'Security must be built into the foundations of IoT and extend through the ecosystem. A secure IoT platform is the answer. Let's take a look at the requirements.'
Many IoT devices are vulnerable to cyberattack because they are not designed with security as a priority, and instead rely on patching after vulnerabilities are discovered. This doesn’t work sufficiently well. Security must be built into the foundations of IoT and extend through the ecosystem.
Gartner predicts that, “By 2025, 30% of critical infrastructure organizations will experience a security breach that will result in the halting of an operations or mission-critical cyber-physical system.”¹ Over recent months, one of the criminal business models that has worked, and has been copied by many, is extortion via ransomware. State-sponsored terrorism is another threat of increasingly profound concern. The types of threats, where they come from, and their potential severity are ever-evolving. The number of IoT devices globally is about 17 billion.² More devices mean more access points into crucial systems, from homes to power grids, industrial facilities, medical equipment, automobiles, etc.
Then there are lower level attacks that often go undetected, such as denial of service attacks, unauthorized access, and data exfiltration. These can have a long-term impact on an organization, with loss of revenue, decline in customer trust, and reputational damage. These types of attacks can be used as a stepping stone for more advanced attacks, such as ransomware or advanced persistent threats.
There is progress towards a more secure ecosystem. Buyers of IoT are increasingly requiring a Root of Trust in devices. OEMs increasingly require that parts sourced from further down the supply chain are validated for security. Authentication protocols and encryption are becoming a greater priority in product design and development. Governmental organizations, too, are acutely aware of the need. Security standards and legislation are progressing, with NIST (USA) and the CRA (EU) outlining security regulations specific to the vulnerabilities of connected devices and systems.
An IoT platform built from the ground up for security can shoulder a large part of the responsibility. The platform must be structured as a solid base for implementing the following:
Encryption of data in transit using protocols such as DTLS and TLS to ensure data cannot be intercepted or read by unauthorized parties.
Secure protocols such as HTTPS, gRPC, CoAPS+TCP to provide a secure connection between the client and the server, preventing eavesdropping and tampering with data.
Unique device IDs and access control mechanisms, which can be used by firewalls to more effectively identify and control access to IoT devices on a network.
Device identification, access control, and encryption, along with the capability to monitor devices and the network to detect anomalies or unusual activity, such that an Intrusion Detection System can detect and prevent unauthorized access to devices.
Authentication and authorization of devices using digital certificates or OAuth access tokens, data encryption using hard drive encryption and TPM chips, and secure patching of firmware and software with OTA updates such as those provided by Mender or hawkBit.
Secure boot to ensure that only trusted software is loaded onto the device, and that the device is not tampered with.
Training for developers on secure coding techniques, code review tools, and automated testing to ensure code is free of vulnerabilities.
Built-in input validation mechanisms to ensure user-supplied data is sanitized and validated before it’s processed. This can include measures such as filtering out malicious characters and checking for valid input formats.
Secure data storage and transmission with protocols such as HTTPS, CoAPS, and TLS.
Regular security updates that are easy to implement and do not disrupt platform functioning.
Application security testing tools to help developers detect and fix vulnerabilities in their applications, including static and dynamic analysis of code, penetration testing, and vulnerability scanning.
Logging and monitoring capabilities to detect and respond to security incidents, including the ability to track user activity, detect suspicious activity, and alert administrators of potential security issues.
Encryption of data in transit with SSL/TLS, a certificate from a trusted third party to establish a secure connection, and mutual authentication in which both the client and the server present a valid certificate before a connection is established.
Encryption of data at rest with disk encryption and database encryption, using industry-standard encryption algorithms such as AES256.
Role-based access control, access control lists to restrict access to specific resources, and multi-factor authentication to ensure only authorized users have access.
Data integrity: a secure hash algorithm, using an industry-standard algorithm like SHA-256, to generate a hash of the data, which can be used to detect any unauthorized changes, and digital signatures to ensure data has not been tampered with.
OAuth 2.0 or OpenID Connect for user authentication and to enable multi-factor authentication on user accounts.
Role-based access control (RBAC) to limit users’ access to only the resources and actions necessary for their role.
Regular monitoring and auditing of user activity to detect and prevent unauthorized access or suspicious activities.
System for data classification and tagging, making it easier to filter on specific criteria and identify security threats and trends. Real-time processing of data to quickly identify patterns and anomalies.
Monitoring and alerts, for example with notifications when thresholds are exceeded or certain patterns in data are detected.
Integration with other data sources, such as network logs and system event logs. This context can help identify potential security threats.
User access control and data security, to ensure only authorized users have access to the data and analytics layer.
Continuous monitoring for suspicious activity and auditing of access to the data and analytics layer.
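The secure OTA patching requirement above, combined with the data-integrity requirement (SHA-256 hashes plus digital signatures), can be shown in one device-side check. The following is an added illustration, not code from any IoT platform or from Mender or hawkBit: the vendor signs a small manifest carrying the firmware version and the image's SHA-256 digest with an Ed25519 key, and the device refuses to flash anything whose signature, version (anti-rollback) or image hash fails. The manifest layout, the "version|digest" canonical form, and the key pair are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest describes one OTA image; its layout is an assumption made for this example.
type Manifest struct {
	Version     uint32
	ImageSHA256 string // hex SHA-256 digest of the firmware image
}

func ImageDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// canonical fixes the byte layout so that signer and verifier process identical bytes.
func canonical(m Manifest) []byte {
	return []byte(fmt.Sprintf("%d|%s", m.Version, m.ImageSHA256))
}

// SignManifest is the vendor-side step: only the manifest is signed; the image is bound by its hash.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// VerifyUpdate is the device-side gate before flashing: signature, anti-rollback version, image hash.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback to version %d refused (installed %d)", m.Version, installed)
	}
	if ImageDigest(image) != m.ImageSHA256 {
		return fmt.Errorf("image hash does not match signed manifest")
	}
	return nil
}

func main() { // constructed vendor key pair; a nil reader means crypto/rand
	pub, priv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed firmware image, version 2")
	m := Manifest{Version: 2, ImageSHA256: ImageDigest(image)}
	fmt.Println(VerifyUpdate(pub, m, SignManifest(priv, m), image, 1)) // <nil> means accepted
}
```

On a real device the vendor public key would be baked into immutable storage or anchored in the secure-boot chain, and the hash would be computed over the image as streamed to flash rather than over a buffer in memory.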
Last week, the Doomsday Clock was set to 90 seconds away from midnight, the closest it has ever been to the hour of potential apocalypse. The reality of our future on our planet may be a much better deal than that, and my money is on a better deal, but the hour of the day is symbolic of what’s going on in our society right now, even if the hurdles we encounter are much more manageable. A company’s reputation is built on years and decades of good work; it can be destroyed by a cyberattack in minutes. Choosing the right IoT platform is critical in establishing a comprehensive and effective IoT security strategy.