enterprisesecuritymag

Securing IoT Applications for the Next Era of Industry

By Srinivas Bhattiprolu, Senior Director, Solutions for Asia Pacific and Japan, Nokia Software

Srinivas Bhattiprolu, Senior Director, Solutions for Asia Pacific and Japan, Nokia Software

IoT Security –an axe to grind for businesses

The Internet of Things (IoT) has today become one of the most popular – and probably the most touted – trends across both business and technology. It is set to transform the business landscape as we know it, as we expect there to be some 50 billion internet-connected things by 2030. These will comprise dedicated-function objects such as refrigerators, connected cars and homes, and many more. It goes without saying that IoT will have a tremendous economic impact; transforming organizations into digital enterprises and enabling new business models, enhancing productivity and client experiences.

However, the ways in which enterprises can realize any benefits will be diverse and, in some cases, laborious, as IoT is introducing a gamut of security and privacy risks to the IoT eco system. To add to the challenge, IoT security is beyond the skillsets of traditional IT leaders, as it involves the management of physical devices, rather than purely virtual assets. Research by Gartner shows that by 2020, more than 25% of identified attacks in enterprises will involve IoT, yet the budget allocations on IoT security are insignificant today.

With IoT projected to provide an opportunity worth nearly 2.25 Trillion USD by 2025, every organization is jumping on this bandwagon to take advantage of this enormous potential and communication service providers will be at the forefront of this charge. However, very few organizations are focused towards implementing a holistic and an all-inclusive security framework for their IoT offerings.

The pressing need to secure IoT applications

During the infancy stages, IoT solutions managed to get away with making security an afterthought. Yet, that approach can no longer be accepted as IoT has now become part of the mainstream and making its way into mission-critical systems. To illustrate, incidents involving Trendnet’sSecurView camera, St. Jude’s cardiac device and Jeep Cherokee have demonstrated how successful IoT attacks can result in significant financial, reputational damage. In worse cases, they can be life threatening as well.

From a security perspective, a geographically distributed structure of IoT requires data communication: which typically has associated risks across the CIA triad (confidentiality, integrity and availability). The diversity of technologies enmeshed in an IoT system therefore has the potential of introducing a range of vulnerabilities. To secure an end-to-end IoT system, it is necessary to grasp the vulnerabilities and exploits concomitant with individual components, as well as the whole system, including human elements. This requires a comprehension of the architecture of an IoT system, the functionality assumed by the components, the data, and the control flow across the systems involved.

It is impossible to make any IoT solution comprehensively secure. However, understanding the possible vulnerabilities across different layers and the corresponding threat vectors, coupled with adoption of best practices, can certainly strengthen the security position of IoT solutions. 

Possible vulnerabilities and threat vectors

IoT systems tend to be intricate and heterogeneous; they include multiple tiers, technologies, deployment locations, device manufacturers, APIs and much more. From a security standpoint, end-to-end IoT systems have numerous vulnerabilities across different strata, encompassing multiple components that are each subjected to distinctive attacks.

Below is a summary of possible vulnerabilities and corresponding attacks that can affect each of the components

Layer

Possible vulnerabilities

Threat vectors

Physical

  • Orphaned devices
  • Physical tampering on MMUs (Malfunction Management Units)

IoT Devices

  • Simplistic implementation of various stacks
  • Improper exception handling and input validation
  • Excessive and direct exposure to internet
  • Command Injection
  • Enlisting devices as Botnets
  • Malware
  • Client-side certificates and key related attacks

Local wireless communication

  • Use of non-IP protocols and local data link that are less secure
  • Snooping
  • Man, in the Middle
  • Takeover
  • Re direction
  • Command Injection

IoT Gateways

  • Deficiencies in software libraries
  • Credential compromise
  • Enlisting as botnets

Networks

  • Transport corruption
  • Exploiting vulnerabilities in IP router platforms
  • Directing high-scale attacks toward content servers and router networks
  • Snooping attacks
  • Data poisoning attacks
  • Router control plane/data plane attacks
  • Volumetric DDoS attacks

Application Server in the cloud

  • Potential for masquerading
  • Denial of Service
  • Snooping
  • Takeover

Applications

  • Stolen credentials
  • Malware
  • Phishing/Spear Phishing

Others/Whole system

  • Middleware vulnerabilities
  • API vulnerabilities
  • Human negligence
  • IoT Specific Malware
  • Data Manipulation

There are a myriad threat vectors, and so attacks can ensue with or without any human involvement. Also, the scale of the infection spread is very high and rapid in case of IoT, making the negative ramifications even more pronounced. For instance, there are several focused and evolving malwares exploiting the vulnerabilities across different levels of an IoT solution.

Best practices to adopt

The threats and vulnerabilities are manifold, so there is currently no silver bullet for securing IoT. However, business and organisations can still implement a few best practices that will aid them in securing the IoT offerings, as shown below.

           Item

        Description

Inventory control and physical access

  • Keep track of the IoT devices including initial configuration and subsequent monitoring, decommissioning abandonware
  • Protect physical access

Keep the systems current and harden the devices

  • Device operating systems and device drivers are updated to the latest versions
  • Deployed devices are upgraded and patched in a timely manner

Ensure IP routing infrastructure is resilient and robust

  • Choose router platforms which are “secure by design” with built-in hardware-assisted approaches to help secure the routing environment

Monitor outbound and lateral IoT traffic

  • Monitor IoT devices for aberrant behaviour to automatically identify rogue devices

Segment IoT Traffic

  • Keep the IoT traffic separate from other network segments to limit exposure and malware spread

Detect & clean real-time& audit frequently

  • Auditing IoT infrastructure continually
  • Act in real-time

Best practices for IoT applications

  • Follow approved cryptographic standards
  • Static code analysis to identify common coding issues
  • Protect credentials
  • Utilize latest developments like AI and multi-dimensional analytics in IoT Security

IoT is at an inflection point and expanding rapidly into mission-critical areas, especially with the imminence of 5G.Security and privacy concerns will be the biggest hindrances to IoT adoption and growth, and therefore enterprises must seek to implement robust security measures to alleviate these apprehensions. Additionally, governments must focus on driving unified standards/regulations for IoT security that don’t exist today, while those in academia must disseminate learnings to all the key stakeholders and increase research focus on IoT security.

To strengthen trust in IoT, all the stakeholders need to join together and dedicate themselves to making IoT security a mandatory aspect and a crucial point of integration into their operations.

Read Also

Keeping Data Secure as Information Moves to the Cloud

Keeping Data Secure as Information Moves to the Cloud

Tommy Richardson, Former CTO of ADP and Chief Technology Officer and SVP of Technology, Nextech's
RSA for Valentine's Day, Better than Flowers or Candy for this Cyber Girl

RSA for Valentine's Day, Better than Flowers or Candy for this Cyber Girl

Kate Kuehn, Head of Security Practice, BT in the Americas
Getting In Front: Thinking Differently about Threat Intelligence

Getting In Front: Thinking Differently about Threat Intelligence

Tim Callahan, SVP, Global Security, & Global CSO, Aflac

Weekly Brief