Guarding Your Turf In The IoT Era

milind kamat

Internet of Things (IoT) increased operational efficiency is making lives easy for everyone. However, security is the area of utmost concern with safeguarding connected devices and networks in the world of IoT. Users can access data freely. The article talks about various ways to protect your company from any possible data breach.

Security Premise of IoT

IoT is tipped to fundamentally change how the world sees data security and privacy. Every sensor, device, and connection that gathers, transmits, stores, or processes sensitive data, is a potential risk. A study by Hewlett-Packard found that 70% of the most commonly used IoT devices contain some or the other security vulnerabilities. The vast scope, dynamics and diversity of IoT assets, makes achieving effective governance and cybersecurity a great challenge.

With the rapid adoption rate of IoT, we will start becoming increasingly reliant on intelligent, interconnected devices, that too with an “open” network framework. In such a case, any disruption or intrusion will have the potential to disrupt anything from operational issues to personal privacy to even public safety at large.

There needs to be a new security concept for infrastructures and objects on the IoT. While the Internet has not been designed with security in mind, companies are well aware that this time, immature security concepts represent a risk to the overall adoption of the technology and might hamper economic growth at a broader level. Therefore, security concepts have to be discussed from the very beginning and still we have a long way to go.

Concerns Regarding Security

Since IoT is all about physical “things”, hackers that gain access to such things, cannot just perform the usual digital attacks like stealing data, moving money, or shutting down websites — they can cause havoc by tampering with infrastructure like electrical grids and traffic signals hubs, or put lives at risk by meddling with healthcare devices, airplanes, or elevators among other such threat perceptions and scenarios.

The following categories underline the IoT security concerns:

Security of Scale: In a mature world of IoT, there will be millions and billions of intelligent endpoints, such as cars, pacemakers, and air-con units, each equipped with dozens of active sensors and millions of lines of code. Many of these endpoints will be accessible, often physically, to the hackers. The network connections that these endpoints use to communicate may also be vulnerable, giving access to central applications and databases.

Innumerable devices will be introduced into open networks and will start connecting and interconnecting one way or the other, which are potential entry points. With the imminent explosion of wearables and infinity of things, there is a huge scale of devices that will be in play, some of which are unknown or in their initial stages of prototype at the moment.

Security of Device Types: There are variety of used cases with different type of vendors, different generations and different capabilities; all of these make security more difficult and vulnerable. Knowing where vulnerabilities exist across a handful of smartphone OS varieties pales in comparison to keeping pace with the status of manifold sensors, cameras, meters, controllers, and other machines and equipment.

Privacy Concerns: The issue of “Privacy” is also a major concern. IoT applications gather large volumes of data about people’s behavior and conduct. Consumers and employees are increasingly concerned about how the data might be used, and the potential risk of criminals stealing it, in case of any data breach. Companies need to address these privacy concerns and be prepared for changes in data protection regulation.

Old Security Methods: Building firewalls or putting security into the devices themselves requires a substantial reengineering to address device constraints. Blacklisting, for example, requires huge amount of disk space to be practical for IoT applications.

Embedded devices are designed for low power consumption, with a small silicon form factor, and often have limited connectivity. They typically have only as much processing capacity and memory as needed for their tasks. And they are often “headless”—that is, there isn’t any human being operating them, who can input authentication credentials or decide whether an application should be trusted or not; they must make their own judgments and decisions about whether to accept a command or execute a task.

Probable methods to introduce security into IoT:

1. Regulations: Standardizations of security protocols across the data emission and ingestion will bring commonality and convergence across platforms and device types.

2. IoT Device Security: a. Protection Against Potential Virus Attacks Devices can use Linux variant of OS rather than just Windows e.g. Debian OSb. Strong Private Encryption Key Usage of strong private encryption key based on AES encryption standardc.  Layered Security Multi-layer security – OS level, device software, and encryption can be setup. It will allow only trusted packets and reject others.d. Security Compliance Support Information Security support, say on Debian OS security and toolset for vulnerabilities.e. OTA Based Security Patches Support for over the air security patch upgrades that will help in future hack proofing the devicesf.  Highest Level Security Standard Any data sent from any device to cloud is encrypted using industry standard encryption algorithms – AES 128 bit encryption.g. Blockage of Device Root Access.h. Access through SSL Making mandatory usage of POP3 or HTTPS for any data accessi. Trusted Network Access

OS firewall security turned ON to enable only ports through which sensor data is sent and ACK/OTA received, no other network access.

3. Role of Security Administrators

Security admins can become familiar with gateway solutions that incorporate protocol filters, policy capabilities and other functionalities directed at the security challenges specific to IoT.

With an understanding of the IoT security landscape, administrators will be better equipped to be part of the decision-making process, when it comes to deploying connected devices. Data exfiltration and other anomalies will need to be spotted quickly, and preventing problems in real time will be the key to stemming suspicious activity.

4. Access Control

Mandatory or role-based access controls built into the operating system can limit the privileges of device components and applications, so they access only the resources they need to do their tasks. If any component is compromised, access control ensures that the intruder has the most minimal access to other parts of the system as possible. Device-based access control mechanisms are analogous to network-based access control systems. The principle of least privilege dictates that only the minimal access required to perform a function should be authorized in order to minimize the effectiveness of any breach of security.

5. Device Authentication

When the device is plugged into the network, it should authenticate itself prior to receiving or transmitting data. Just as user authentication allows a user to access a corporate network based on user name and password, machine authentication allows a device to access a network based on a similar set of credentials stored in a secure storage area.

6. Firewalling and IPS

The devices will also need a firewall or deep packet inspection capability to control traffic that is destined to terminate at the device. Deeply embedded devices have unique protocols, distinct from enterprise IT protocols. For instance, the smart energy grid has its own set of protocols governing how devices communicate with each other.

7. Updates and Patches

Once the device is in operation, it will start receiving hot patches and software updates. Operators need to roll out patches, and devices need to authenticate them in a way that does not consume bandwidth or impair the functional safety of the device.

8. OS Level Security 

Software security controls needs to be introduced at the operating system level, take advantage of the hardware security capabilities now entering the market, and extend up through the device stack to continuously maintain the trusted computing base. Building security at the OS level takes the onus off device designers and developers to configure systems to mitigate threats and ensure their platforms are safe.