congestion on the roadways, as well as the trash barrels that report when they're nearly full to improve sanitation and the efficiency of garbage collectors.
In the enterprise, smart systems are helping to conserve energy and improve efficiency by adjusting the thermostat and turning off the lights in empty rooms. And in manufacturing plants, it's helping managers keep track of assets and monitor wear and tear on machines to predict when they will need repair.
However, despite these promises and benefits, the internet of things increases the security risks businesses and consumers will face. Any device that connects to the internet could potentially be an entry point to infiltrate the larger network.
1. Device discovery
You can't protect what you can't see.
It's one of the oldest security adages around -- and it's certainly relevant in an IoT world. Before you even think about securing your network and devices, it's important to know exactly what you're going to secure. And with the issue of shadow IT ever-present, device awareness has become more difficult -- and critical -- than ever.
Port scanning, protocol analysis and other detection techniques can help enterprises determine which devices connect to the corporate network. Free tools, such as Nmap, Shodan and Masscan, can help. And many vendors offer services that discover, identify and manage IoT devices.
Once you discover which devices connect to your network, perform an IoT risk assessment to understand what they can -- and should -- have access to and why. Organizations should list approved devices on an enterprise asset register, along with the device's associated patch management processes and lifecycle information. You should also include these devices in your regular penetration tests. Capabilities for managing lost or stolen devices -- either remote wiping or at least disabling their connectivity -- will be critical for dealing with compromised IoT devices. Adding other policies that help manage BYOD into your incident response plan could also be beneficial.
Sometimes, connected vulnerable devices might not be as apparent as a connected printer, smart refrigerator or sensors you've added to machinery. Remember the Target point-of-sale data breach? It was caused by someone misusing a contractor's login to the company's connected HVAC system.
2. Authentication and authorization
IoT devices, by definition, have a unique identifier that can help with the tasks of authentication and authorization. Once you've discovered what IoT devices are on your network, it's time to decide what they can access and what they talk to. But with hundreds or thousands of unique IDs to deal with, the task can seem daunting.
First, establish what the device is and what it does, as well as what it needs to access. Operating on the principle of least privilege -- only allowing devices to see and access what is necessary for them to complete their jobs -- is a good start. Also, be sure to update any device that comes with factory-installed default passwords. Strong passwords can help combat IoT risks; two-factor authentication -- or three-factor or four-factor -- is even better.
Generally speaking, hardware-based roots of trust are considered the strongest IoT security option -- these are built directly into the hardware and embedded on the device. Digital certificates issued from a trusted public key infrastructure (PKI) can also be used, although some devices do not have the ability to process these, so other lightweight cryptographic algorithms may be used -- more on those below. Newer technologies, such as biometrics and blockchain, can be used to authenticate IoT devices. Many IoT platforms offer features to manage your devices and control what data, other devices and networks they can access.
3. Device updates
Updating and patching devices is a critical component of any security strategy. However, an IoT environment presents a number of potential patching challenges. First, some devices are inaccessible. What if the sensors are dispersed across hundreds of acres of farmland to detect temperature, humidity and moisture? Or, what if they're on top of a bridge, monitoring its vibration and the weather?
Second, not all devices can be taken offline for long periods of time -- think critical manufacturing equipment that can cost an industrial organization millions if it's offline for an hour or smart grids that have millions of people depending on them for heat or electricity.
Now, add in the fact that some IoT devices are simple sensors, with no user interface or screen -- or that some can't accept updates. What if a device accepts the update, but something in the update corrupts it or causes a system failure? Will you be able to roll back to a known good state? Other devices reach their end of their life and are no longer supported by their manufacturers.
One of the biggest IoT risks is the use of insecure or outdated software and firmware. As part of the device discovery or adoption process, be sure to enter each device into your asset register. Also, be sure to include which versions of software and hardware the devices run, and keep track of when updates are available and track when devices must be retired.
If you can, consider device updates before deploying your IoT system. Be sure over-the-air updates are available and secure. And decide if a device should update automatically or on a periodic schedule; each has its own set of benefits and drawbacks.
Choose your IoT platform wisely. Many contain features to ease the update process and can manage any devices that need rollbacks or resets. Additionally, keep an eye on the IETF Software Updates for Internet of Things working group -- it's developing a standard for IoT firmware updates.
4. Disruption, DDoS attacks and IoT botnets
To fully understand the severity of an IoT distributed denial-of-service (DDoS) attack, look no further than the 2016 Mirai attacks. While the Mirai attacks initially targeted a Minecraft server host, the malware ended up first hitting security journalist Brian Krebs' website and French web host OVH. A month later, the botnet hit domain name system service provider Dyn, which resulted in downtime for several high-profile websites, including Amazon, Netflix and Twitter.
