Ready for IoT Security?
By Gary Audin
Big data will be collected from IoT devices. IoT device accuracy, both in the data produced and in its transmission, must be near flawless. The vast number of IoT devices that will be deployed places a burden on the IT staff and on business operations. You need to pursue global, holistic, macro, and micro views of IoT security. You have to inspect everything from the IoT devices, the networks connecting the devices, the management platforms, regulations, and the standards involved.
Approaching IoT Security
Deploying IoT devices is driven by business operations as well as IT. A conflict may occur in determining who owns the end devices and who manages them. Operations departments may use cloud services and ignore and bypass the IT department. IT should be involved as an advisor to the business operations.
Enterprises need to consider the possible risks of the introduction of IoT devices. Both industrial and consumer products look more vulnerable than traditional IT devices. If business operations are part of the effort to deploy IoT devices, they should understand the risks and develop a balance between connecting IoT devices to IT versus creating their own shadow IoT support independent of IT.
You need to deploy strict identification and authentication processes. There will be endpoint devices that are part of an industrial IoT environment. You may also deploy some devices from the consumer products available. In either case, encryption becomes mandatory. There are many wireless services that could be deployed as well as wired services; both eventually travel over the Internet.
You need to investigate your management platform as well. It may be adequate for the endpoints that you already own. It may have to be upgraded to support the wide range of IoT devices that you expect to deploy.
If you decide to deploy edge computers at or near the IoT devices, investigate those edge computing devices to ensure that they provide the security controls that the endpoint IoT devices may not contain. You may also want to implement applications in the edge computers. Therefore, the edge computers, as well as the endpoints, have to be evaluated against the attack surfaces and vulnerabilities.
Finally, you need to consider your adoption of standards. There are many national and international organizations already in existence for protecting consumer and financial data. There are also federal and state regulations. Make sure your data is transmitted and stored according to the standards and regulatory requirements.
Attack Surfaces and Vulnerabilities
There is a long list of vulnerabilities specified in the “IoT Attack Surface Areas Project; The OWASP IoT Attack Surface Areas” by the Open Web Application Security Project. The IoT Attack Surface Areas Project provides a list of attack surfaces that should be considered and addressed by vendors, providers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations. The list includes attack surfaces such as hardware, storage, networks, interfaces, applications, APIs, authentication, and authorization. Use the vulnerability list as one form of checklist for IoT security.
The IoT Security Checklist
No checklist is exhaustive. These are some suggestions to follow when considering and deploying IoT devices:
- Ensure your passwords, both local and remote, are strong and there is multifactor authentication. Never use products that have hard-coded passwords. It is easy for attackers to use them. You need to govern permissions that you delegate for accessing these devices and implement privileged access management.
- Don’t make assumptions about the security characteristics or privacy policies of the controlling applications. Avoid using devices that have poor security and privacy capabilities. Connect the IoT devices on a separate network that has its own monitoring capabilities and is placed behind firewalls.
- Turn off those capabilities that you don’t want. These extra capabilities could be mechanisms used to bypass controls and security processes. Physical access to the device should be restricted to block intrusion, such as by eliminating buttons that reset the product or change ports or passwords. Avoid automatic connections via wireless networks. You may want to implement network device isolation to prevent device infiltration.
- Ensure that the software ports that allow remote control configuration are appropriately restricted. Employ encryption wherever you can. If encryption is not available, you should not consider that IoT device as part of the network. Consider deploying a VPN.
- There are firmware and software updates. If these updates have to be done locally or manually, don’t buy those products.
- Investigate the IoT devices; they should have some form of lifecycle. You may have to remove them when they are no longer updatable or secure. You also may have to turn them off when you have to replace power sources.
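
The checklist above can be applied mechanically to a device inventory before deployment. The following is an added example, not part of the original article; the inventory field names, the IoT subnet, the allowed management port and the sample records are all assumptions constructed for illustration.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed policy values (hypothetical, not from the article).
IOT_SEGMENT = ip_network("10.50.0.0/16")   # dedicated, firewalled IoT network
ALLOWED_MGMT_PORTS = {443}                 # remote configuration only over TLS

def audit_device(dev, today):
    """Return the checklist findings for one inventory record (a dict)."""
    findings = []
    if dev["hardcoded_password"]:
        findings.append("reject: hard-coded password")
    if not dev["mfa"]:
        findings.append("fix: no multifactor authentication")
    if ip_address(dev["ip"]) not in IOT_SEGMENT:
        findings.append("fix: not on the separate IoT network")
    extra = set(dev["open_ports"]) - ALLOWED_MGMT_PORTS
    if extra:
        findings.append(f"fix: unrestricted ports {sorted(extra)}")
    if not dev["encrypts_traffic"]:
        findings.append("reject: no encryption available")
    if dev["update_method"] in ("manual", "local"):
        findings.append("reject: updates are manual or local only")
    if date.fromisoformat(dev["end_of_support"]) <= today:
        findings.append("retire: past end of support")
    return findings

def audit_inventory(inventory, today):
    """Map device name -> findings, listing only devices that fail a check."""
    report = {d["name"]: audit_device(d, today) for d in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (not real devices).
SAMPLE = [
    {"name": "hvac-sensor-01", "ip": "10.50.3.14", "open_ports": [443],
     "hardcoded_password": False, "mfa": True, "encrypts_traffic": True,
     "update_method": "ota", "end_of_support": "2030-01-01"},
    {"name": "lobby-camera", "ip": "192.168.1.77", "open_ports": [23, 80, 443],
     "hardcoded_password": True, "mfa": False, "encrypts_traffic": False,
     "update_method": "manual", "end_of_support": "2021-06-30"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE, date(2025, 1, 1)).items():
        print(name, findings)
```

Findings prefixed "reject" correspond to the items the checklist says to never buy or connect, "fix" to items that can be remediated in configuration, and "retire" to the lifecycle item.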