Understanding IoT Security
In this blog, we answer some IoT questions to help you understand what a robust security strategy looks like and give you steps to implement a strategy.
Advancements in cellular wireless technologies (like 5G), powerful IoT application platforms (like Microsoft IoT Central), secured IoT connectivity platforms, and all-in-one IoT infrastructure solutions are making it easier than ever for companies to deploy transformative new IoT applications. Yet as the use of new industrial asset monitoring, predictive maintenance, smart energy, Internet of Medical Things (IoMT), and other IoT applications expands, so does the threat landscape for these applications.
Given this expanding threat landscape, and the growing number and sophistication of cyberattacks, how can organizations deploy IoT applications in a secure manner that protects them end-to-end — from edge-device to network to cloud?
IoT security is complicated, and no single article can provide you with all the information you need to implement a robust IoT security strategy that will address all your IoT applications’ vulnerabilities. However, answering some basic questions on IoT security will help you better understand what a robust IoT security strategy looks like and provide you with some actionable steps you can take to implement such a strategy.
Why Are IoT Applications Attacked?
Criminals seeking to ransom your data, competitors trying to steal your trade secrets, a rogue state actor seeking to advance their nation’s interests, a bored hacker who wants a little excitement, and other malicious actors all pose threats to your IoT applications.
Sometimes these malicious actors want to access the data generated and transmitted by your IoT applications. Other times they want to use these IoT gateways as an entryway to data on your other enterprise systems — as illustrated by the famous examples of criminals using a smart fish tank to gain access to a casino’s internal IT systems and using an HVAC system to steal Target’s customer data. Hackers might even just be seeking to use your IoT devices to launch attacks on other organizations’ IT systems, as when the Mirai botnet took over IoT devices to launch an attack on Dyn, a domain name system (DNS) services provider, that ended up bringing down Twitter, Netflix, CNN, and other sites that used Dyn’s services.
As these examples demonstrate, criminals attack IoT applications for multiple reasons, using multiple techniques. If you have an IoT application, you need an IoT security strategy that helps minimize the chances of all these types of attacks succeeding.
What Is an IoT Security Strategy?
An IoT security strategy uses security technologies and processes to prevent IoT attacks, detect them when they do occur, and mitigate the extent and damage of these attacks.
A strong IoT security strategy should protect IoT applications end-to-end: from the IoT module, router, or other edge device, through the Ethernet, Wi-Fi, cellular, or other networks these devices use to transmit data, to the cloud that gathers and analyzes this data and manages the edge devices.
This protection also needs to go beyond protecting just the IoT application’s data. As illustrated by the smart fish tank, Target, and Mirai botnet examples above, criminals might want to use your IoT application’s devices, network, or cloud to penetrate or attack your own IT systems or other organizations’ IT systems.
What Unique Security Challenges Does the IoT Create for Enterprises?
While many of the challenges that organizations face in securing their IoT applications are like the challenges they face in securing their business productivity, enterprise resource planning, mobile, and other applications, IoT security also poses its own unique challenges.
One of the biggest challenges in IoT security is the quantity of interconnected “things.” Beyond traditional IT infrastructure, the exponentially larger number of connected things increases the potential attack surface, thus creating more potential security issues. In fact, Gartner predicts there will be more than 15 billion IoT devices connected to enterprise infrastructure by 2029.
Many IoT devices have much longer expected lifetimes (10 to 15 years or more) than the laptops, smartphones, and other devices used for these other applications. This means that these devices need to be designed so they can be upgraded with security patches years in the future. This can be difficult with IoT devices, as many of these devices depend on battery power, and security upgrades use up an IoT device’s power when they are transmitted to the device.
In addition, unlike the devices used for other types of applications, many IoT devices are in places (on a pipeline, a power line, a roof, inside a piece of industrial equipment) that are difficult for people to access. This makes it important that IoT security technologies can be configured and managed remotely. Sending a technician to physically connect to each device to update its security is likely to be extremely time-consuming and expensive.
IoT devices also gather data from things (such as hot-water heaters, air compressors, liquid fertilizer tanks) that have not had data collected from them before. Unlike computers and smartphones, these things might not have security technologies built into them, and your IoT security strategy needs to account for this.
How Does 5G Impact IoT Security?
The new 5G cellular wireless standard offers faster data speeds, lower latency, and other advantages over previous wireless standards. In doing so, it does not so much change the way that enterprises should approach IoT security as expand the IoT threat landscape with more data, more devices, and more use cases.
In some small ways, 5G does make it easier for enterprises to secure their IoT applications since it enables mobile network operators to “slice” their spectrum to offer private cellular networks to these enterprises, separate from public cellular networks.
However, overall enterprises should see 5G as another driver to implementing a strong IoT security strategy — one that may be more complex to implement since with 5G they are likely to have to protect more IoT devices, data, and applications than they did before.
How Do I Implement a Strong IoT Security Strategy?
Cybersecurity is a complex subject, and the strategy for IoT security should reflect the specific security requirements of the IoT application and use case for which it is designed. This makes it difficult to provide you with all the information you need to implement a strong IoT security strategy in a single blog post, especially one that features defense-in-depth with multi-layered device, network, and cloud protection.
However, by following these best practices, you can strengthen your IoT security strategy and lower the probability that an IoT cyberattack will succeed in penetrating your defenses and disrupting your operations.
Select IoT Devices With Advanced Security Features and Support for Secure Protocols
Not all IoT devices are created equal when it comes to IoT security. By using devices with features that include secure boot, secure over-the-air firmware updates, secure storage, access controls, and other advanced security features, along with support for secure protocols like HTTPS and TLS, you will position yourself to implement a strong IoT security strategy.
Protect Your IoT Network
Cybercriminals can breach your IoT application through your network as well as through your IoT devices. Ensure your devices, network, and cloud allow you to put in place network security mechanisms that include stateful firewalls with network address translation (NAT) and port address translation (PAT), port forwarding, DMZ hosts, private access point name (APN) options, and virtual private network (VPN) capabilities, like IKEv2, MOBIKE, and FIPS 140-2 validated cryptography.
Use a Secure Cloud
Your IoT application is likely to use not just IoT devices and wireless networks, but cloud services as well. When selecting cloud services for your IoT application, confirm that the service allows you to create unique or random device credentials, encrypts data over mutually authenticated connections, and can mitigate DDoS attacks.
Stay Informed of New Threats
New IoT security vulnerabilities and new types of cyberattacks are constantly emerging. This requires you to constantly update your IoT security strategy to reflect these changes. By putting in place a process to collect and evaluate information on new security threats and vulnerabilities from your IoT partners as well as government agencies, and by regularly ensuring that all firmware or other updates needed to protect yourself from these new threats and vulnerabilities have been implemented, you can keep your IoT security strategy from weakening over time.
Secure Your Keys
Use strong credentials for mutual authentication of devices and servers. Unique credentials should be used for each device and ideally the credential should be random, or at the very least not derived from anything knowable about the device (e.g. serial number, IMEI, MAC). Even strong credentials should be rotated in accordance with industry guidelines to limit the usefulness of any stolen credentials.
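The rules in this section, expressed as a provisioning and audit check. This is an added example, not code from the original article; `provision`, `derived_forms`, `audit`, the 90-day `MAX_AGE`, and the sample fleet are assumptions made for illustration, and the audit assumes it runs where provisioning records still hold each credential.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # assumed rotation interval; substitute your guideline

def provision(device_id):
    """Issue a random 256-bit credential; no device attribute feeds into it."""
    return {"device_id": device_id, "secret": secrets.token_urlsafe(32),
            "issued": datetime.now(timezone.utc)}

def derived_forms(identifier):
    """Lower-cased values commonly derived from a knowable identifier."""
    plain = identifier.replace(":", "").replace("-", "")
    forms = {identifier.lower(), plain.lower(), identifier[::-1].lower()}
    for algo in ("md5", "sha1", "sha256"):
        forms.add(hashlib.new(algo, identifier.encode()).hexdigest())
    return forms

def audit(fleet, now=None):
    """Return {device_id: [findings]} for credentials that break the rules."""
    now = now or datetime.now(timezone.utc)
    findings, owner = {}, {}
    for dev in fleet:
        issues = []
        for attr in ("serial", "imei", "mac"):
            if attr in dev and dev["secret"].lower() in derived_forms(dev[attr]):
                issues.append(f"derived from {attr}")
        if dev["secret"] in owner:
            issues.append(f"shared with {owner[dev['secret']]}")
        owner.setdefault(dev["secret"], dev["device_id"])
        if now - dev["issued"] > MAX_AGE:
            issues.append("rotation overdue")
        if issues:
            findings[dev["device_id"]] = issues
    return findings

# Constructed sample inventory (not real devices); NOW is fixed for repeatability.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FLEET = [
    {"device_id": "pump-01", "mac": "00:11:22:33:44:55",
     "secret": "001122334455", "issued": NOW - timedelta(days=10)},
    {"device_id": "pump-02", "serial": "SN000124",
     "secret": hashlib.sha256(b"SN000124").hexdigest(), "issued": NOW - timedelta(days=10)},
    {"device_id": "pump-03", "secret": "fleet-default", "issued": NOW - timedelta(days=400)},
    {"device_id": "pump-04", "secret": "fleet-default", "issued": NOW - timedelta(days=10)},
    {"device_id": "pump-05", "secret": secrets.token_urlsafe(32), "issued": NOW - timedelta(days=5)},
]
```

Calling `audit(FLEET, NOW)` flags the first four devices and passes only the randomly provisioned one.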
Work With Trustworthy Partners Who Have IoT Security Expertise
As the IoT becomes integral to your business success, it is more important than ever for you to partner with companies that you can trust with your IoT applications and data. In addition, unless you are in the IoT security business, it will be difficult for your organization to invest all the resources necessary for you to have dedicated IoT security experts on your team. Partner with companies you can trust that have a long, respected IoT track record and offices in countries with strict regulations in place to protect their customers' data. In addition, work with IoT partners who have built out their IoT security expertise and process with investments that include a dedicated product security team and security champions to advocate for IoT security in all areas of product management. Also look for partners who are actively involved in industry organizations focused on cybersecurity such as CTIA, GSMA, ETSI, and others, and have been qualified by MITRE (the organization that operates the National Vulnerability Database) as a Common Vulnerabilities and Exposures (CVE) Numbering Authority. As a CVE Numbering Authority, these companies are trusted by MITRE to accept vulnerability reports, coordinate with security researchers, and issue CVE reports for their products.
Zero Trust Model
This proactive security model assumes that the network and/or devices are always at risk from internal and external threats. To counter these threats, organizations can take a series of actions, ranging from strong identification for device authentication to centralized configuration and compliance solutions. Other requirements for zero trust for IoT solutions are based on the existing IoT infrastructure.
Published at DZone with permission of Larry LeBlanc. See the original article here.