There are no guarantees when it comes to keeping anything secure, IoT security included.
“100% security from 100% of threats is 100% impossible.”
A safe bet, and perhaps as close to a guarantee as you can get is,
“Neglect security and you’re bound to experience bad things”
Try leaving your car doors unlocked, with the keys in the ignition, in an unlit parking lot overnight. IoT security is no different.
When it comes to the Internet of Things, security is in its infancy. But that is not an excuse to neglect it. Start with the basics: “Don’t make it easy for bad things to happen.”
- Identify potential threats early and continuously
- Assess Impact and Probability
- Put appropriate controls in place
- Apply best practices where they exist
The remainder of this blog will explore these concepts in more detail while focusing on what is practical today.
Security is Risk Management
Security as a practice, whether for protecting a home or a cloud data center, is the management of risks: You identify something bad that could happen. Next, you figure out how you can protect against it. Finally, you reduce the likelihood of it occurring, re-occurring, or causing serious damage.
For example, you want your home to be secure. The front door is a potential entry for thieves. Therefore, you install a quality lock as a form of security. It will reduce the likelihood of an intruder coming through your front door. But is your home secure now? No, a front door lock will not secure your home from other dangers, like a fire. So you mitigate that risk with fire alarms that reduce the likeliness of serious damage occurring. And on it goes until you have a relative level of security that you are comfortable with.
With IoT, much has been written about security solutions, or lack thereof. As an example, this graphic from Forrester identifies the state of IoT security solutions. Note that none have reached a point of maturity nor is any one solution a comprehensive solution for an entire IoT System. Like a home needs door locks and fire alarms, the IoT requires many security IoT solutions to secure the entire IoT system.
Security in IoT is much more than a measure to prevent someone from hacking into your IoT device and using it as a weapon, or hacking into an IoT device in order to access sensitive data on a cloud server. Security plans for IoT solutions must also include theft of a device, fire destroying a device, network outages, and whatever harm you can imagine.
A brief IT Security History
IT security has evolved with technology and the way we access technology over time.
In the era of stand-alone personal computers, security consisted of preventing them from being stolen. We soon after started exchanging software and data via tapes and disks. These introduced the risk of a PC virus which could unknowingly be installed by corrupt disks. While rare, it was definitely something that caused concern.
We then started connecting PCs to each other to form local area networks. Again, while rare, we opened up the possibility for issues originating from any PC in the network that may have inserted one of those infected disks. Physical security still remained the main concern.
When PCs began connecting to the internet, the world changed, and so did the bad guys. Now people could download and install malicious software without the user’s knowledge. At first, many CIO’s and CEO’s simply refused to give their employees access out of fear. But most people found workarounds and were able to demonstrate the productivity gains the internet provides. Soon, the productivity gains outweighed the risks and fear, forcing CIO’s to find solutions for security. This forced the evolution of IT Security standards, such as
- SSAE16
- ISO 27001
- NIST
- FEDRAMP
Now, an internet connection to access email, cloud, and SaaS tools and data is expected by employees everywhere and IT organizations are able to support these services with a fairly high level of confidence that bad things won’t happen.
In addition to security standards, an entire industry of services has evolved:
- IDS/IPS
- DDOS
- SOC/NOC
- SIEM
While these standards and services cannot provide 100% protection, they have evolved to a point where most companies are allowing their employees to leverage internet technology in their daily work.
IoT presents a new layer of security complexity
We have seen our homes, offices, factories, cars, phones, watches and almost every inanimate object become “smart” by embedding them with electronics, sensors, and actuators. By themselves, security concerns have primarily consisted of device theft and user safety, similar to the stand-alone PC days.
Now these smart devices are connected to the internet. Through the internet they are sending data and receiving commands from software running on cloud servers. This introduces risks that have not been accounted for in our IT security standards and services. And based on the Forrester report, it seems that these standards and services are still in the incubation stage.
How should an enterprise adopt IoT given the risk?
In the absence of standards, how does an IoT product owner make it hard for bad things to happen?
1. Identify potential threats early and continuously
An IoT product, at a high level, consists of data traversing three distinct layers of technology.
Early in the design process, when defining constraints and requirements across the layers of IoT, it’s important to establish an inventory of threats (or bad things that can happen). What bad could happen to the Things, the Internet, The cloud software and infrastructure, and the data? Try to consider threats over three different angles: confidentiality, integrity, and availability.
Confidentiality
A breach in confidentiality generally refers to unwanted access or use of the system and or data. Safe guards such as data encryption, 2-factor authentication to access the system, biometric verification, and isolation are examples of ways security professionals have managed the risk of a confidentiality breach.
Availability
A breach in availability generally refers to the system and or data not being accessible to devices and or people. Signs of a highly available system include uptime commitments and time-to-recover from a failure of any cog in the system.
Integrity
A breach in integrity generally refers to unwanted changes in the system or data including consistency, accuracy, and trustworthiness of the system output. A key performance indicator is the point at which the system would need to recover from in the event of an outage or data corruption.
2. Assess Impact and Probability
Each potential threat must be understood from an impact and probability standpoint. You may choose to ignore some threats while others may cause critical issues if you are unable to address them.
Impact
What is the impact if the threat becomes real? Your team should consider the impact the threat has on the safety of people, protection of physical assets, protection of data, and compliance with regulations (and potential fees if you fail to comply).
Probability
What is the probability of the threat occurring?
3. Put appropriate controls in place
Scoring
Score each threat by multiplying the probability ranking with the impact ranking. The result is a list of threats, ranked in order of importance, that require risk mitigation plans.
Prioritize
Your team may find that some risks are acceptable. Criteria to determine what risks are acceptable is IoT Solution-specific. Most importantly, the risks determined to require mitigation must be incorporated into the design specification of your IoT system. The longer you wait, the harder it is to mitigate the risk.
4. Apply best practices where they exist
Don’t make it easy for bad things to happen. IoT solutions are still relatively new, therefore we don’t have all the security practices defined and understood. However, this is not an excuse to ignore security best practice altogether.
Device Level Security
Device level security is probably the area in IoT where we are most immature as many devices are limited in compute capabilities and power. Examples of security controls that should be considered:
- SSL certificates
- Unique device passwords
- Whitelisted IP addresses
- Whitelist phone number (SMS)
- Checksum algorithms
(delivery reliability) - OTA firmware Updates
Connectivity Level
Connectivity includes the transport technology used to move data from the device to the cloud software/application and, if applicable, from the cloud software to 3rd party public and private data sources. Examples of security controls that should be considered:
- SSL/TLS between platform and device
- VPN to securely send SMS text messages using SMPP gateways
- Manage and frequently change device passwords
- Manage firmware updates
Application Level
The application level is where people interact with the IoT System. Given that there is generally a connectivity level between the device and IoT applications, Application level security is fairly well defined by cloud and internet software best practices. Examples of security controls that should be considered:
- Standard cloud security
(DDOS, IPS/IDS) - Authentication, authorization to access the platform and applications
- Database encryption
- VPC (Virtual Private Cloud) zone protected by a firewall (or an equivalent concept)
Summary
No one will ever have the answer to total security. This practice will continue to evolve as technology evolves. The most important thing an IoT Solution owner can do is to not ignore it. Build in a risk assessment into the early planning stages of the project. Then insist on risk mitigation being part of the design spec for each layer of the IoT System as well as the system as a whole.
Don’t make it easy for bad things to happen!