A new generation of connected Industrial IoT (IIoT) devices is helping businesses leverage the power of the internet for smarter operational technology (OT). Programmable logic controllers (PLCs) are widely used to control industrial electromechanical processes for manufacturing and robotics, and are increasingly online. In cities, connected OT …
IoT & Security
IoT technologies offer many remarkable benefits. They can make complicated tasks, such as tracking a fleet of thousands of vehicles, monitoring and adjusting manufacturing processes or automating a smart home or office, simpler, easier and more cost-effective than ever before. By inviting IoT devices into our homes, workplaces and public spaces, however, we also expose new attack surfaces. When we assign an IoT system to be responsible for a critical task or trust it to monitor sensitive information in our most private spaces, we want to ensure that the system can be trusted. For this reason, it is vital that security best practices are applied at all stages when developing an IoT solution.
Familiar Old Friends
Although IoT systems introduce a slew of new security considerations, we must also remember all of our old internet security best practices. The goal of many if not most IoT systems is to monitor and surface information to human users. We need to be sure to use best practices for user management, authorization, authentication and data storage. Hashing passwords, sanitizing inputs, using SSL for all connections and using tools like two-factor authentication are standard practices across the technology industry. The IoT sector is—or should be—no different.
Because of the often sensitive and sometimes personal nature of the information gathered and generated by an IoT system, access control is also of paramount importance. Permissioning needs to be considered at a project, sub-system, device class, or even a specific device-level basis. One of the most important steps in creating an IoT solution is considering who should have access to what data. While the permissioning for this type of system might be more granular than many others because of the sheer number of devices involved, the same basic principles apply.
In addition to all of the old familiar security considerations, IoT systems introduce a host of new risks and perils.
It is crucial for any company considering the deployment of an IoT system to identify a trusted hardware partner as so many of the security risks inherent in IoT systems begin at the hardware level.
IoT devices store and use cryptographic keys to transmit their data through a gateway and (often) onward across the broader internet. Access to these cryptographic keys can allow malicious actors to spoof device data and wreak havoc on IoT systems. Because physical access to these devices in many cases can’t be controlled as rigorously as it can be with traditional computing devices, it is important that measures are taken to prevent physical device-level tampering. In some cases, where proprietary data and code are stored on the device, it may even be appropriate for the device to self-sabotage, destroying all onboard data when unauthorized access is detected.
In a world in which IoT devices control physical processes involving business operations and human safety, failure to properly secure IoT hardware can result in lost revenue, or in the worst case, lost lives. Even attacks that are seemingly less ominous can be extremely damaging to a company’s brand and the trust of its customers. Recent attacks on IoT devices, particularly webcams, in order to create giant botnets used for launching Distributed Denial of Service (DDoS) attacks are prime examples of this. A key part of these types of attacks is that the attack remains undetected. By their nature then, these attacks are not immediately damaging to hardware and software systems of targeted companies. Once it is discovered and disclosed that a company’s IoT devices have been compromised, the loss of trust that customers have in that company’s products can be devastating.
In many ways, IoT software solutions are only as good as the data being fed to them by hardware. If a hacker were to gain access to a device, extract its cryptographic keys or patch its firmware with malicious code, it would be very hard to detect that the device had been compromised because IoT data—being generated in the asymmetrical real world—is often unpredictable. It can be helpful, however, to run data analysis to ensure that devices are reporting as expected. For instance, if a device seems to be reporting more frequently than expected, it could be a sign that a device’s unique id is being used to spoof data. Setting boundaries and expectations on your data can highlight data irregularities that may indicate nefarious activity on your network. It is also appropriate in many situations to know the exact parameters that a device’s message specification should follow and to only allow certain types and fields of data to be written to storage or acted upon.
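The two checks described above, sketched as an added example (not code from the original article): an allowlist of message fields and types that gates what is stored, plus a per-device reporting-rate check. The message spec, field names, bounds and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Assumed message specification (hypothetical): the only fields a device may send.
SPEC = {"device_id": str, "ts": int, "temp_c": float}
TEMP_RANGE = (-40.0, 85.0)   # assumed plausible sensor bounds
MIN_INTERVAL_S = 60          # assumed: each device reports once a minute
MAX_EARLY_REPORTS = 2        # early reports tolerated before flagging

def validate(msg):
    """Return a list of spec violations; an empty list means the message is on-spec."""
    problems = []
    extra = set(msg) - set(SPEC)
    if extra:
        problems.append(f"unexpected fields: {sorted(extra)}")
    for field, typ in SPEC.items():
        if field not in msg:
            problems.append(f"missing field: {field}")
        elif type(msg[field]) is not typ:
            problems.append(f"wrong type for {field}")
    temp = msg.get("temp_c")
    if isinstance(temp, float) and not TEMP_RANGE[0] <= temp <= TEMP_RANGE[1]:
        problems.append("temp_c out of range")
    return problems

def screen(messages):
    """Return (messages safe to store, findings per device id)."""
    accepted, findings = [], defaultdict(list)
    last_seen, early = {}, defaultdict(int)
    for msg in messages:
        dev = str(msg.get("device_id", "<unknown>"))
        problems = validate(msg)
        if problems:
            findings[dev].extend(problems)
            continue                       # off-spec data is never stored or acted upon
        prev = last_seen.get(dev)
        if prev is not None and msg["ts"] - prev < MIN_INTERVAL_S:
            early[dev] += 1
            if early[dev] == MAX_EARLY_REPORTS + 1:   # flag once per device
                findings[dev].append("reporting faster than expected")
        last_seen[dev] = msg["ts"]
        accepted.append(msg)
    return accepted, dict(findings)

# Constructed sample traffic: sensor-a behaves; sensor-b's id appears to be shared.
SAMPLE = (
    [{"device_id": "sensor-a", "ts": t, "temp_c": 21.5} for t in (0, 60, 120)]
    + [{"device_id": "sensor-b", "ts": t, "temp_c": 19.0} for t in (0, 10, 20, 30, 60)]
    + [{"device_id": "sensor-a", "ts": 180, "temp_c": 20.0, "cmd": "open_valve"}]
)
```

A rate finding here is a signal for investigation rather than proof of spoofing; the messages are still stored so the anomaly can be examined.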
IoT Security for the Future
With the introduction of IoT solutions composed of many thousands or even millions of devices, the attack surfaces for these systems are greater than perhaps any other. However, balancing out these risks is the promise of huge, world-changing rewards. As is always the case, working with an experienced IoT solutions provider who can help you navigate this new, exciting, and sometimes frightening world is crucial.
Source: IoT For All
Earlier this year, an Illinois couple panicked when they suddenly heard a male stranger’s voice speak to their infant through the baby monitor. It turns out their smart cameras and thermostat, installed to provide security, had instead been hacked and turned against them.
More recently, a Wisconsin couple got the scare of their lives when a hacker accessed their smart home device and cranked up their heat, spoke to them, and even played vulgar music through a camera.
We don’t have actual numbers on how many more terrifying stories of smart home “invasions” are out there. We do know that as more and more homes deploy smart home devices (the global smart home market is expected to reach 53 billion by 2022), instead of just enjoying the rewards of convenience and connectivity, homeowners are also very likely to suffer very real security risks, as smart hackers turn these IoT-based gadgets – lights, locks, cameras, other surveillance systems and even common kitchen appliances such as coffee makers and refrigerators – into gateways to their homes.
In mid-2018, the FBI warned consumers that just as they secure their PCs and mobile devices, they should also safeguard their vulnerable IoT devices such as routers, cameras and other smart appliances.
Common Cyber Threats Against IoT Devices
As the use of network-connected smart home automation devices soars (many of them unsecured), so do incidents of IoT security breaches such as:
- Your public IP address pinpointed by hackers as IP addresses are revealed by unsecured devices, increasing the risk of home intrusion (criminals will know when you’re not home).
- Your hijacked device turned into an email server, able to send thousands of spam emails without the device owner even knowing about it.
- Your compromised devices recruited as malicious botnets to carry out massive Distributed Denial of Service (DDoS) attacks on government or public facilities (See https://www.iotforall.com/iot-ddos-attack/).
- Your IoT devices’ failure to encrypt messages before sending them over the network to keep communication and user information secure.
- Your device’s vulnerability to outside access because manufacturers don’t tell customers to change the default password, which threat actors can easily attain through brute force.
- Your router’s susceptibility to remote access, enabling hackers to intrude into the home network and discover unsecured IoT devices.
What Happens When Hackers Turn Smart Appliances Against You?
Once accessed and compromised, your smart appliances can wreak havoc on your life. Your smart lock, installed to be able to enter your house without a physical key? It can now lock you out or, worse, unlock the door to intruders. The smart light you set up to automatically turn on and off? It can now decide to turn on all the lights – and all the other electrical appliances – until it overloads your power system. That smart vacuum cleaner that you can schedule to do the cleaning for you? Believe it or not, it can now show potential burglars the very layout of your home. Have a router that connects your devices to the internet and makes all this convenience possible? Careful, it can now give away your personal credentials or private information.
You get the point. Every link in the “smart chain” must be secured.
Smart Devices…Not-So-Smart Security?
Smart homes are great, but they’re also way too open. According to OWASP, each IoT device alone has 15 attack surface areas.
Smart-home owners, get security smart and protect your IoT devices against attacks by:
- Accounting for all your connected devices. Be sure to note each device’s settings, credentials, versions, and recent patches so you’ll know what security steps you need to take or even if you should replace or update any device.
- Authenticating the smart home device before sending or receiving data. Using two-way authentication via cryptographic algorithms ensures that the data comes from a legitimate, rather than fraudulent, source.
- Replacing default or weak passwords to prevent hackers from accessing them through brute force, and changing device settings to achieve stronger security.
- Using encryption to protect data as it travels from your device to the cloud to ensure that no one can access the transmitted data without the proper decryption key.
- Segmenting IoT devices by deploying two wireless connections in the home, setting up IoT devices separately, and creating different passwords to prevent the spread of attacks and cut off devices in trouble.
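The two-way authentication item in the list above, as an added example that is not part of the original article: a challenge-response exchange in which device and hub each prove knowledge of a shared key before any data is accepted. The pre-shared key, the role labels and the `Party` class are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def _tag(key, role, own_nonce, peer_nonce):
    # The role label binds each proof to one direction, so a hub's proof
    # cannot be sent back to it as if it were the device's (reflection).
    data = role + b"|" + own_nonce + b"|" + peer_nonce
    return hmac.new(key, data, hashlib.sha256).digest()

class Party:
    """One side of the exchange; role is b"device" or b"hub" (hypothetical labels)."""

    def __init__(self, role, key):
        self.role, self.key = role, key
        self.nonce = secrets.token_bytes(16)   # fresh per session, so old proofs expire

    def prove(self, peer_nonce):
        """Proof of key possession, bound to both nonces of this session."""
        return _tag(self.key, self.role, self.nonce, peer_nonce)

    def verify(self, peer_role, peer_nonce, proof):
        expected = _tag(self.key, peer_role, peer_nonce, self.nonce)
        return hmac.compare_digest(expected, proof)   # constant-time comparison

def handshake(device, hub):
    """Nonces are exchanged first, then proofs; succeed only if BOTH sides verify."""
    hub_accepts = hub.verify(b"device", device.nonce, device.prove(hub.nonce))
    device_accepts = device.verify(b"hub", hub.nonce, hub.prove(device.nonce))
    return hub_accepts and device_accepts
```

Because each proof covers both parties' fresh nonces, a proof captured from one session does not verify in another.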
Best of all, adopt a solution – enterprise-grade security protection adapted for homes – that can scan your home network for any unusual activity and then immediately shut it down, while letting you know an attempt was made to invade your privacy.
Igor Rabinovich is CEO and founder of Akita.Box (Wireless IDPS) and the Akita.Cloud platform.
The Internet of Things (IoT) is fast turning into an intrinsic part of the digital transformation for industries such as utilities, transportation or manufacturing. The market is expected to reach a value of $922.62 billion by 2025, becoming one of the biggest catalysts for new emerging technologies.
Although Industrial IoT (IIoT) adoption offers benefits ranging from automating and optimizing the business to eliminating manual processes and improving overall efficiencies, security continues to be an afterthought, one that creates risk that industrial organizations are ill-equipped to manage.
The Trickle-Down Effect
The lack of mature security frameworks and the breadth of security considerations are big barriers for the improvement of IoT security. Today, there is no common approach to cybersecurity in IoT, which leaves the door open for device manufacturers to take their own approach, resulting in undeveloped or underdeveloped standards to guide adoption of IoT security measures and best practices.
In many cases, manufacturers designing IIoT devices are challenged to integrate effective security controls into the product design, which results in devices having little to no encryption for securing data at rest or in transit. Because security is not built into the device at the outset, users struggle with securing them after they have been implemented, constantly leaving the door open to potential cyber-attacks, which could lead to operational downtime, loss of customer data and even end-user safety hazards.
This challenge becomes compounded as users come up against other complicating factors, such as:
- Complexity of the ecosystem – an IIoT ecosystem is an amalgamation of diverse, dynamic, independent, and legacy devices that intertwine communication protocols, interfaces, and people. Such complexity hampers the ability of IT security professionals to even start with the most basic cyber hygiene, such as changing default passwords, keeping an inventory of hardware and software components on the company network or patching applications regularly.
- Intricate monitoring and management – the more complex an environment, the more likely it is that IT administrators lack visibility, access, and control over one or more of its components. Moreover, the deployment of IoT devices on legacy infrastructures and non-IP based devices also exacerbates the IT administrators’ inability to monitor and control these devices.
- Lack of IoT security awareness and knowledge – the lack of understanding of connected devices and architecture security poses a significant challenge. Most organizations don’t have a full understanding of the risk and exposures they face to protect their devices or the real impact (both positive and negative) those devices have on their security posture.
Thinking of security as an afterthought is one of the most common mistakes when building or adding new connections. IIoT can be effectively disruptive if done properly; when done poorly, it creates unnecessary risks.
Industrial IoT Security – Partnering for IIoT Security Success
Many organizations don’t have the skills needed to maintain, let alone build their IIoT security architecture. For that same reason, they should consider partnering with specialists when moving into this space.
Managed security service providers (MSSPs) are adapting offerings to address the needs of complex IIoT environments. As IIoT devices have different application requirements, deployment conditions and networking needs than traditional enterprise environments, MSSPs are investing in specialized capabilities to understand how to configure devices for at-scale operations and to ensure that best practices are followed for both preventative and real-time maintenance.
Businesses considering partnering with an MSSP should take into account the expertise, resources and services their potential partner will bring to the table. They need to look for a provider that will deliver leading-edge security features such as threat intelligence and monitoring, data correlation and device management and support, while also understanding the differences between monitoring traditional networks with these unique technologies. Leadership will also need to revisit policies and procedures on risk management through an IIoT lens and use audits and assessments as enablers for the application of relevant security controls.
The influx of IoT devices has opened up new entry points into enterprise networks that cybercriminals can exploit. Whether it is in a new connection or an extension of a legacy architecture, cybersecurity must be at the core of the IIoT implementation. Organizations will need to take a defense-in-depth approach to cybersecurity if they are to be better prepared to face the threats targeting IIoT. This starts by identifying the challenges their implementations present, from the increased complexity to awareness and management. The point behind IIoT is to create a seamless connection between people, devices, and networks and drive efficiencies on an industrial scale. If this is to be achieved, cybersecurity is the one guest that cannot be late to the party.
Source: IoT For All