Some call it the next industrial revolution. Some call it a lifestyle revolution. Connected cars, connected machines, smart cities, devices that track human behavior, wearable technology, personalized health-care devices — the world of IoT is full of fascinating examples, each at a different stage of realization. A Gartner report suggests that as many as 20.8 billion devices will be a part of the global IoT ecosystem by the end of 2020. The IoT backbone comprises advanced communication platforms and cloud computing solutions that enable seamless integration of devices, applications, services, networks, and gateways. The complexity, however, also inflates the security challenges posed by IoT. This guide intends to highlight these IoT device security challenges for tech leaders and to help them prepare to defuse them.
IoT device security: A bigger challenge
There are several reasons why IoT device security is more challenging than IT security in general. Some reasons:
- Sophisticated security requires computing power; IoT devices don’t always have the capacity to host such powerful machinery because of size constraints.
- Cloud data is a veritable playground for hackers to experiment and persist with their nefarious designs.
- Man-in-the-middle attacks are a known cancer for IoT, and are still hard to beat.
- The complexity of IoT creates a complex web of several attack surfaces and multiple potential vulnerabilities.
- Because IoT devices are easily and inexpensively available in the market, it’s easy enough for hackers to familiarize themselves with the hardware.
- Most device info is stored in the cloud, and hackers are easily able to fake device identities.
Whatever the scope of an IoT implementation is, note that these data security parameters — confidentiality, authenticity, availability, and integrity — will need all the protection you can afford.
The need for dedicated IoT device security strategy
Think your existing IT security strategy will work just fine for IoT? That’s a big mistake. Another common mistake is for IT leaders to start hunting for an all-encompassing security solution for the Internet of Things. Assuming your IoT projects encompass all the layers of the general ecosystem of this technology, a single solution simply isn’t there for you.
IoT requires the best in all aspects of security — physical, operational technology, and cybersecurity. Thus, it makes sense to envisage IoT security as an ecosystem in itself. Unexpected challenges are likely to erupt because of the several layers in the IoT ecosystem. This calls upon leaders to initiate risk assessments and simulations so that IoT-specific breaches can be visualized closely. This helps businesses build reliable playbooks for responding to IoT security challenges.
IoT device security — Understand the device lifecycle
IoT ecosystems comprise hundreds of devices, each with a single purpose. This is in contrast to devices such as PCs, where a single device performs a wide variety of functions. The basic device lifecycle includes steps such as:
- Boot: loading of firmware, and starting as expected.
- Initialization: reading configuration, establishing connections, and syncing up data.
- Operation: performance of the designated key function for a long period of time.
- Update: new firmware installation, re-booting.
Securing each step of the lifecycle
At each step, specific security features need to be implemented. Some of these are covered here:
- Firmware integrity checks, via embedded passwords and checksums, to make sure no tampering has been done.
- Public/private certificate-based encryption of the firmware, to make the boot up fully secure.
- Require device users to change the default password of the IoT device.
- Encryption of communication from device to device, between device and Internet, and from device to user interface (128/256-bit, HTTPS, AES, etc.).
- Using a key management system or certificate management system to protect encryption keys and to highlight fake identities in the communication cluster.
- Removal of backdoor debug accounts; studies show that the existence of such accounts increases the risk exposure of devices.
- In-device system to highlight abnormal operations to end users.
- Runtime integrity checks make sure that the device is not compromised during operation (cloud-based two-way integrity check is a reliable method).
- Host IPS and virtual patching to minimize risks before a firmware-over-the-air (FOTA) trigger.
The new firmware must also be encrypted before the FOTA trigger to make sure the next boot is secure, and the lifecycle is repeated. Eventually, the device is terminated after it has completed several lifecycles.
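The firmware integrity check from the list above, applied at the FOTA step, as an added example that is not from the original article. The package layout, the names `build_package`, `verdict` and `tampered_copy`, and the sample key are assumptions made for illustration; HMAC-SHA256 stands in for the certificate-based signature so the code runs on the standard library alone, and the version check goes slightly beyond the text by also refusing downgrades.

```python
import hashlib
import hmac
import struct

# Constructed layout for this example (not a real vendor format):
# magic | version | payload_len | sha256(payload) | payload | HMAC tag
MAGIC = b"FWPK"
HEADER = struct.Struct(">4sII32s")
TAG_LEN = 32
DEVICE_KEY = b"constructed-sample-key"  # sample value only

def build_package(version, payload, key):
    """Vendor side: wrap the payload with a checksum and a keyed tag."""
    header = HEADER.pack(MAGIC, version, len(payload),
                         hashlib.sha256(payload).digest())
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verdict(package, key, installed_version):
    """Device side: return 'accept' or the reason the image is refused."""
    if len(package) < HEADER.size + TAG_LEN:
        return "truncated package"
    body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    # Authenticate first, in constant time, before trusting any header field.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "authentication tag mismatch"
    magic, version, length, digest = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if magic != MAGIC or length != len(payload):
        return "malformed header"
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), digest):
        return "checksum mismatch"
    if version <= installed_version:
        return "version rollback"
    return "accept"

def tampered_copy(package, new_payload):
    """Constructed tamper case: payload swapped, SHA-256 recomputed, tag kept."""
    _, version, _, _ = HEADER.unpack_from(package)
    header = HEADER.pack(MAGIC, version, len(new_payload),
                         hashlib.sha256(new_payload).digest())
    return header + new_payload + package[-TAG_LEN:]

if __name__ == "__main__":
    good = build_package(7, b"constructed firmware image v7", DEVICE_KEY)
    print(verdict(good, DEVICE_KEY, 6))
    print(verdict(tampered_copy(good, b"modified image"), DEVICE_KEY, 6))
    print(verdict(good, DEVICE_KEY, 7))
```

The tampered copy carries a valid SHA-256 checksum and is still refused, which is why a plain checksum alone does not prove the image is untampered. An asymmetric signature verified with a public key on the device is preferable in production, since an HMAC key extracted from one device can be used to tag new images.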
More IoT device security considerations
Apart from the technical details covered in the last section, here are other device security aspects that will make your entire IoT landscape more robust.
When you purchase an IoT device, make sure it has the memory and computing power to support the level of security you intend to implement for your IoT devices. Very soon, you will observe that device security concerns will grow, and hence, manufacturers will naturally upgrade devices such that they support the security goals of enterprises.
The devices you use must be patchable. If you cannot patch a device, it’s a huge security risk that will keep on becoming more and more obvious with time. Consider the baby monitors and CCTV cameras that were compromised because of the Mirai botnet. This also means that older devices need more caution.
Watch out for devices with hard-coded passwords — they’re almost certainly going to be an easy target for hackers. Also, some devices are simply not made to support encryption; their performance goes down if you bring in encryption. Devices that can’t be updated over the air (OTA) also expose your IoT systems to undue risks, so avoid them.
Understand the core of IoT device security
“Things” are the superstars of the Internet of Things. The pace of adoption of IoT among enterprises is impressive. If your organization is also a part of this massive wave, it’s super-important that you understand the core of device security. The tips, methods, and hacks shared in this guide are meant to help IT leaders make better purchase and implementation decisions.