The attacks could have been much worse. A DDoS attack against a game server is a nuisance, but with other targets, Mirai could be detrimental, or even life-threatening, to companies, governments and people.
Unfortunately, it is nearly impossible to prevent a DDoS attack. An organization can take steps to prevent an attack from succeeding, however. Use intrusion prevention and detection systems (IDS and IPS) with DDoS features, or partner with an internet service provider that can detect and filter DDoS packets before they reach your network. You should also follow other basic security hygiene, such as changing default passwords.
5. IoT passwords
The infiltration of the fall 2016 Mirai attacks was traced back to connected cameras and other IoT devices that had factory-default or hardcoded passwords. The cybercriminals infiltrated the servers using these devices and a list of known credentials -- a list that, by some accounts, only had 60 username-password combinations.
The onus here is twofold. Enterprises and end users should be diligent in updating passwords and using strong passwords or passphrases -- a choice they don't have if passwords are hardcoded. Here, manufacturers must take their share of the blame. Simply put, hardcoded passwords are passé and should never be part of a device's design process. Manufacturers can also remedy the default password security issue if they require default credentials be reset by users prior to the device functioning.
Encryption is considered the most effective way to secure data. Cryptography is a key mechanism to prevent privacy risks and protect the integrity of IoT data at rest and in transit between users, companies and other people or devices. It also helps ensure IoT privacy and builds trust between companies and users -- especially when personally identifiable information or sensitive data come into play, such as with embedded and connected medical devices. Encryption also prevents cybercriminals from manipulating or falsifying data.
There's one problem, though. Many connected devices -- think the small sensors collecting temperature, humidity or moisture data -- cause the greatest IoT risks, as they do not have the power, processing or memory resources required to run traditional encryption algorithms, such as AES. These devices must use an algorithm with high security, but low computation -- one that considers the size, power consumption and processing capabilities of resource-constrained devices.
Enter lightweight cryptographic ciphers.
Elliptic curve cryptography, for example, provides the security equivalent of RSA, but with smaller key sizes and operations that require less processing, making it an ideal option for devices with low storage space, processing power and battery life. Other lightweight ciphers include Clefia, a lightweight AES; Enocoro, a hardware-oriented steam cipher; and Speck, an add-rotate-xor cipher.
Experts also recommend using trusted security protocols, such as Transport Layer Security or Datagram Transport Layer Security.
PKI is another tried-and-true security option. PKI can be embedded onto devices at the manufacturing or enterprise level. PKI supports the distribution and identification of public encryption keys, allowing users and devices to securely exchange IoT data, and it issues unique identities and digital certificates to devices.
In addition to using cryptography, ensure you define proper encryption key lifecycle management processes.
7. Securing the network
Beyond securing IoT devices and the data they collect, it is critical to ensure the networks those devices connect to remain safe. It's also important to use traditional security measures, including IPS and IDS, antimalware and firewalls. Many best practices also suggest segmenting the IT network from the IoT network.
One of the major challenges and risks of IoT is the operational technology networks connecting to IT networks generally were never considered a threat. They didn't connect to the internet, and while sometimes subjected to hacks, they did not pose an imminent risk to IT networks. Plus, these legacy systems -- some decades old -- often run their own proprietary systems, meaning common security mechanisms may overlook their issues during routine checks. Because the devices and machines cannot be easily or cost-effectively replaced, organizations must properly update, patch and secure them.
Using network segmentation, organizations can put different networks or parts of networks into different zones or subnetworks -- for example, one for sales, finance, operations and so forth. Each zone has its own customized security policies based on its users and devices.
While a common gripe with network segmentation is it can impede efficiency and connectivity, using a gateway can mitigate these issues. Acting as an intermediary between the device and the network, a security gateway has more processing power, memory and compute capabilities than the IoT devices connecting to it. Therefore, it can implement stronger security measures, such as firewalls and antimalware, closer to the devices, preventing security issues from passing up the network.
Beyond antimalware, firewalls, IDS and IPS, and network segmentation, combat IoT risks by ensuring port security, disabling port forwarding and never opening ports when not needed. It's also critical to block unauthorized IP addresses.
Bandwidth is another common risk of IoT -- more connected devices coming onto the network equals business continuity challenges. If critical applications do not receive their required bandwidth, productivity and efficiency will suffer. To ensure high availability of applications and services, consider adding bandwidth and boosting traffic management and monitoring. This will not only mitigate business continuity risks, but also prevent potential losses. From a project planning standpoint, organizations should do capacity planning and watch the growth rate of the network, so increased bandwidth demand can be met.
Chipmakers and cryptography specialists are doing their part building embedded security for IoT
Read more on updating IoT firmware and software
Don't overlook IoT security -- start at the device level