People are often portrayed as the weakest link in a security chain. People can be fooled into revealing passwords, or will often choose passwords that are easily guessed. That focus on human error may lead some business owners or IT professionals to believe that IoT, given its near total level of automation, is inherently secure. Nothing could be further from the truth, because nothing is inherently secure.
IoT environments present cyber-criminals with a labyrinth of opportunities, and this year that labyrinth is expected to grow in size by 15 percent (year-on-year) to reach 20 billion devices, according to IHS Markit. To put that figure into perspective, the total number of unique mobile subscriptions globally stands at 4.9 billion (according to the GSMA). IoT dwarfs person-to-person mobile use in terms of connections and, consequently, in terms of its potential for breaches in security.
An IoT environment typically includes network communications, radio frequency communications, cloud APIs, mobile apps, cloud services, and command and control applications found in the mobile and cloud-based pieces of the ecosystem. The IoT value chain is long and complex, with every element being both essential and interdependent. Furthermore, every link in the chain represents a potential vulnerability and, just like every other industry, no one provider can cover all of the IoT security vulnerabilities.
This fragmented landscape means that IoT security takes a village.
The village people
The device manufacturer is arguably the most obvious link in the IoT chain. These firms are not necessarily the manufacturers of the “things” being connected; rather, they are specialist manufacturers of the elements, such as communications modules and sensors, that enable the things to be connected.
Establishing who takes responsibility for securing the things is crucial. The party with technical responsibility may well be different from the party that the end user considers responsible. A car buyer will assume the automotive firm is responsible – or possibly even the dealership. The smart meter user will hold the utility provider responsible. In both of these examples, the party held accountable may have little expertise or knowledge of IoT security. Ultimately though, the end user-facing firm will own the responsibility, because they'll be in the firing line if things go awry.
End users are likely to view the hardware provider as the responsible party, but any problems that arise with devices are more likely to exist in the software. Application developers will need to include strict controls for authenticating user access. IoT software must have robust fraud detection and prevention mechanisms to protect both the device and the data.
Moving away from the device layer, vulnerabilities also exist at the network level. Devices will connect to the internet via cellular, Wi-Fi, Bluetooth, LPWAN or even satellite. In the case of cellular, there is a certain level of security already built in. Cellular connectivity uses global standards, with ciphering keys and encryption algorithms held on the SIM itself, to securely transmit and receive data. Cellular IoT also allows device data to be routed into private networks to isolate it from other network traffic.
Cloud platform providers will also play a pivotal role in the development of a fully functioning IoT security landscape. Some, such as IBM, Microsoft and Salesforce, will be focused on securing the data generated by connected devices in the cloud, while other IoT platforms, such as the Cisco Jasper Control Centre, will manage, monitor and secure the connectivity of deployed devices.
Devices represent a gateway for attackers. The level of risk will vary depending on the context in which the device is being used. Various layers of security, such as authentication, user access, application access, device lifecycle management and data encryption, should all be considered in order to safeguard connected devices. There is often a cost/benefit trade-off in security between protecting everything and paying for everything – and this trade-off can be quite pronounced for devices where thousands or millions are in use. Furthermore, device data has different levels of sensitivity. Data originating from a sensor tracking radiation at a nuclear power plant is arguably more sensitive than data from a farmer's weather station. Understanding what and how many devices are in use, and the type of data being collected, are critical first steps in building the appropriate device security strategy.
Network and data protection
If devices are gateways, then networks represent the connectivity highways over which data is transported to the cloud applications that deliver IoT services. Protecting this highway is every bit as important as keeping devices secure – because even if the devices are secure, there are myriad entry points on any network. As with device protection, there are numerous options for securing a network, and the strategy used will depend on the type of connectivity, the networks involved and how the devices are used.
Wireless connectivity, such as Wi-Fi or cellular, and fixed-line connections each have their own set of security protocols. Device data in transit should always be encrypted and routed through secure private networks rather than sent openly over the internet. Additionally, to ensure devices communicate only with the appropriate applications, network authentication allows operators to verify and authorise devices on both the network and the applications within the network.
The true power of IoT stems from connecting devices via secure networks to the cloud. The importance of robust cloud security therefore cannot be overemphasised. When protecting cloud infrastructure, organisations should consider both digital and non-digital security practices. Adhering to standards such as ISO/IEC 27001 can provide a critical part of an overall strategy for ensuring information security.
In addition to securing the overall environment, businesses need to get granular with controls for the IoT applications themselves, specifically with regard to role-based access and anomaly detection. For role-based access, organisations should implement identity management and access control lists to ensure that applications in the cloud give the right access to the right people. For anomaly detection, organisations should make sure that the IoT platform they use can not only detect anomalous or suspicious behaviour, but also automate the remediation of any anomalies.
The IoT security checklist
The forecasts for IoT growth are huge, whether in terms of connected devices, data transported or revenue earned. However, with massive reward comes massive risk. Businesses throughout the value chain need to take a holistic view of the security village, which, of course, is easier said than done. Taking a holistic view means looking at all of the players in the ecosystem: devices, networks and connectivity platforms. This will help in the planning and implementation of a solid IoT security strategy.
To help focus your IoT security strategy, be sure to:
- Evaluate the end-to-end identification and authentication of all entities involved in the IoT Service (i.e. gateways, endpoint devices, home network, roaming networks, service platforms)
- Ensure all user data shared between the endpoint device and back-end servers is encrypted
- Store and use all “personal” and regulated data according to local privacy and data protection legislation
- Utilise an IoT connectivity management platform and establish rules-based security policies so immediate action can be taken if anomalous behaviour is detected from connected devices
- Take a holistic, network-level approach to security
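The two application-level controls called out above, role-based access and rules-based anomaly detection with automated remediation, can be sketched in a few dozen lines. The following is an added illustration, not code from the original post or from the Cisco Jasper Control Centre; the connectivity record format, the thresholds, the role names, the host names and the meter IDs are all constructed assumptions. It applies a policy (allowed back-end destinations, a hard per-session byte cap, a reporting window and a per-device volume baseline) to a handful of constructed session records, classifies findings by severity, maps high-severity findings to a quarantine action, and gates management actions behind an explicit role ACL.

```python
"""Rules-based anomaly detection and role-based access over IoT connectivity
records. Added illustration for this article; not code from the original post
or from Cisco Jasper Control Centre. Record format, thresholds, roles, hosts
and device IDs are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    device_id: str   # connectivity platform's identifier for the SIM/device
    hour: int        # hour of day (0-23) at which the session started
    bytes_tx: int    # bytes the device sent during the session
    dest: str        # host or IP the device connected to


@dataclass(frozen=True)
class Finding:
    severity: str    # "high" or "medium"
    reason: str


@dataclass(frozen=True)
class Policy:
    allowed_dests: frozenset      # back-end hosts the fleet may talk to
    max_bytes_per_session: int    # hard cap; exceeding it is always "high"
    reporting_hours: range        # hours in which sessions are expected
    baseline_multiplier: int = 5  # sessions above N x baseline are anomalous


def evaluate(records, policy, baseline_tx):
    """Apply the policy to each record; return {device_id: [Finding, ...]}.

    baseline_tx maps device_id to its normal bytes-per-session. A device
    with no baseline is compared only against the hard cap.
    """
    findings = defaultdict(list)
    for r in records:
        if r.dest not in policy.allowed_dests:
            findings[r.device_id].append(
                Finding("high", f"unexpected destination {r.dest}"))
        if r.bytes_tx > policy.max_bytes_per_session:
            findings[r.device_id].append(
                Finding("high", f"session sent {r.bytes_tx} bytes, above hard cap"))
        elif (r.device_id in baseline_tx
              and r.bytes_tx > policy.baseline_multiplier * baseline_tx[r.device_id]):
            findings[r.device_id].append(
                Finding("medium", f"session sent {r.bytes_tx} bytes, above "
                        f"{policy.baseline_multiplier}x baseline of {baseline_tx[r.device_id]}"))
        if r.hour not in policy.reporting_hours:
            findings[r.device_id].append(
                Finding("medium", f"session at hour {r.hour} outside reporting window"))
    return dict(findings)


def remediate(findings):
    """Automated response: quarantine on any high finding, otherwise alert."""
    actions = {}
    for device_id, device_findings in findings.items():
        if any(f.severity == "high" for f in device_findings):
            actions[device_id] = "quarantine"   # e.g. suspend the SIM on the platform
        else:
            actions[device_id] = "alert"        # notify operators, keep traffic flowing
    return actions


# Role-based access for the management application itself (constructed roles).
ROLE_PERMISSIONS = {
    "viewer": frozenset({"read_telemetry"}),
    "operator": frozenset({"read_telemetry", "quarantine_device"}),
    "admin": frozenset({"read_telemetry", "quarantine_device", "reflash_firmware"}),
}


def authorize(role, action):
    """True only if the role's access control list explicitly grants the action."""
    return action in ROLE_PERMISSIONS.get(role, frozenset())


# Constructed sample data: four smart meters reporting to one back end.
POLICY = Policy(
    allowed_dests=frozenset({"telemetry.example.internal"}),
    max_bytes_per_session=1_000_000,
    reporting_hours=range(6, 22),
)
BASELINE_TX = {"meter-001": 1200, "meter-002": 1100, "meter-003": 1300, "meter-004": 1000}
SAMPLE_RECORDS = [
    Record("meter-001", 10, 1200, "telemetry.example.internal"),   # normal
    Record("meter-001", 11, 1500, "telemetry.example.internal"),   # normal
    Record("meter-002", 3, 1100, "telemetry.example.internal"),    # off-hours session
    Record("meter-003", 12, 9_000_000, "203.0.113.9"),             # unknown host, huge upload
    Record("meter-004", 12, 8000, "telemetry.example.internal"),   # 8x its own baseline
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_RECORDS, POLICY, BASELINE_TX)
    for dev, fs in found.items():
        for f in fs:
            print(f"{dev}: [{f.severity}] {f.reason}")
    print(remediate(found))
```

The split between a hard cap and a per-device baseline matters in practice: a fleet-wide cap catches gross misbehaviour without any history, while the baseline comparison catches a single meter that starts sending several times its own usual volume while staying well under the cap. Keeping the quarantine decision in a separate step from detection is what makes the remediation automatable and auditable, and the role check ensures that the same management application cannot be used to push firmware by an account that is only entitled to quarantine devices.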
For more information about building a secure IoT environment, download the whitepaper Understanding IoT Security.
Contributed by Sanjay Khatri, global head of platform product marketing, Cisco Jasper
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.