Securing environments with IoT devices requires a comprehensive functionality assessment as well as access control measures.
Addressing IoT security challenges is not possible without a mature security foundation, which many organizations still lack.
As organizations build a robust security architecture, their focus can gradually shift from remediation to a more proactive stance.
Despite the wide variety of cybersecurity guidelines, relatively few organizations deploying emerging technology have a mature security strategy. While cybersecurity awareness has increased, businesses with an ineffective cybersecurity posture face mounting risks. Cyberattacks themselves have become more damaging, and regulatory pressures related to security and privacy have escalated.
The Internet of Things (IoT) continues to raise the stakes, extending digital technology’s reach into the physical realm. Thanks to the interface between the digital and physical world created by IoT technologies, a cyberattack could potentially prompt various scenarios, from business disruption to industrial accidents. In addition, as IoT technology becomes more sophisticated and distributed within IT environments from the cloud to edge architectures, cybersecurity grows more complex.
The question of what to defend has also grown murkier. Decades ago, organizations using computing technology had a clear perimeter to protect. Typically, their computing and networking hardware was located in one or more buildings. Similar to how nobility erected castles in the Middle Ages, computer security professionals built a series of defenses for assets. People and processes inside a defined perimeter were largely trusted, while those outside were not.
Although the castle approach remains, its limitations have grown more apparent. One of the central IoT security challenges is its incompatibility with a perimeter-based security model focused on guarding a homogeneous set of computing assets. The popularity of cloud computing and remote working poses further hurdles. The increasing risk of attacks occurring within the traditional security perimeter is another worry. As Forrester observed, the castle model tends to create a network “with a hard, crunchy outside and a soft, chewy center.” Additionally, over the past decade, a series of organizations with substantial, often multimillion-dollar, security budgets focused on perimeter-based defenses have fallen prey to attacks exposing troves of data.
Identifying What to Protect
One of the first steps in establishing a strong security foundation is to assess your various assets and related processes. Cybercriminals targeting your organization are likely to start with that same focus.
For manufacturers incorporating IoT functionality into products, this foundational stage involves addressing potential vulnerabilities early on as well as taking steps to harden products over time. While the need to incorporate baseline security in IoT devices is clear, until recently, manufacturers had little incentive to do so. Now, a growing body of legislation and regulatory precedent has spurred manufacturers to prioritize security.
“It is creating a commercial pressure [for manufacturers] to at least have a baseline security level, or you could face legal ramifications,” said Andrew Jamieson, director of technology and security at UL.
Similarly, organizations building IoT technology into an environment should assess the risk of each node on a network while addressing potential vulnerabilities created by new technology interfacing with legacy software and hardware.
Such an assessment isn’t possible without an accurate asset inventory, which is difficult to create as connected devices proliferate. “One of the biggest challenges is that there are so many different industry verticals and different kinds of devices,” said Zulfikar Ramzan, chief technology officer at RSA.
The goal of establishing an accurate inventory is challenging for many industrial organizations. “Because of the proliferation of IoT devices on [operational technology] networks, there’s a large discrepancy between what they think they have and what they actually have,” said Dave Weinstein, expert associate partner at McKinsey & Co. Further, in industrial and enterprise contexts many IoT devices are unmanaged. “You’ve got folks who install them on an as-needed basis,” Weinstein said.
There is also a challenge in defining normal behavior for a given connected device. “It’s one thing to know there is, for instance, an MRI machine on the network. It is another to know if it is being used for some nefarious purpose,” Ramzan said.
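The gap Weinstein describes between documented and actual devices can be measured by reconciling the asset inventory against what network monitoring observes. The sketch below is an added example, not part of the original article; the record fields, segment names and MAC addresses are constructed assumptions.

```python
# Added example: reconcile a documented asset inventory against devices
# actually observed on the network. All records below are constructed samples.

def norm_mac(mac):
    """Normalize MAC notation (case, ':' / '-' / '.' separators) for matching."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def reconcile(inventory, observed):
    """Return devices that are unmanaged, missing, or on an unexpected segment."""
    documented = {norm_mac(d["mac"]): d for d in inventory}
    seen = {}
    for o in observed:
        seen.setdefault(norm_mac(o["mac"]), set()).add(o["segment"])
    report = {"unmanaged": [], "missing": [], "wrong_segment": []}
    for mac, segments in sorted(seen.items()):
        if mac not in documented:
            # On the wire but never documented: the "as-needed" installs.
            report["unmanaged"].append((mac, sorted(segments)))
        elif segments != {documented[mac]["segment"]}:
            # Documented, but seen somewhere other than where it should be.
            report["wrong_segment"].append(
                (documented[mac]["name"], documented[mac]["segment"], sorted(segments)))
    for mac, d in sorted(documented.items()):
        if mac not in seen:
            # Documented but silent: retired, powered off, or a stale record.
            report["missing"].append(d["name"])
    return report

# Constructed sample: what the organization thinks it has...
INVENTORY = [
    {"name": "plc-line1", "mac": "00:1A:2B:3C:4D:01", "segment": "ot-cell-1"},
    {"name": "hmi-line1", "mac": "00-1A-2B-3C-4D-02", "segment": "ot-cell-1"},
    {"name": "badge-reader-3", "mac": "001a.2b3c.4d03", "segment": "facilities"},
]
# ...and what passive monitoring (e.g. DHCP/ARP observation) saw.
OBSERVED = [
    {"mac": "00:1a:2b:3c:4d:01", "segment": "ot-cell-1"},
    {"mac": "00:1a:2b:3c:4d:02", "segment": "corp-lan"},   # documented elsewhere
    {"mac": "00:1a:2b:3c:4d:99", "segment": "ot-cell-1"},  # never documented
]

if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED).items():
        print(category, items)
```

Each of the three report categories calls for a different follow-up: unmanaged devices need an owner, wrong-segment devices need a segmentation review, and missing devices need the inventory record confirmed or retired.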
Macro- to Micro-Level Risk Assessment
Once an organization creates a comprehensive asset inventory, it can perform an in-depth analysis of its attack surface, which consists of various entry points attackers could abuse. The process is multifaceted, including analyzing how devices communicate, how they are administered, and the software and hardware they use.
This step involves documenting physical assets, IoT endpoints and related workstations and networking hardware, digital assets (including databases and cloud capabilities) and assessing who can access them. Another consideration is the communication and interaction among various components and assets. While few organizations understand their entire inventory, such knowledge can assist in identifying, prioritizing and remediating vulnerabilities.
A first step in creating a risk-based security strategy is establishing a bird’s-eye view of assets. But more challenging is quantifying the risk these assets pose. Once a baseline schematic is created, the next step is to take a closer look at the various components in the architecture and the attack surface they create. Given the broad and often malleable definition of IoT technology, “one of the first things you have to do is decide on a taxonomy of what these systems are,” Jamieson said. “And as our ability to understand security increases, we’re going to see an evolution of that taxonomy.”
Organizations can start by creating functional block diagrams for individual IoT devices that cite the software stack they use, including relevant software frameworks, third-party tools and so forth.
Relevant software security considerations include the following:
What degree of control does the software have over assets and what type of data does it store? How could an attacker exploit those elements?
Does the software have known vulnerabilities or include back doors?
How does the software respond to various hardware malfunctions or performance problems?
What type of encryption and authentication does the software support?
What kind of code review has the software received?
Is there a secure infrastructure for regular automatic software updates, including for firmware?
How secure is the authentication process?
Does the software collect sensitive data? If so, are there defined procedures for protecting it?
Many IoT devices feature lightweight computing capabilities and rely on cloud-based services for some degree of their functionality. For cloud-based IoT services, organizations should ensure that off-premises software is configured correctly and that appropriate access controls are in place. Lax cloud security controls have fueled myriad data breaches in recent years.
Conversely, secure cloud infrastructure can enable organizations to streamline security operations. Consider the benefits for IoT device makers relying on cloud functionality for their products. The centralization of cloud architecture enables manufacturer agility in terms of software updates that improve security while maintaining interoperability and functionality. “If we have a mature cloud framework interacting with IoT systems, you can use that framework to benefit new products … and currently fielded products as well,” Jamieson said.
Despite hardware costs declining, IoT devices have matured in processing capabilities and functionality. The edge computing model, which brings computation and data storage closer to the data source, is becoming more prevalent. Given that edge computing deployment is at an initial stage, edge-specific cyberattacks are still minimal.
But IoT deployments using an edge computing architecture often deserve special security consideration. First, edge computing devices communicating with gateway devices can complicate network visibility. Second, as endpoints gain functionality, they demand more sophisticated software. “As you increase the amount of code, you increase the attack surface,” Jamieson said. Similar to the situation with the cloud, the expanding capabilities of edge computing offer pros and cons from a security perspective. On the one hand, it potentially allows attackers to run more code to survey network components, perform crypto-mining and so forth. On the other, the increase in processing capabilities enables IoT implementers to take advantage of more sophisticated security software agents.
Given the “Internet of Things” moniker, two foundational security considerations are networking and hardware. While IoT promises a dramatic increase in the types of networked devices, the basic architectural underpinning in most implementations remains broadly similar to traditional networking deployments. For that reason, traditional reference architecture models such as the Open Systems Interconnection (OSI) model and the Purdue Model of Control Hierarchy for industrial control systems can benefit IoT deployments, depending on the context. While such models can help organizations evaluate architectural hierarchy and interconnection between assets, they are no substitute for a security reference architecture.
Networking and hardware considerations relevant to cybersecurity include the following criteria:
What types of communication protocols and wireless authentication methods does the system use?
What type of network security features are supported?
Is end-to-end encryption supported and feasible?
How secure is the hardware? Do endpoints include embedded security features such as trusted platform modules or hardware security modules?
What threat might a physically present attacker pose to the hardware or networking gear (i.e., vandalism and tampering)?
The OSI model can be valuable when assessing a range of networking attacks. An essential element is to implement the principle of least privilege, which limits access to the greatest extent possible without interfering with core processes. Organizations can also improve their maturity by embracing cryptographically protected and multi-factor authentication where feasible.
One element that can complicate a centralized approach to access control is third-party relationships with business and channel partners. A variety of vendor security assessment tools are available. Frameworks such as the Department of Defense’s recently released Cybersecurity Maturity Model Certification can also be valuable in assessing third-party cybersecurity maturity.
Putting the Pieces Together, Securely
Once organizations have addressed basic and intermediate-level cyber-hygiene issues, their focus can become more proactive: validating security controls and enhancing them over time. Organizations pursuing advanced cybersecurity maturity stand not only to reduce a vital element of business risk, but also to safeguard their reputation and their potential to differentiate themselves in the marketplace.
Such maturity isn’t possible without factoring in cybersecurity from the beginning of a relevant process, whether designing a new product or rolling out a smart factory. “Organizations need to shift security earlier in the process,” said Sean Peasley, a partner at Deloitte.
While regulations such as the European Union’s General Data Protection Regulation and the California IoT Security Law are helping drive security awareness, they are less valuable to organizations with ambitions to make considerable progress in optimizing security controls. “They are a minimum set of requirements,” Jamieson said. “If you are a company that wants to market on security, the baseline is not good enough. You need to represent to your customers that you go beyond that.”