In our previous article on IoT security "What is IoT Security and Why is it Important for Businesses", we talked about how the Internet of Things, although a very positive move for business productivity and communications, has opened up the cybersecurity attack surface.
The decision to implement an IoT strategy can be daunting when security issues are taken into consideration. This is also complicated by the costs of securing IoT devices along with associated services and systems – Gartner predicting costs of $1.5 billion by the end of 2018.
In the world of cybersecurity, knowledge is power. If you know what you have to deal with you can put more effective structures in place. To this end, here are our top 10 tips for business in securing the Internet of Things:
There is no point in locking the door if you have given the key away. Authentication that is robust and effective is Security 101 for the IoT.
Areas of authentication that cause concern include:
A Ponemon/Thales study “2018 Global PKI Trends Study” has found that 44 percent of organizations are using the IoT as a driving force in the uptake of Public Key Infrastructure (PKI) enabled applications.
Encryption is a fundamental method to protect data at rest and in transit. The IoT produces and consumes masses of data, so encryption becomes part of the overall system. PKI is a way of managing public key-based encryption and digital signing. PKI is based on the idea of paired keys: a public and a private key.
The private key is always kept secret by the owner, but the matching public key is shared to allow a secure connection to be made - like an encrypted handshake. PKI underpins many of the secure processes we take for granted, including the encrypted Internet communications that utilize the SSL/TLS protocol.
Any Internet-enabled or other connected device-based system must use PKI and encryption to ensure:
PKI requires digital certificates to identify the actors in the system – these need to be issued by a trusted Certificate Authority (CA). The entire integrity of the process is dependent on the CA trustworthiness.
If you don’t already, consider using a managed PKI service to manage the certificate lifecycle: certification, issuance, re-issuance, and expiration.
Security logs can give you an early warning about a security issue or they can give you the evidence to determine the cause of a security incident.
Either way, they are very important to generate and understand. Ensure that you can log across a number of areas of your IoT infrastructure, including physical access via USB ports.
Many IoT devices are associated with mobile apps. Security measures must extend to any connected apps.
An example is in the access control to an IoT mobile app. If at all possible, set in place second-factor authentication to access the mobile app. OWASP, who keep watch on IoT vulnerabilities, also recommend ensuring that any mobile app uses transport encryption.
Universal Plug and Play is a discovery protocol to allow devices to automatically find other devices on a network.
Unfortunately, uPNP flaws are used by hackers as an exploit to infect devices with malware. One of the latest uPNP vulnerabilities targets BroadCom’s implementation of the protocol. NetLab 360 believe malware has infected around 100,000 routers this way.
It is important to either not use uPNP at all or if you must use it, ensure that device firmware is always fully patched and up to date.
Vulnerability management is essential for all applications, and IoT devices and related services are no exception.
Cybercriminals target “firmware” on IoT devices. This is the software that controls the device. You must always keep the firmware patched and up to date. You can do this either automatically if the device manufacturer has auto updates setup or manually. If you perform updates manually, make sure you do so from a genuine and reputable website associated with the device manufacturer.
An IoT device can be a valuable item. They are also easy prey for thieves as they are often small and can be placed in remote places with no human user in touch control. The hyper-connectivity of devices means that if one device is compromised, it might lead to a domino effect across other devices. Because of this, device physical security is also important to include in your IoT security strategy. A fundamental part of ensuring the physical security of IoT devices is to close unnecessary ports.
Physical security is not just about the protection of a device. Another aspect of the IoT is the use of sensors that generate data. The integrity of these data depends on the physical protection of the sensors. If a sensor can be manipulated or is just simply faulty, the data generated might produce skewed and inaccurate analytical results.
The IoT Security Foundation (IoTSF) gives some excellent advice on protecting the more physical aspects of your IoT devices.
IoT devices are not islands. They link up across Cloud infrastructure and the data they generate flows across, and in and out, of the connected parts. Cloud security is paramount, and you should look at a number of areas within the Cloud part of your IoT deployment.
Related Posts: Cloud Security: Protecting Data in the Cloud
A cautious approach to the purchase of smart devices is a sensible one.
Security should be an integral part of the design remit of the manufacturer/supplier/deployer. If placing a large order, ask for evidence of security tests that are carried out on the device and associated services/apps. Look at areas such as the use of secure-coding techniques, code analysis, and vulnerability testing.
Although there are currently no global standards for IoT security, there are working groups, including at the Internet Society Internet Engineering Task Force (IETF), who are pushing for standard protocols. There are, however, other general Internet standards that should be used by manufacturers/suppliers, including TLS/SSL and encryption standards.
Can the device easily use PKI managed services, i.e. does the device(s) have built-in capability to utilize a cloud PKI management system?
One more thing, you should reconsider purchase if the manufacturer uses hard-coded credentials.
Knowing which devices you have in play is essential.
An inventory of devices also allows you to map data movement. This then feeds into security policy and strategy – giving you the knowledge to know where to put technological measures in place to prevent data exposure and close off vulnerabilities.
You should also consider continuous monitoring of smart devices and their traffic so you can spot anomalies and unexpected behavior; IoT devices open up the attack surface for both external hackers as well as insider threats.
An overriding aspect of securing your IoT infrastructure and beyond, is being aware of what you are up against.
Security awareness across your organization is a good way to build a culture of security that engages everyone encouraging a cyber-safe mindset. When security becomes second nature, secure actions are more likely to follow. Cybersecurity is a companywide venture and one which is even more important with the IoT extending the reach of business.
Everyone that works with data and IoT devices should be aware of the security issues that they bring to the workplace, and how to manage them. This includes the extended vendor ecosystem too; after all, your defenses are only as strong as the weakest human link.
By 2025, 25 percent of the data we generate will be real-time; this means we have to get security right from the start, and filter this across all of our business functions. The Internet of Things brings us security challenges, but we can meet them using know-how and by applying practical fixes.
As part of the push towards a hyper-connected world, organizations need to keep on top of their most critical assets. Knowing what you have, within departments across your business functions, will help you to identify the areas of highest priority.
Our top 10 tips will help inform your overall IoT cybersecurity strategy and allow you to implement security measures across your company, no matter how extended it becomes.