IoT is a huge Opportunity for your Enterprise/Product Dev environment to rethink security!
The permeation of IoT into our cyberspace has without doubt, pushed the world into a wild frenzy of connecting anything with enough space to contain a board with a few chips, a sensor, and a battery mounted onto it. A 10 minute survey of e-commerce sites like Alibaba and amazon will amaze you with varieties of IoT products that reflect the sheer creativity of mankind - we are only restricted by what our mind is able to imagine. The main thrust of this article is to challenge readers to consider some critical questions as you guide your company towards IoT adoption.
So, you are an IT/OT administrator charged with leading the integration of IoT into your business operations. However, you are wondering what are the security considerations to note as you purchase and install these devices? You desperately want to avoid getting famous due to hackers’ activity on your systems. Here are a few questions to consider.
1- Does this product vendor provide a supply chain of trust?
“The Supply Chain of Trust is knowing from where you’re sourcing software or hardware and understanding the security inside of whatever it is, you’re sourcing. It boils down to taking ownership for each layer of security.” In this globalized world, we know that “all our computerized systems are deeply international” and no single country produces a device, including all its components across the value chain. It is hence important to develop a skeptical posture towards third party component(s) that will find its way into your device, manufacturing processes, system(s) or network(s).
As statistics have consistently shown, the supply chain has remained a very vulnerable soft target for attackers such that as much as 80% of cyber breaches may originate from the supply chain. In 2018 alone, according to the Symantec Internet Security Threat Report 2019, supply chain attacks grew by 78% worldwide. Quoting Kellerman of Carbon Black … “They (attackers) have no desire to leave the environment. And they don’t just want to rob you and those along your supply chain… attackers these days want to ‘own’ your entire system” from vendor supplied Software/Hardware to Supplier Systems, Embedded Hardware to Data Aggregators & Storage Solutions etc.
So, when you ask this question, look out for the vendor’s compliance to best practice security policies, processes and procedures, usually represented by cyber security certifications or a stamp of compliance. New technologies like blockchain have shown a lot of promise in addressing supply chain of trust, providing complete traceability of products security from the manufacturing site to the end user.
2- What security functionality is inherent in this device?
The security functionality inherent in a device gives more options in implementing security controls and provides defense-in-depth to address identified risks i.e. from device to architecture level. At the bare minimum, an IoT device must: must be securely updatable, and must provide secure communications with the outside world.
Possess a root of trust or a secure key provisioning: Root of Trust (RoT) is a source that can always be trusted within a cryptographic system. Because cryptographic security is dependent on keys to encrypt and decrypt data and perform functions such as generating digital signatures and verifying signatures, this functionality guarantees the IoT device’s ability to securely perform subsequent cryptographic operations for data security, secure communications, etc. Devices that do not come with this function must provide a secure alternative for cryptographic key insertion into the device.
Possess secure update functionality: Users must avoid the potential for persistent vulnerabilities in devices that have no update capability by ensuring that all devices and systems are built with the ability to be updated when vulnerabilities are discovered.
3- What is the impact of integrating this product/solution into my network?
As enterprise IoT products range increases, continuous integration of various devices into a central network will increase the probability of malicious attacks by hackers. In addition, the increasing risk of connecting the same IoT device in both home & enterprise networks (BYOD), increases the likelihood of cross contamination. There are cases where apps used for managing an employee’s personal IoT device (with very wide-ranging permission requirements) are installed on organizations PC or Mobile device. Furthermore, IoT devices increase pressure on enterprise infrastructure (e.g. bandwidth) and in many cases, impacts existing enterprise data flow/ data access policies.
Secure integration of IoT into a legacy architecture is preceded by an impact assessment covering aspects such as (not restricted to) network architecture, system functionalities, data CIA triad, attacker profile, geopolitical location, etc. In industrial environments where we often see legacy devices, for example, retrofitting security into existing equipment is one way for many plants to take advantage of industrial IoT. For other plants, a complete overhaul of network security may be necessary, for example updating a legacy network protocol to one with better transport security and continued security patches, integrating low latency network devices that are able to handle secure communication from IoT devices, etc.
4 - Do I have clarity on my data flows?
To provide clarity in the impact analysis, a comprehensive cartography of data flows within all segments of the organization is very critical. This helps in the appropriate allocation of resources and security controls during device and system configuration, bringing IoT communications into compliance to enterprise security policies and risk acceptance levels.
5- Do I have legal responsibility?
Finally, the potential privacy implication of the data being mapped must be thoroughly scrutinized in light of existing regulations. Companies must build systems that are able to monitor and prove compliance to data protection regulations.
Final Thoughts
As it is said, “a stich in time saves nine” - this even truer in IoT Security as security by design has proven to be much cheaper and robust than patching of an already built but insecure system. Call an expert today and discuss your security concerns; this will make it a lot harder for an attacker to make you the headline of primetime news.
This article is written by Mr. Isaac Dangana - Sr IoT Security Analyst at Red Alert Labs
Isaac has been involved in cybersecurity subjects like Applied cryptography, Computer forensics, IoT device security research, Network security, Communication protocol security, and the development of cybersecurity certification schemes #RedLabBlog