By: Troy Cogburn, Senior Research Engineer & John Filitz, Research Analyst
The adoption of Internet of things (IoT) is continuing to rise and is estimated to reach 50 Billion Devices by 2020. With this comes a great concern of how to make sure we keep all these connected devices secure. The Mirai Botnet attack was undoubtably the first big IoT breach we’ve seen, and it practically took down the internet for the entire US East Coast. This is just one of many attacks with others compromising connected devices such cars, baby monitors, cardiac devices, toys and much more. With a stream of continually advancing IoT devices being implemented daily, why is it so hard to secure them?
Top Challenges in Securing IoT Devices
For many companies the traditional ways of securing infrastructure are no longer valid for IoT. These devices have extremely lightweight operating systems and cannot be treated like a traditional endpoint. Given compute and memory limitations of IoT devices, in majority of the cases it is simply impossible to install agents on IoT devices for malware and ransomware protection.
The lack of agents also makes it very difficult to perform vulnerability scans and patch management on such a wide variety of devices and protocols. Some of the most vulnerable devices are Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, which are often managed by Operating Technology groups. These technologies were developed in a pre-Internet era, and thus are extremely vulnerable to compromise. A further challenge concerns isolating these systems once they are breached. This confluence of factors makes it difficult to apply conventional security approaches to securing the many different types of IoT devices found in the broader IoT ecosystem
In a 2017 study, Forrester found that around sixty percent of companies surveyed with these devices have already been breached. Early last year the Open Web Application Security Project (OWASP), an open source community that produces content methodologies, tools, and technologies in the field of web application security, released their top ten security challenges with IoT Security:
- Weak, Guessable, or Hardcoded Passwords
- Insecure Network Services
- Insecurity Interfaces
- Lack of Secure Updates
- Use of Insecure or Outdated Components
- Insufficient Privacy Protection
- Insecurity Data Transfer & Storage
- Lack of Device Management
- Default Settings
- Lack of Physical Security
5 Ways to Secure Your IoT Environment
From the above it is evident that securing the IoT environment is challenging. This raises the question of how do we go about taking the right actions to safely deploying these devices? Well as with most cyber security, nothing is ever entirely secure, but here are five key attributes to improving the security posture of your IoT Devices:
1. Visibility & Monitoring
The first step is to gain visibility into your IoT environment with the goal to discover all devices whether they be managed or unmanaged. Surprisingly, around 40% of devices found usually are unmanaged. From there the next steps include classifying these devices for asset management and building a profile and baseline on how they should be performing. Once this is established, these devices can be monitored and managed according to the baseline.
2. Network Enforcement
Network enforcement is key to ensuring IoT security. The first step in implementing network security protocols requires network segmentation according to classification and role. Network access should be restricted where deemed appropriate but should not interfere with Operation practice. Network enforcement hinges on effective firewall segmentation of traffic by policy. Other aspects include strong governance of remote access to IoT devices. Remote access should be granted on a limited and as needed basis. Increasingly real-time network traffic monitoring and detection are seen as essential to securing the IoT environment.
3. Vulnerability Management and Patching
Poor vulnerability management and a lack of routine patching remains a significant blind spot in IoT device security. The vast majority of IoT devices run on firmware that is several years old and has never been updated or patched. Strict vulnerability management should include only allowing certified devices on the network, accompanied with routine firmware and patch updating.
4. User Management
User management of IoT devices should follow the Zero Trust model. Authorization and authentication should be informed by the specific access privilege, and vulnerability assessment for the environment in which the IoT device is deployed. Selecting appropriate proximity-based model (Bluetooth, RFID and WIFI) according to the use-case, is vital to ensuring the security of the IoT environment.
Data encryption in the IoT environment is increasingly being fulfilled by building secure APIs (application programming interface) that incorporate end-to-end data encryption in transit, and increasingly also at rest. Building robust security into APIs is now seen as essential to securing the IoT environment. The key attributes of secure APIs include secure communication protocols, data protection, signed firmware, hashed passwords and Private Key Authentication.
The IoT landscape is ever-increasing in size and scope. Although securing IoT devices is challenging, it is not an impossible task. By taking a systems-based approach and focusing on the 5 key areas we have identified here, can go a long way in improving the security posture of your IoT environment. At Trace3 we have the know-how and expertise to help you with this pursuit, by leveraging our deep skills pool combined with some of the latest emerging security solutions in edge computing and IoT security.
Curious with how you can secure your IoT Devices? The Trace3 Security team is here to discuss solutions that will help you start using your devices more securely.