Security concerns are preventing many businesses from adopting IoT-based technologies, but by embedding well-crafted IoT security requirements into the design, risks can be mitigated.
Internet of Things (IoT) is a buzzword nowadays. You find it everywhere, and everybody talks about it. The truth is that IoT has the potential to transform the world, allowing us to have smarter and more effective interactions among all actors in an IoT system: things, apps, and people. We live surrounded by IoT, including home automation, healthcare, and industry.
All over, we find statistics predicting that the number of connected devices will rapidly increase in the next few years. Forecasts show that the number of IoT devices worldwide will triple in 10 years, rising from 8.74 billion in 2020 to more than 25.4 billion by 2030.
In this nonstop global scenario, the business potential for IoT systems is limitless, but there is also a huge risk with connecting such a high number of devices without securing them properly. Neglecting IoT security means giving black hat hackers a way into your mission-critical systems.
Neglecting security in IoT systems
There are many definitions of what IoT means and what it encompasses. Companies, such as IBM and Oracle, and specialized websites such as Wired, have outlined their own definition. For the purpose of this article, however, I want to show you what a common IoT system looks like, based on those concepts.
In all these definitions, we see references to common factors such as physical objects, sensors and actuators, software, communications, protocols, internet, data, processing, and information. However, none of them include security, either implicitly or explicitly.
This oversight of security is not accidental, nor is it particular only to IoT systems. It is common to think of products, systems, and services where security is a secondary component, sometimes not even a relevant one. Fortunately, the importance of designing secure IoT products and systems from their very conception has grown over time. This is partly due to real and serious incidents that have occurred because security wasn’t considered a relevant factor.
I feel safe, but what are the risks?
The new possibilities and benefits provided by the use of IoT are compelling. We can consider multiple use cases:
- Smart homes. Current technology is affordable and readily available to consumers, like the Amazon Echo or the Nest Thermostat.
- Wearable devices such as Fitbit and Jawbone allow people to monitor vital signs and optimize their workout performance.
- Smart cities. The IoT is used to solve everyday problems (traffic congestion or air quality).
- Connected cars. They are equipped with internet access, full of sensors to automate many functions. Some of them are controlled by algorithms that allow the vehicle to stay on the road or detect if the driver is falling asleep.
- Remote monitoring. Radar-level sensors are able to easily measure points on moving and rotating machinery, so operators are constantly fed real-time data regarding the equipment’s functionality. Likewise, it gives insights into overall equipment lifecycles and repair needs, enabling predictive maintenance.
- Automation. Water is a precious resource, and farmers have to keep a consistent watering schedule to ensure proper crop care. Smart irrigation systems can help by automating the watering process while conserving water. The IoT device reads moisture levels in the soil and reports to the sprinkler system when water is needed.
As these use cases show, IoT is an omnipresent trend, requiring unprecedented interconnectivity. Its potential and benefits are limitless. But as the saying goes, with great power comes great responsibility. IoT is as exposed to cyberattacks as any other system or technology.
In late 2019, before COVID-19, a Siemens/Ponemon Institute study revealed that 56% of gas, wind, water, and solar utilities worldwide had experienced at least one cyberattack within the previous year, which caused a shutdown or loss of operation data.
According to the U.S. Department of Health and Human Services, the first half of 2020 witnessed a 50% increase in health care cybersecurity breaches.
On May 12, 2017, a massive ransomware attack shut down 16 hospitals in the UK, which prevented them from accessing basic medical records. One hospital even had to cancel all non-urgent operations.
Two security researchers found a way to hack a Jeep Cherokee, with the driver in it! The hack was not that complex due to a flaw in how the Wi-Fi password was generated. They took advantage of other flaws, gaining access to the Controller Area Network (CAN) bus, which enabled them to control the steering wheel, engine, transmission, braking system, and many other features, all of this remotely over the cellular network.
Another relevant case was when Stuxnet, considered the world’s first digital weapon, made the centrifuges used to enrich uranium gas at the Natanz plant in Iran fail on an unprecedented scale. Stuxnet went beyond a simple computer hijack and data-stealing to cause physical destruction on the equipment the computer controlled, and in a nuclear facility.
What’s in a name – IoT security
Here are some characteristics that make IoT unique in terms of attack surface, attack vectors, and security requirements:
- Device lifecycle being much longer than regular PCs, servers, and smartphones
- Security objectives that have great variation across verticals/domains
- Use of multiple operating systems for the end devices (the things) and gateways
- Built-in security in SoCs, MCUs, and CPUs that varies considerably across vendors
- Lack of common standards across vendors or vendors not adhering to standards at all
- Lack of interoperability among vendors due to the lack of standards to comply with
These characteristics mean there is no single security solution to protect all IoT systems. To make things even more complex, IoT security is different from traditional cybersecurity, as it is more a combination of engineering disciplines, including, for example, the hardware factor.
Some of the most significant attacks on IoT are as follows:
- Physical. Hardware tampering, bus sniffing, connecting to unprotected/unsecured interfaces
- Software. Attackers exploit insecure default settings affecting the bootloader, the firmware, or the applications, flaws in the update mechanism, and other weaknesses to hijack the device or make it unusable
- Connectivity. Wired/wireless scanning and mapping, denial of service (DoS)
- Protocol. Spoofing (impersonate), eavesdropping (spy), etc.
- Cryptographic. Cryptanalysis used to crack weak passwords, break cryptographic protocols, or breach authentication schemes
- Authentication. Brute force password attacks
- Malware. IoT botnets, e.g., Mirai, which affects thousands of webcams
An attack against the IoT will try to exploit weaknesses and flaws present in any of the components of the system. Some of the top reasons for IoT security breaches include:
- Weak/guessable default credentials. Many IoT devices are sent out with default passwords that are either not changed or are easily guessed by hackers.
- Unsecured networks. If the network is insecure, authentication can be bypassed, and sensitive data can be compromised.
- Vulnerable IoT ecosystems. If IoT devices are centrally managed and integrated with legacy systems, businesses risk introducing security vulnerabilities across their IT estate.
- Inefficient/non-existent update and patching mechanisms. To prevent technology from becoming compromised, businesses will often run real-time updates and patches on endpoints. However, without a provider delivering those updates often, IoT devices become outdated and vulnerable.
- Lack of IoT governance. IoT devices collect a lot of personal data. If security measures, encryption, and data protection policies are not put in place, cybercriminals can steal information easily.
Attacks on an IoT system like the ones listed can be facilitated when there is no careful product/system design, including security, from the start. That is why it is crucial to take into account not only the functional requirements but also the security requirements for the solution to be complete and robust. We find these among the IoT security requirements:
For existing systems, a security risk assessment is mandatory in order to know the dangers for the system and mitigate the associated risks by adding the needed controls to protect the system. What can we do to mitigate the risk and the potential damage caused by an attack? Luckily, there are good practices we can follow:
- Devices inventory. Identify all connected devices, understand what each device does, and have a unique centralized inventory for all.
- Central, automated password management. Enforce strong, unique passwords through an automated password management process. Passwords should be stored in a central repository and rotated at a predefined frequency.
- Identity access management. All users, including root, should validate their identity. Disable automatic root access.
- Least privilege. Limit access to what is needed based on credentials and permissions.
- Secure software execution. Do a system check of firmware (secure boot) before a system boots up.
- Secure remote access. Restrict remote access (for firmware updates, maintenance, and more) to verified parties, locations, and established ports.
- Patch management. Run regular software patching to keep systems up-to-date, avoiding all OS or firmware versions that might be vulnerable to attacks.
- Data security. Encrypt sensitive data in transit in the access networks and those going through the internet. Encryption at the end device might be a challenge due to resource constraints (limited memory and processing power).
- Vulnerability assessment. This is mandatory to uncover vulnerabilities present for each component in the system. A vulnerability assessment must be followed by a plan to fix the issues found.
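Several of these practices (a central inventory, password rotation at a predefined frequency, disabled root access, restricted remote-access ports, patch management) can be checked automatically against the inventory itself. The following Python sketch is an added example, not part of the original article; the policy thresholds, field names, device records and finding labels are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Policy values are constructed for this example (assumptions).
MAX_PASSWORD_AGE_DAYS = 90
ALLOWED_REMOTE_PORTS = {22, 443}
MIN_FIRMWARE = {"thermostat": (2, 4, 0), "camera": (1, 9, 3)}

@dataclass
class Device:
    device_id: str
    model: str
    firmware: str                    # dotted version, e.g. "2.4.1"
    password_rotated: date | None    # None: factory default never changed
    root_login_enabled: bool
    open_remote_ports: set[int]

def parse_version(text: str) -> tuple[int, ...]:
    # Compare numerically: as strings, "2.10.0" would sort below "2.4.0".
    return tuple(int(part) for part in text.split("."))

def audit(device: Device, today: date) -> list[str]:
    findings = []
    if device.password_rotated is None:
        findings.append("default-password")
    elif (today - device.password_rotated).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-rotation-overdue")
    if device.root_login_enabled:
        findings.append("root-access-enabled")
    minimum = MIN_FIRMWARE.get(device.model)
    if minimum is None:
        findings.append("model-not-in-policy")
    elif parse_version(device.firmware) < minimum:
        findings.append("firmware-outdated")
    extra = sorted(device.open_remote_ports - ALLOWED_REMOTE_PORTS)
    if extra:
        findings.append("unexpected-remote-ports:" + ",".join(map(str, extra)))
    return findings

INVENTORY = [  # constructed sample inventory (hypothetical devices)
    Device("th-001", "thermostat", "2.4.1", date(2024, 5, 1), False, {443}),
    Device("cam-007", "camera", "1.8.0", None, True, {23, 443}),
    Device("th-002", "thermostat", "2.10.0", date(2023, 11, 1), False, {22}),
]

def audit_inventory(today: date) -> dict[str, list[str]]:
    return {d.device_id: audit(d, today) for d in INVENTORY}
if __name__ == "__main__":
    print(audit_inventory(date(2024, 6, 1)))
```

Devices whose model is missing from the firmware policy are reported rather than silently passed, so gaps in the inventory surface as findings too.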
Perfect security does not exist. The risk of human error will always exist — an unsuspecting user who forgot to change the default password on the end device, a firmware flaw, or a new exploit that leaves the company’s IoT systems exposed.
We can always improve the security posture for an IoT system by embedding well-crafted security requirements into the design, from the start of the project, as well as by following the best practices.