You may not be aware that the Internet of Things (IoT) has already invaded your organisation. Consider that the massive Target breach of 2013-2014 stemmed from network infiltration through Target’s HVAC (heating, ventilation, air conditioning) vendor. An IoT device is basically a sensor with intelligence and connectivity. Pedestrian devices have become smart and network-connected; think of telephones, security devices, and HVAC, among others. Each new connected device introduced to a network can become a hacker’s entry point into the network.
And the number of IoT devices is growing dramatically. This is why Microsoft wants to get in on the act. It has acquired Solair, adding a working and proven set of IoT products and software on the Microsoft Azure platform, to enhance its growing cloud services business.
The complicated history of IoT
Security was not an important consideration in the first generation of PCs. After all, they were “personal computers”, networked only for printer service. As network capabilities grew, especially when PCs became capable of accessing corporate assets on minicomputers and mainframes, security was added as an afterthought. This pattern continues in the development of IoT devices.
Most IoT devices are not generic; they are manufactured for a specific purpose. Thus a single company may host a plethora of device types: one for lighting management, another for security cameras, and so on. The code that manages most IoT devices is often ad hoc, created by engineers and/or users with no DevOps training, so there is next to no standardization of what you might call the “operating system”. Establishing an orderly and systematic method of patching faulty or insecure code is well-nigh impossible. There are now thousands of vendors implementing thousands of unique combinations of software and dozens of technologies (Wi-Fi, Bluetooth, NFC, Zigbee, RFID) on literally billions of new devices.
IoT devices typically lack the computing power to support proper security tools such as encryption. No wonder there have been outbreaks of hacks involving medical devices, automobiles, baby monitors, and physical security systems.
There is no single department that is consistently given responsibility for implementing and supporting IoT. Depending upon the company, it could be the user department, engineering or IT. This speaks to the cross-cutting nature of IoT. Although IT tends to be chosen to manage IoT projects because of its background in project management, most IT personnel have limited exposure to embedded software development. Moreover, the useful life of IoT devices is typically longer than that of PCs or mobile devices, making continuity of support a major concern.
IoT chips can contribute to security vulnerability
IoT vendors have traditionally incorporated Application-Specific Integrated Circuits (ASICs) with unalterable programs, all memory being read-only. This approach minimizes security vulnerabilities. But vendors are increasingly using another type of integrated circuit, the Field Programmable Gate Array (FPGA), whose logic is reconfigurable, even at run time.
A Georgia Tech case study asserts that with FPGAs, "There are entirely new attack vectors to consider, ones that lie outside the traditional computer security mindset." The study introduces an entirely new architecture to deal with these vectors, which its authors call the Trustworthy Autonomic Interface Guardian Architecture (TAIGA).
Standards for smart devices
Speaking of standards, the vulnerability of IoT devices has not been lost on industry and the public, and there are a number of promising approaches.
For network-connected smart medical devices, the DTSec standard was unveiled by the Diabetes Technology Society in May 2016. DTSec contains a set of performance requirements to improve cybersecurity through independent expert security evaluation by DTSec-approved labs such as Brightsight. The Diabetes Technology Society will publish the names of products that successfully pass the evaluation process. At this point, the standard applies only to diabetes-related smart devices such as insulin pump controllers and continuous glucose monitors.
The IoT Trust Framework from Online Trust Alliance (OTA) takes another tack, issuing guidelines for IoT manufacturers, developers and retailers. The OTA has such influential members as Microsoft, Symantec, ADT, AVG, Target, TRUSTe and Verisign. The proposed guidelines include the following:
- Make privacy and data collection policies available before purchase, and encrypt or hash all personally identifiable data at rest and in motion. Users should be told whether they can remove or anonymize all personal data when they stop using the device or when it reaches the end of its life.
- Require manufacturers to conduct penetration testing on their products and to tell consumers about vulnerabilities.
- Prompt for default passwords to be uniquely generated or changed on first use.
- Websites linked to the IoT must adhere to SSL best practices and HTTPS encryption by default. In the 2015 OTA Audit, websites of the top 50 IoT manufacturers were evaluated for the first time, receiving a dismal failure rate of 76 percent.
The OTA is also developing testing tools and methodologies. Eventually, OTA plans to have a certification program.
Integrating IoT into your company
Policy and procedure for the use of IoT should be in place before it is implemented in an organisation. Recent research from ForeScout Technologies analysed responses from over 350 IT professionals at a wide range of companies around the world. Fewer than half (44 percent) of respondents have a security policy that includes IoT devices. Almost a third (30 percent) said their company had no specific solution in place to secure IoT devices, and 26 percent did not know whether they have security policies for their devices.
Some other considerations include:
- IoT devices have the same legal ramifications as any server. For example, privacy laws apply.
- Segment your network. This has two advantages. First, it limits a breach to a small subset of the network, allowing faster quarantine and remediation. Second, attempts at unauthorized movement between segments are more easily detected.
- Each connected device, IoT or otherwise, should be able to encrypt network traffic.
- Consider implementing WebTitan. It protects organisations from threats by managing internet traffic. It can protect the network from malware and malicious attacks and control bandwidth usage.
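As an added example (not code from the original post or from any vendor named in it), the following Python script shows the detection benefit of segmentation described above: constructed firewall log lines are checked against assumed segment ranges (an IoT VLAN, a corporate VLAN and a management segment) and an assumed allowlist of permitted cross-segment flows, and anything else crossing a segment boundary is reported. The log format, addresses and allowlist are all assumptions for illustration.

```python
import ipaddress

# Segment layout assumed for this example; adjust to your own addressing plan.
SEGMENTS = {
    "iot":  ipaddress.ip_network("10.50.0.0/16"),   # cameras, HVAC controllers, etc.
    "corp": ipaddress.ip_network("10.10.0.0/16"),   # user workstations and file servers
    "mgmt": ipaddress.ip_network("10.0.0.0/24"),    # telemetry collector, NTP, jump hosts
}
# Cross-segment flows that policy permits: (source segment, destination segment, port).
ALLOWED = {("iot", "mgmt", 443), ("iot", "mgmt", 123), ("mgmt", "iot", 22)}

# Constructed firewall log lines in a simple key=value format (not real device output).
SAMPLE_LOGS = [
    "2016-05-20T10:00:01Z src=10.50.3.21 dst=10.0.0.5 proto=tcp dport=443 action=allow",
    "2016-05-20T10:00:05Z src=10.50.3.21 dst=10.10.4.7 proto=tcp dport=445 action=deny",
    "2016-05-20T10:00:09Z src=10.50.3.21 dst=10.50.3.1 proto=udp dport=53 action=allow",
    "2016-05-20T10:00:12Z src=10.10.4.7 dst=10.50.3.21 proto=tcp dport=80 action=allow",
    "2016-05-20T10:00:15Z src=10.50.3.21 dst=203.0.113.9 proto=udp dport=53 action=allow",
]

def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "external")

def parse_flow(line):
    """Parse one '<ts> k=v k=v ...' line into a dict; the port becomes an int."""
    ts, *tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens)
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields

def find_lateral_flows(lines):
    """Return alerts for cross-segment flows the allowlist does not cover.
    Denied attempts are reported too (medium): a camera probing SMB on the
    corporate segment is a sign of compromise even when the firewall blocks it."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        # Intra-segment and Internet-bound traffic are out of scope for this check.
        if (src_seg == dst_seg or "external" in (src_seg, dst_seg)
                or (src_seg, dst_seg, f["dport"]) in ALLOWED):
            continue
        severity = "high" if f["action"] == "allow" else "medium"
        alerts.append((f["ts"], f["src"], src_seg, f["dst"], dst_seg, f["dport"], severity))
    return alerts

if __name__ == "__main__":
    for alert in find_lateral_flows(SAMPLE_LOGS):
        print(alert)
```

Running it reports the denied camera-to-file-server SMB probe and the unexpected corporate-to-IoT HTTP connection, while the permitted telemetry, intra-segment DNS and Internet-bound traffic are ignored.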
Hopefully this is food for thought. I’d love to hear your thoughts on this subject. What challenges does IoT pose for your organisation? Feel free to contact me at firstname.lastname@example.org