By answering some basic questions on IoT security and pointing you to other resources on how to minimize your IoT cybersecurity risk, this will help you better understand what a robust IoT security strategy looks like.
What is IoT Security?
Larry LeBlanc, Chief Engineer, Security | Sierra Wireless
Cellular wireless technologies advancements (like LPWA and 5G), powerful IoT application platforms (like Microsoft IoT Central), secured IoT connectivity platforms (like AirVantage) and all-in-one IoT infrastructure solutions (like Octave™) are making it easier than ever for companies to deploy transformative new IoT applications. Yet, as the use of new industrial asset monitoring, predictive maintenance, smart energy, Internet of Medical Things (IoMT) and other IoT applications expands, so does the threat landscape for these applications.
Given this expanding threat landscape, and the growing number and sophistication of cyberattacks, how can organizations deploy IoT applications in a secure manner that protects them end-to-end — from edge-device to network to cloud?
IoT security is complicated, and no single article can provide you with all the information you need to implement a robust IoT security strategy that will address all your IoT applications’ vulnerabilities. However, by answering some basic questions on IoT security and pointing you to other resources on how to minimize your IoT cybersecurity risk, this will help you better understand what a robust IoT security strategy looks like, and provide you with some actionable steps you can take to implement such a strategy.
Why are IoT applications attacked?
Criminals seeking to ransom your data, competitors trying to steal your trade secrets, a rogue state actor seeking to advance their nation’s interests, a bored hacker that wants a little excitement, and other malicious actors all pose threats to your IoT applications.
Sometimes these malicious actors want to access the data generated and transmitted by your IoT applications. Other times they want to use these IoT gateways as an entry way to data on your other enterprise systems – as illustrated by the famous examples of criminals using a smart fish tank to gain access to a casino’s internal IT systems, and using a HVAC system to steal Target’s customer data. Hackers might even just be seeking to use your IoT devices to launch attacks on other organizations’ IT systems, as when the Mirai botnet took over IoT devices to launch an attack on Dyn, a domain name system (DNS) services provider, that ended up bringing down Twitter, Netflix, CNN and other sites that used Dyn’s services.
As these examples demonstrate, criminals attack IoT applications for multiple reasons, using multiple techniques. If you have an IoT application, you need an IoT security strategy that helps minimize the chances of all these types of attacks succeeding.
What is an IoT security strategy?
An IoT security strategy uses security technologies and processes to prevent IoT attacks, detect them when they do occur, and mitigate the extent and damage of these attacks.
A strong IoT security strategy should protect IoT applications end-to-end – from the Smart IoT module, router or other edge device to the Ethernet, Wi-Fi, cellular or other networks – these devices use to transmit data, to the cloud that gathers and analyzes this data and manages the edge devices.
This protection also needs to go beyond protecting just the IoT application’s data – as illustrated by the smart fish tank, Target and Mirai botnet example above, criminals might want to use your IoT application’s devices, network, or cloud to penetrate or attack your own IT systems or other organizations’ IT systems.
What unique security challenges does the IoT create for enterprises?
While many of the challenges that organizations face in securing their IoT applications are like the challenges they face in securing their business productivity, Enterprise Resource Planning, mobile and other applications, IoT security also poses its own unique challenges.
One of the biggest challenges in IoT security is the quantity of interconnected “things.” Beyond traditional IT infrastructure, the exponentially larger number of connected things increases the potential attack surface, thus creating more potential security issues. In fact, Gartner predicts there will be more than 15 billion IoT devices connected to enterprise infrastructure by 2029.
Many IoT devices have much longer expected lifetimes – 10 to 15 years or more – than the laptops, smart phones and other devices used for these other applications. This means that these devices need to be designed so they can be upgraded with security patches years in the future. This can be difficult with IoT devices, as many of these devices depend on battery power, and security upgrades use up a IoT device’s power when they are transmitted to the device.
In addition, unlike the devices used for other types of applications, many IoT devices are in places (on a pipeline, a power line, a roof, inside a piece of industrial equipment) that are difficult for people to access. This makes it important that IoT security technologies can be configured and managed remotely – sending a technician to physically connect to each device to update its security is likely to be extremely time-consuming and expensive.
IoT devices also gather data from things – hot-water heaters, air compressors, liquid fertilizer tanks – that have not had data collected from them before. Unlike computers and smartphones, these things might not have security technologies built into them, and your IoT security strategy needs to account for this.
How does 5G impact IoT security?
The new 5G cellular wireless standard offers faster data speeds, lower latency and other advantages over previous wireless standards. In doing so it does not change the way that enterprises should approach IoT security, so much as expand the IoT threat landscape with more data, more devices, and more use cases.
In some small ways, 5G does make it easier for enterprises to secure their IoT applications, since it enables mobile network operators to “slice” their spectrum to offer private cellular networks to these enterprises, separate from public cellular networks.
However, overall enterprises should see 5G as another driver to implementing a strong IoT security strategy. One that may be more complex to implement, since with 5G they are likely to have to protect more IoT devices, data, and applications than they did before.
