Showing posts with label security. Show all posts

Tuesday, September 17, 2019

The top 10 strategies to secure your IoT devices


Ohio-based Cyber Security Services has released a list of its top 10 strategies for organisations to secure their vulnerable IoT devices.
The company argues that millions of IoT devices lack adequate security controls and are therefore exposed to cyberattacks. Security fears are paramount in both enterprise and consumer minds; a study from Metova in June found that while 85% of consumers polled would like to monitor utility usage in real-time through IoT devices, full understanding of the term was still required.

The top 10 security strategies are:

  1. Changing or updating default passwords over a period of time.
  2. Keeping the corporate network separate from vendor-managed and unmanaged IoT devices.
  3. Preventing IoT devices from communicating outside the organisation unless it is extremely important.
  4. Putting controls in place to limit the number of vendors that are granted remote access to IoT devices.
  5. Implementing a NAC solution to improve IoT security by detecting as many devices as possible and identifying suspicious connections to the network.
  6. Using vulnerability scanners provided by commercial vendors to help identify the types of devices connected to a network.
  7. Running an IDS and IPS on the network to detect malicious network traffic, which saves an IoT device from being compromised.
  8. Appropriate device management to make sure that the remotely managed devices are catalogued with records in place detailing registration, configuration, authentication, and other pertinent device data.
  9. Restricting internal and external port communication so that it is allowed only when needed.
  10. Removal of incompatible OS, applications, and devices from the network for increased safety.

A recent study from Irdeto found healthcare organisations lack necessary measures to counter cyber-attacks despite being aware of the areas that are vulnerable and need protection. In a survey of 232 healthcare security decision-makers, 50% of the respondents cited the IT network as the most prominent vulnerable spot within healthcare organisations, followed by mobile devices and accompanying apps (45%) and IoT devices (42%).

Thursday, May 31, 2018

Some things that are reshaping IoT for the future


  1. An explosion of sensors
  2. A new regulatory environment
  3. Machine learning comes into its own
  4. Better security & physical standards

For many Internet of Things observers, the IoT’s dizzying embrace and subsequent reshaping of modern business and cultural standards seems like it happened only yesterday. Yet the IoT is moving ever faster, developing at an astonishing rate and continuously reinventing itself. So what’s the next step in the long line of IoT innovation, and how can eager investors cash in on tomorrow’s IoT fad today?
Those used to the ever-changing nature of the IoT will know by now that it’s constantly changing, but will also be aware that innovation in certain areas matters much more than gradual developments elsewhere. A quick review of the 4 things reshaping the IoT’s future the most shows which industries will be most vital to its development and offers an alluring glimpse of what the IoT of tomorrow will look like:

1. An explosion of sensors

Few things empower the IoT as much as the sensors which make up its physical senses in the real world; already, millions of embedded sensors help companies and individuals collect useful data about the world around them, so that they may in turn shape it with better business decisions or new products. The IoT sensor market alone is expected to be worth a staggering $27 billion by 2022, and the rapid growth of an industry supplying the physical sensors and the coding that powers them will only continue in the coming decades.
As billions of global consumers become the proud owners of smartphones and other handheld gadgets, the sensors which make up the IoT will not only grow in quantity, but also in financial value. As refinements to sensory technology continue, IoT-connected devices will be able to collect more data in less time at cheaper rates, and they’ll be able to better store, sort, sell, and make use of that data in the marketplace.

2. A new regulatory environment

Even strangers and newcomers to the IoT often recognize that consumer privacy and market regulation are two of the biggest concerns of the world’s largest digital phenomenon. Growing rates of corporate data breaches, such as the Equifax fiasco that jeopardized the personal data of millions of Americans alone, are making consumers and regulators alike more interested in data privacy and the general regulation of the IoT.
This will have a sizable impact on gadget producers and software developers alike; tomorrow’s IoT products and services will be created in a significantly stricter business environment, and greater cost will be shouldered by companies when it comes to things like investing in necessary IT security infrastructure and gadget security, not to mention data management.

3. Machine learning comes into its own

Anybody keeping tabs on the IoT has undoubtedly heard about machine learning and the wonders it can work in the business world, but fewer people understand that machine learning and the use of algorithms in tandem with the IoT in general are merely in their infancy. Much in the same way that today’s standard IoT devices and logo design software would look alien to someone only 10 years ago, the IoT of the next decade will be all but unrecognizable.
Top companies like Google, Microsoft, and IBM are all pouring money into artificial intelligence and machine learning for good reasons; current applications of algorithms in the business world are only the tip of the iceberg. Tomorrow’s IoT will be shaped largely by those with control over the best data-analytics and machine learning capabilities, which will be needed to keep up with the ever-increasing deluge of data and devices that stems from the IoT’s continuous expansion.

4. Better security & physical standards

The high levels of attention being paid to IoT security in light of continuous hacks and data breaches will have a strong impact in the long term; in the IoT of tomorrow, gadgets won’t be valued based on how cheap they are to produce and program, like they are now, but rather based on their levels of security and physical endurance.
Advancements in everything from IT security infrastructure to gadget batteries and production standards will reshape current marketing trends and consumer patterns. Devices will be able to operate longer without needing a charge, and data privacy standards inside of IoT companies will themselves be much more stringent to prevent outside regulation or intrusion.
Ultimately, a public reevaluation of security standards is likely to drive the physical world of the IoT as much as it is the regulatory world that exists on paper to constrain it. The only consistent thing about the IoT is that it’s constantly evolving, surpassing modern expectations and standards and demanding new innovations and perspectives to adapt and conquer new sectors of the market. Much of the IoT of the 21st century will look completely different, but investors and consumers alike are unlikely to see more change than in these 4 key areas.

Saturday, November 11, 2017

IoT Eco System and IoT Gateway security



Cybercriminals have an array of potential attack vectors to choose from when targeting IoT implementations. Here’s how to work towards comprehensive security in Internet of Things applications.
The Internet of Things may have a significant economic potential, but it also gives malicious actors an ever-expanding toolbox for cyber attacks. Gartner estimates that 5.5 million “things” get connected each day. It’s no wonder that hackers are beginning to target IoT devices with weak security for botnets and other attacks: they are often low-hanging fruit.
As both physical and digital threats increase, the need to find technologies to reduce such risks is also rising. This article will discuss the vulnerable points in an IoT application and the key strategies to resolve them, including details on maintaining supply chain integrity. It will also cover the fundamental elements needed to create a robust security paradigm.

Potential attacks for IoT applications

A handful of IoT-related attacks seem to receive the most attention in the popular press. There is, of course, the Mirai botnet that brought down a chunk of the internet last year. There’s BrickerBot, which renders insecure IoT devices unusable. On the industrial side, Stuxnet is famous for causing physical damage to nuclear centrifuges in Iran. And then there is BlackEnergy — a malware variant that shut down a portion of Ukraine’s power grid.
Attacks with a physical component: IoT attacks at the physical layer of the OSI Model require unauthorized access to physical sensing, actuation and control systems. Consider how electronic car theft works as an example. Since cars are essentially computers on wheels, hackers have a variety of options at their disposal. They can clone the radio signals from a key fob to open a locked vehicle. A hacker with physical access to a vehicle’s Controller Area Network (CAN) bus underneath the steering wheel can cause all sorts of mischief: They can unlock the car’s immobilizer that stops a thief from driving away and reprogram a new key for the vehicle. Access to the CAN bus could also enable them to hack the speedometer, door locks and other components.
A similar threat applies to industrial control systems, which have a decades-long history. Many industrial machines make use of supervisory control and data acquisition (SCADA), a technology that was created decades ago without much thought about security. As a result, an attacker with physical access to a SCADA system can cause significant damage to industrial facilities and critical infrastructure.
Similar threats could apply to medical devices. An attacker could gain access to an implantable device such as a cardioverter defibrillator or an external medical device such as an insulin pump to install malware.
Pure software attacks: This category includes malware variants such as viruses, trojans and worms. Also in this category is fuzzing, in which random data is thrown at software to see how it reacts. Distributed Denial of Service (DDoS) attacks can be software-based as well, although they can also occur at lower levels of the OSI Model. One potential IoT-related DDoS risk is that safety-critical information, such as a warning of a broken gas line, goes unnoticed during a DDoS attack on an IoT sensor network.
Network attacks: One of the biggest vulnerabilities of IoT devices is their wireless connectivity, which can make them remotely exploitable. Here, a variety of attacks are possible on the devices, or “nodes,” connected to the network.
In an enterprise Internet of Things context, those nodes typically communicate with the gateway that is the core of that implementation. The node connects all of the IoT devices to the cloud.
Let’s assume that we have an industrial IoT application with interconnected gateways linked to each other in a mesh network. If a hacker jams the functionality of a gateway with denial of service requests, they can bring down the whole IoT project. Thus, a single attacker can stop the IT and OT elements of a system from interacting, as we discussed in the article “IoT gateway architecture: Clustering ensures reliability.” 
Cryptanalysis attack: In this type of exploit, a hacker tries to recover an encrypted message without access to an encryption key. Examples include brute-force attacks, in which a hacker tries every possible password combination to gain access to a system. The known-plaintext attack, with roots stretching back to WWII, is another example, in which a hacker has access to unencrypted text as well as its....
Article By : Mohiit Bhardwaj

Tuesday, October 10, 2017

How to Secure your IoT Solution From Edge to Cloud?


Maintain supply chain integrity: Enterprise companies need to ensure that their vendors and suppliers have defined Supply Chain Management (SCM) procedures that include baseline testing of components and specifications for parts used in IoT projects. In addition, they should be able to provide information on the entire manufacturing process. They should also share any changes in the system or any technical vulnerabilities in components with the IoT system owner. Any updates of the system such as changes in configuration, software changes and so forth should also be shared with the system owner or operator. Supply chain management systems should be able to consult a dashboard where they can easily access vendors’ and suppliers’ details, and any changes in the specifications of the components or parts.
Establish a chain of trust: Ensuring a high degree of security for an IoT implementation requires that the devices, gateways and applications that are part of an IoT value chain be trustworthy. A trustworthy system enables the “chain of trust,” and this level of confidence should be maintained throughout the entire lifecycle of the system and adapt to new changes.
The basic categories for building a chain of trust, according to the Industrial Internet Consortium’s security framework, include:
  1. Security is the assurance that a system will remain secure from outside threats and attempts to harm it. It also includes confidentiality (information will not be disclosed to any unauthorized entity), integrity (the system avoids inappropriate changes to and destruction of information), and availability (the system provides instantaneous information to an authorized user).
  2. Safety is the condition in which a system runs without posing a threat of danger; it includes safeguarding people and physical OT assets.
  3. Reliability is the ability of a system or component to perform its required functions under stated conditions for a specified time. Reliability and availability are correlated. Reliability can be thought of like a fraction: it is the amount of actual availability over scheduled availability, as affected by things like scheduled maintenance, updates, repairs and backups. Hence, when the scheduling is done properly, it is possible to get the actual availability (reliability) closer/equal to the scheduled availability.
  4. Resilience is achieved by designing the system so that, when a failure occurs, the system can find an alternative way to accomplish the task. Failure in a single component should not affect other parts of the system. The system should be able to deal with failed or faulty processes automatically.
  5. Privacy is the ability of personnel or an organization to have control of the information flow. It includes matters such as the confidentiality of processing and transferring data and who has access to that data.
When a system has all of these characteristics, it should be able to stand up to risks predicted for the system.

Communication and network security

An important aspect of any connected device or IoT system involves peer-to-peer communication between gateways and devices as well as communication to the cloud.

Data security

Securing data at endpoints involves data-at-rest (DAR) and data-in-use (DIU). Communication security is required for data-in-motion (DIM). For DAR, a TPM (Trusted Platform Module) storage key can be used to secure the data. For DIU, runtime integrity techniques can be used to monitor memory access, and to detect and protect against memory attacks. For DIM, data tokenization (a type of cryptography) can be used to protect sensitive data with encryption that can be decoded by authorized parties. See the example below showing a hospital’s patients database.
There are three main techniques for cryptography: shared key, certificate-based authentication, and token-based authentication.
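
To make the tokenization idea concrete for a hospital patient record in motion, here is an added sketch (not code from the original article). It uses vault-based tokenization, one common form of the technique; the field names, the `billing-system` party and the HMAC proof scheme are assumptions, and the records are constructed sample data.

```python
import hashlib
import hmac
import secrets

SENSITIVE = ("name", "diagnosis", "insurance_no")  # assumed sensitive fields

# Constructed sample records, not real patient data
RECORDS = [
    {"patient_id": "P-1001", "name": "Jane Doe", "diagnosis": "asthma",
     "insurance_no": "INS-0001", "heart_rate": 72},
    {"patient_id": "P-1002", "name": "John Roe", "diagnosis": "asthma",
     "insurance_no": "INS-0002", "heart_rate": 88},
]

class TokenVault:
    """Swaps sensitive values for random tokens; the map stays in the vault."""

    def __init__(self, authorized):
        self._keys = dict(authorized)   # party name -> shared secret (bytes)
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, field, value):
        # Same (field, value) always maps to the same token, so tokenized
        # records can still be grouped or joined downstream.
        if (field, value) not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[(field, value)] = token
            self._by_token[token] = value
        return self._by_value[(field, value)]

    def detokenize(self, token, party, proof):
        # Only a party holding a registered secret may recover the value.
        # A real deployment would bind the proof to a fresh challenge.
        secret = self._keys.get(party)
        if secret is None or not hmac.compare_digest(proof_for(secret, token), proof):
            raise PermissionError("not authorized to detokenize")
        return self._by_token[token]

def proof_for(secret, token):
    """HMAC-SHA256 over the token, computed by the requesting party."""
    return hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()

def protect_record(vault, record):
    """Tokenize sensitive fields before the record leaves the gateway."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE else v
            for k, v in record.items()}

if __name__ == "__main__":
    vault = TokenVault({"billing-system": b"constructed-secret"})
    for rec in RECORDS:
        print(protect_record(vault, rec))
```

Telemetry such as `heart_rate` travels unchanged, while anything that identifies the patient is only recoverable through the vault.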

Cyber theft prevention

From a theft perspective, the most common types of targets are IP addresses, Fully Qualified Domain Names (FQDNs), and malicious URLs. There are many frameworks that can identify cyber threats and mitigate them, including the Collective Intelligence Framework (CIF), Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX). Such technological frameworks continuously analyze data, creating a chain of messages. In the STIX framework, for instance, whenever a user asks for specific data, the system provides information on cyber risks, threat actors, a recommended course of action and other information. For building a chain of trust, it is important for IoT devices to share threats and other pertinent information with the nearby devices that are on the same network.
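
As an added illustration (not part of the original article), the sketch below matches STIX 2.1 indicators for the three indicator types named above against gateway connection records. The indicators, the log record layout and all values are constructed; only single-equality patterns are parsed, and anything more complex is skipped.

```python
import re

TS = "2019-09-17T00:00:00.000Z"  # constructed timestamp

def indicator(n, name, pattern):
    """Build a minimal STIX 2.1 indicator object (constructed sample data)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-%012d" % n,
            "created": TS, "modified": TS, "valid_from": TS,
            "name": name, "pattern_type": "stix", "pattern": pattern}

INDICATORS = [
    indicator(1, "Botnet C2 address", "[ipv4-addr:value = '203.0.113.10']"),
    indicator(2, "Malicious FQDN", "[domain-name:value = 'bad.example']"),
    indicator(3, "Malicious firmware URL",
              "[url:value = 'http://update.example/fw.bin']"),
    # Compound pattern: outside what this sketch parses, so it is skipped
    indicator(4, "Compound",
              "[ipv4-addr:value = '192.0.2.1' OR ipv4-addr:value = '192.0.2.2']"),
]

# Constructed gateway connection records (hypothetical log layout)
EVENTS = [
    {"device": "cam-01", "dst_ip": "203.0.113.10", "host": None, "url": None},
    {"device": "hvac-02", "dst_ip": "198.51.100.5", "host": "Bad.Example.", "url": None},
    {"device": "lock-03", "dst_ip": "198.51.100.9", "host": "update.example",
     "url": "http://update.example/fw.bin"},
    {"device": "cam-01", "dst_ip": "192.0.2.44", "host": "ntp.example", "url": None},
]

SIMPLE = re.compile(r"^\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']*)'\]$")

def norm(kind, value):
    """Domain names compare case-insensitively and without a trailing dot."""
    return value.lower().rstrip(".") if kind == "domain-name" else value

def build_index(objects):
    """Index single-equality indicators by (object type, value)."""
    index = {}
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = SIMPLE.match(obj["pattern"].strip())
        if m:
            kind, value = m.groups()
            index[(kind, norm(kind, value))] = obj
    return index

def observables(event):
    """Yield the (type, value) pairs one connection record exposes."""
    for kind, field in (("ipv4-addr", "dst_ip"), ("domain-name", "host"), ("url", "url")):
        if event.get(field):
            yield kind, norm(kind, event[field])

def match(index, events):
    """Return (device, matched value, indicator name) for every hit."""
    return [(ev["device"], value, index[(kind, value)]["name"])
            for ev in events for kind, value in observables(ev)
            if (kind, value) in index]

if __name__ == "__main__":
    for hit in match(build_index(INDICATORS), EVENTS):
        print(hit)
```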

Hardware security

Hardware security can be achieved in an IoT solution with Trusted Platform Modules (TPMs) and a Trusted Execution Environment (TEE). A TPM is essentially a chip that is installed on an IoT device near the CPU. It is used mainly for cryptographic operations: creating a security key, saving it, storing data and other related operations. TPMs can be used to ensure the integrity of a platform, and for disk encryption and password protection.
A TEE is a separate execution platform that differentiates the operational capability from the security functionality. It consists of APIs, a kernel and a trusted OS that runs security checks, parallel to the standard OS. A TEE includes a root of trust (RoT), which comprises a trusted boot platform, a measured boot process and an attestation process. A trusted boot platform enables a secure boot, avoiding problems with malware that self-installs during the boot process. A measured boot process provides data on every process of the boot sequence before executing it on the standard OS. The attestation process allows the process to share its trustworthiness and security parameters with other trusted sources, securely. TEEs also help ensure the integrity of applications and data storage.
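
The measured boot and attestation steps described above can be sketched as follows; this is an added example, not code from the original article. It models a TPM-style PCR extend with SHA-256 and uses an HMAC as a stand-in for the signed quote a real TPM produces with an attestation key; the stage names, images and key are constructed.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 platform configuration register

def extend(pcr, measurement):
    """TPM-style extend: new PCR = SHA-256(old PCR || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(stages):
    """Hash each stage before it would run; return (event log, final PCR)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return log, pcr

def quote(pcr, nonce, ak):
    """Stand-in for a TPM quote: HMAC over verifier nonce || PCR value."""
    return hmac.new(ak, nonce + pcr, hashlib.sha256).digest()

def verify(log, pcr, nonce, sig, ak, golden):
    """Verifier: check the quote, replay the log, compare with known-good."""
    if not hmac.compare_digest(quote(pcr, nonce, ak), sig):
        return "bad quote"
    replay = bytes(PCR_SIZE)
    for _, digest in log:
        replay = extend(replay, digest)
    if replay != pcr:
        return "log does not match PCR"
    expected = list(golden.items())
    for i, entry in enumerate(log):
        if i >= len(expected) or expected[i] != entry:
            return "untrusted stage: " + entry[0]
    return "trusted" if len(log) == len(expected) else "missing stage"

# Constructed sample data: key, boot chain and known-good digests
AK = b"constructed-attestation-key"
STAGES = [("bootloader", b"bootloader v1"), ("kernel", b"kernel v5"),
          ("gateway-app", b"app v2")]
GOLDEN = {name: hashlib.sha256(image).digest() for name, image in STAGES}

def attest(stages, nonce, hide_tamper=False):
    """Device side: boot, optionally rewrite the log to hide a change, quote."""
    log, pcr = measured_boot(stages)
    if hide_tamper:
        log = [(n, GOLDEN.get(n, d)) for n, d in log]
    return log, pcr, quote(pcr, nonce, AK)

if __name__ == "__main__":
    changed = [STAGES[0], ("kernel", b"kernel v5 modified"), STAGES[2]]
    for stages, hide in ((STAGES, False), (changed, False), (changed, True)):
        log, pcr, sig = attest(stages, b"nonce-1", hide)
        print(verify(log, pcr, b"nonce-1", sig, AK, GOLDEN))
```

Because each PCR value depends on every earlier measurement, rewriting the event log after the fact cannot reproduce the quoted PCR, which is what the third case shows.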

Blockchain-based security

While blockchain is best known for its use in cryptocurrencies like Bitcoin, the technology can be used for authentication in IoT networks as it uses a “micro-ledger” as evidence for peer-to-peer communications. Blockchain can record the communication history of two IoT gateways or devices. Once an action (or “transaction”) is stored in a micro-ledger, it cannot be altered in the future. While certificate-based encryption technologies can be forged, blockchain has the advantage of being distributed, and thus supports the security concept of non-repudiation, meaning a person who triggers an action on an IoT network cannot deny doing so.
