The Internet of Things (IoT) continues to grow at an unbelievable rate, and creates tremendous benefits and opportunities for society. With it grows the demand for products and services that control, manage, and protect the massive amounts of data streaming from all those network-connected devices. But as they provide more and more advantages, and even become essential to our daily lives, security has not managed to keep pace with the vicissitudes of the rapid development taking place.
This article discusses some of the substantial economic and safety risks, challenges and vulnerabilities, as well as strategic principles and practices to consider when endeavoring to secure your IoT operation or application.
It is no secret that the ubiquity of IoT has led to the increasing prevalence of cybercrime. Data is being stolen at an alarming rate while it is being generated, gathered, and analyzed. Vigilante.pw, a prominent, non-profit website continually logging data breaches and compromised databases, shows in real time just how frequent this problem is.
Data breaches often include payment card information (PCI), personally identifiable information (PII), sensitive personal information (SPI), and protected health information (PHI), which are among the most valuable commodities for sale on the black market.
“Right now there’s a much bigger database leaking/trading scene than ever before,” according to Keen, the pseudo-named owner of Vigilante.pw. “There are a lot of different people playing in this scene. I don’t think anything is getting better, that much is pretty clear, (and) there’s a lot of stuff out there that we don’t even know about.”
In addition to privacy concerns, there are physical risks, too, with IoT connected devices and the information they produce. Concern is escalating over those utilizing them for crimes like impersonation and cyber-theft, and for sowing discord. Harassment and stalking, break-ins, fraudulent transactions, vandalism, and burglary are also possible.
Challenges and Vulnerabilities
Unauthorized access that makes data, property, and lives vulnerable must be avoided, especially in mission-critical environments like banking and healthcare. IoT is mostly dependent on cloud and mobile services for information exchange between applications and their devices. Thus, sufficient measures to configure the security of these interfaces are paramount in making sure data is transferred, processed, and stored safely.
The majority of IoT devices transmit data via a web interface, and many of those transmissions have security holes. Allowing plaintext login credentials, not requiring strong passwords, and not disabling access after a certain number of failed login attempts can all lead to loss of data and loss of control of the IoT device.
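A sketch of the three controls this paragraph names (no plaintext credentials, strong passwords, lockout after repeated failures) for a device web login. This is an added example, not code from the article; the thresholds, the `over_tls` flag and all names are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 300   # assumed policy: 5-minute lockout
MIN_LENGTH = 12         # assumed minimum password length
PBKDF2_ROUNDS = 100_000 # assumed work factor; tune to the device's CPU

def password_is_strong(pw: str) -> bool:
    """Minimum length plus three of four character classes (assumed policy)."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3

def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

class LoginGuard:
    def __init__(self):
        self.users = {}     # username -> (salt, salted hash); never the password
        self.failures = {}  # username -> (failure count, locked-until timestamp)

    def register(self, user: str, pw: str) -> None:
        if not password_is_strong(pw):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(pw, salt))

    def login(self, user: str, pw: str, over_tls: bool, now=None) -> str:
        """over_tls is assumed to be set by the web server from the connection."""
        now = time.time() if now is None else now
        if not over_tls:
            return "rejected: plaintext transport"
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"
        # Unknown users still pay for one hash, so timing does not reveal them.
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(hash_password(pw, salt), stored):
            self.failures.pop(user, None)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[user] = (0 if locked_until else count, locked_until)
        return "denied"
```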
Data can also be intercepted if network communications are unencrypted, or transmitted through insecure protocols. More stringent regulations are necessary to prevent data loss and manipulation. Otherwise, IoT devices may be compromised and used in deviant ways, or rendered unusable.
Regular firmware or software updates may then be necessary once all interfaces are secure. Integrity verification and systems with strong authentication/authorization procedures may be difficult and expensive to implement. However, the risks and results of not doing so may be much costlier!
Physical security is also necessary for many IoT devices. Businesses should mandate strict monitoring and control over the physical access to their devices to safeguard the data used for analytics, application integration, and other purposes. Like cloud and mobile interfaces, the consequences of neglecting physical security can end up being dire.
IoT Security Principles and Practices
Implementing security beyond the basics (which some IoT devices don’t even have) can help mitigate the kinds of risks and vulnerabilities above. The U.S. Department of Homeland Security recommends the following six principles, along with suggested practices to address IoT security challenges [1]:
- Incorporate Security at the Design Phase.
  - Enable security by default through unique, hard to crack default usernames and passwords.
  - Build the device using the most recent operating system that is technically viable and economically feasible.
  - Use hardware that incorporates security features to strengthen the protection and integrity of the device.
  - Design with system and operational disruption in mind. Where feasible, developers should build IoT devices to fail safely and securely, so that the failure does not lead to greater systemic disruption.
- Promote Security Updates and Vulnerability Management.
  - Consider ways in which to secure the device over network connections or through automated means.
  - Consider coordinating software updates among third-party vendors to address vulnerabilities and security improvements to ensure consumer devices have the complete set of current protections.
  - Develop automated mechanisms for addressing vulnerabilities.
  - Develop a policy regarding the coordinated disclosure of vulnerabilities, including associated security practices to address identified vulnerabilities.
  - Develop an end-of-life strategy for IoT products.
- Build on Recognized Security Practices.
  - Start with basic software security and cybersecurity practices and apply them to the IoT ecosystem in flexible, adaptive, and innovative ways.
  - Refer to relevant Sector-Specific Guidance, where it exists, as a starting point from which to consider security practices.
  - Practice defense in depth. Developers and manufacturers should employ a holistic approach to security that includes layered defenses against cybersecurity threats, including user-level tools as potential entry points for malicious actors.
  - Participate in information sharing platforms to report vulnerabilities and receive timely and critical information about current cyber threats and vulnerabilities from public and private partners.
- Prioritize Security Measures According to Potential Impact.
  - Know a device’s intended use and environment, where possible.
  - Perform a “red-teaming” exercise, where developers actively try to bypass the security measures needed at the application, network, data, or physical layers.
  - Identify and authenticate the devices connected to the network, especially for industrial consumers and business networks.
- Promote Transparency across IoT.
  - Conduct end-to-end risk assessments that account for both internal and third party vendor risks, where possible.
  - Consider creating a publicly disclosed mechanism for using vulnerability reports.
  - Consider developing and employing a software bill of materials that can be used as a means of building shared trust among vendors and manufacturers.
- Connect Carefully and Deliberately.
  - Advise IoT consumers on the intended purpose of any network connections.
  - Make intentional connections. There are instances when it is in the consumer’s interest not to connect directly to the Internet, but instead to a local network that can aggregate and evaluate any critical information.
  - Build in controls to allow manufacturers, service providers, and consumers to disable network connections or specific ports when needed or desired to enable selective connectivity.
IRI’s Data-Centric Security Contributions
One example of an IRI data-centric security function is field-level encryption, which can also be format-preserving encryption (FPE). FPE is a best practice in IoT because it allows you to mask and transfer data securely, while maintaining its original format and storage space. Encrypting data values at the field level can stem the losses from device or communication breaches because the data involved was already protected.
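To make the format-preserving idea concrete, here is an added example (not IRI's code or product behaviour): a Feistel network keyed with HMAC-SHA256 that encrypts only the digits of a field and leaves separators and length untouched. It is a teaching construction, not NIST FF1/FF3-1; the key, the sample record and all function names are constructed for the example.

```python
import hashlib
import hmac

ROUNDS = 10            # even, so the two halves end in their original order
DIGITS = "0123456789"

def _prf(key: bytes, rnd: int, n: int, value: int) -> int:
    """Round function: HMAC-SHA256 over round number, field length and half value."""
    msg = f"{rnd}|{n}|{value}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def _feistel(key: bytes, digits: str, decrypt: bool) -> str:
    n = len(digits)
    if n < 6 or any(c not in DIGITS for c in digits):
        # Assumed floor for this example: very short fields are easy to enumerate.
        raise ValueError("need at least 6 decimal digits")
    u, v = n // 2, n - n // 2
    a, b = int(digits[:u]), int(digits[u:])
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in order:
        m = u if i % 2 == 0 else v   # width of the half replaced in round i
        if decrypt:
            a, b = (b - _prf(key, i, n, a)) % 10**m, a
        else:
            a, b = b, (a + _prf(key, i, n, b)) % 10**m
    return f"{a:0{u}d}{b:0{v}d}"

def protect_field(key: bytes, field: str, decrypt: bool = False) -> str:
    """Transform only the digits of a field; every separator keeps its position."""
    out = iter(_feistel(key, "".join(c for c in field if c in DIGITS), decrypt))
    return "".join(next(out) if c in DIGITS else c for c in field)

def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    reading = {"device_id": "thermo-17", "card": "4111-1111-1111-1111"}  # constructed
    masked = dict(reading, card=protect_field(key, reading["card"]))
    restored = protect_field(key, masked["card"], decrypt=True)
    return reading, masked, restored

if __name__ == "__main__":
    print(demo())
```

The masked record fits the same column width and passes the same digit-and-dash pattern checks as the original, so downstream storage and parsers need no changes.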
With 50 billion IoT devices predicted to be in use by 2020, IoT really is at the intersection of big data gathering and communication. The storage, dissemination, and use of that data represent tradeoffs between risks and rewards, so we must strive to protect what’s sensitive in that data. IoT security is not only a means to an end; it’s a necessity to ensure the continued growth and development of free enterprise and information technology. The lifestyles to which we have become accustomed will depend on it.
[1] Strategic Principles for Securing the Internet of Things (IoT), Version 1.0 – DHS Release, November 15, 2016