How do I implement a strong IoT security strategy?
Cybersecurity is a complex subject, and the strategy for IoT security should reflect the specific security requirements of the IoT application and use case for which they are designed. This makes it difficult to provide you with all the information you need to implement a strong IoT security strategy – especially one that features Defense-in-Depth, with multi-layered device, network, and cloud protection — in a single blog post.
However, by following these best practices, you can strengthen your IoT security strategy and lower the probability that an IoT cyberattack will succeed in penetrating your defenses and disrupting your operations.
- Select IoT devices with advanced security features and support for secure protocols: Not all IoT devices are created equal when it comes to IoT security. By using devices with features that include secure boot, secure over-the-air firmware updates, secure storage, access controls and other advanced security features, along with support for secure protocols like HTTPS and TLS, you will position yourself to implement a strong IoT security strategy.
- Protect Your IoT network: Cybercriminals can breach your IoT application though your network as well as through your IoT devices. Ensure your devices and network and cloud allow you to put in place network security mechanisms that include stateful firewalls with Network Address Translation (NAT) and Port Address Translation (PAT), port forwarding, DMZ hosts, Private Access Point Name (APN) options and Virtual Private Network (VPN) capabilities, like IKEv2, MOBIKE, and FIPS 140-2.
- Use a Secure Cloud: Your IoT application is likely to use not just IoT devices and wireless networks, but cloud services as well. When selecting cloud services for your IoT application, confirm that the service allows you to create unique or random device credentials, encrypts data using mutual authentication, and can mitigate DDoS attacks.
- Stay Informed of New Threats: New IoT security vulnerabilities and new types of cyberattacks are constantly emerging. This requires you to constantly update your IoT security strategy to reflect these changes. By putting in place a process to collect and evaluate information on new security threats and vulnerabilities from your IoT partners as well as government agencies, and regularly ensure that all firmware or other updates needed to protect yourself from these new threats and vulnerabilities have been implemented, you can keep your IoT security strategy from weakening over time.
- Secure Your Keys: Use strong credentials for mutual authentication of devices and servers. Unique credentials should be used for each device and ideally the credential should be random, or at the very least not derived from anything knowable about the device (e.g. serial number, IMEI, MAC). Even strong credentials should be rotated in accordance with industry guidelines to limit the usefulness of any stolen credentials.
- Work with Trustworthy Partners Who Have IoT Security Expertise: As the IoT becomes integral to your business success, it is more important than ever for you to partner with companies who you can trust with your IoT applications and data. In addition, unless you are in the IoT security business, it will be difficult for your organization to invest all the resources necessary for you to have dedicated IoT security experts on your team. Partner with companies you can trust, with a long, respected IoT track record, that have offices in countries with strict regulations in place to protect their customers’ data. In addition, work with IoT partners that have built out their IoT security expertise and process with investments that include a dedicated product security team and security champions to advocate for IoT security in all areas of product management. Also look for partners who are actively involved in industry organizations focused on cybersecurity such as CTIA, GSMA, ETSI and others, and have been qualified by MITRE (the organization that operates the National Vulnerability Database) as a Common Vulnerabilities and Exposures (CVE) Numbering Authority. As a CVE Numbering Authority, these companies are trusted by MITRE to accept vulnerability reports, coordinate with security researchers, and issue CVEs reports for their products.
- Zero Trust Model: This proactive security model assumes that the network and/or devices are always at risk to internal and external threats. To counter the threats, there is a series of actions that organizations can take including strong identification for device authentication to centralized configuration and compliance solutions. Other requirements for Zero Trust for IoT solutions are based on the existing IoT infrastructure.
Where can I learn more about IoT security?
The industry organizations, research firm reports, media articles and other content below can provide you with further guidance on IoT security:
- GSMA: IoT Security Guidelines and Assessment
- Microsoft: Internet of Things (IoT) Security Best Practices
- ENISA: Guidelines for Securing the Internet of Things
In addition, these Sierra Wireless white papers, eBooks, podcasts, and webinars can help you better understand how to design and implement a strong IoT security strategy that features Defense-in-Depth:
- How Secure is Your Cellular WAN? (White Paper)
- Risky Business: Strategies for Securing IoT Endpoints (White Paper)
- Infosec Security Management Policies and Procedures (Podcast)
- Defense-in-Depth and AirLink® Security (Podcast)
- Secure Network Design for Cellular Router Deployments (Podcast)
- Modernizing Utility Infrastructure: Smart, but Not Always Secure (eBook)
Finally, Start with Sierra and contact us directly to talk about your IoT security needs, and how our IoT solutions, services, and expertise can help you protect your IoT applications from cyberattacks, freeing you to focus on maximizing your applications to unlock value in today’s connected economy.
The content & opinions in this article are the author’s and do not necessarily represent the views of ManufacturingTomorrow
This post does not have any comments. Be the first to leave a comment below.
Post A Comment
You must be logged in before you can post a comment. Login now.