Originally posted on November 26, 2018 on LinkedIn.
Nobody anticipated the internet would cause the disruption it has, when it was first invented. Not even the inventors and innovators. Personal lives, businesses and governments have all been overhauled by the widespread use of the internet. The internet of things is a true epitome of how the internet has changed every aspect of human life. Security is a major concern as far as the internet of things is concerned. Below are 10 ways through which you can secure the internet of things.
The internet of things consists of a web of physical devices connected through the internet. Transmission of data across these devices is immediate. Businesses and organizations are able to operate more efficiently and adapt quickly to business environment changes. IoT systems ensure the machines can make predictions, and automatically make decisions based on these changes. The IoT basically puts all your IT systems at the control of your finger.
IoT is driving business enterprises and government organizations nowadays. Industries are enjoying enhanced equipment maintenance and better asset management. Sale departments are getting real-time information on market behaviors. Supply chain management has been automated. All this proves that human-machine collaboration has never been better.
Risks Posed to IoT Systems
All these improvements are impressive. However, we should never even for a moment close our eyes at the data security challenge posed to IoT systems. The control of IoT systems is prone to falling in the hands of the people. All endpoints of an enterprises systems need to be tightly secured. Cyber resilience should be a major focus for any enterprise. Enterprises should be able to keep up with technology innovations and improvements. Cyber threats come from all quarters. Today, anyone who does not want an enterprise to thrive will target their IT and IoT systems. The risks posed include;
• The enterprise has integrated IoT technologies into all its systems, and those of partners. The leaves them with little to zero control over data security.
• Size has been the latest craze as far as IoT devices are concerned. A lot of effort is put into developing little devices that consume lesser space. Such devices are difficult to spot or control.
• All the connections in the IoT webs are not similar. Some are weak and vulnerable. They could be easily breached. The integrity of the enterprise’s data could be compromised through connections that it does not have jurisdiction over.
• Cybercriminals are always salivating and the prospects of getting in a large corporation’s IoT systems. Cyber-attacks on business have been very rampant recently.
Cybersecurity within IoT systems cannot be overlooked. The consequences of failure or security breach on such systems are devastating. Any security breach could affect all the operational assets on the system and bring the whole enterprise to its knees. Partners, suppliers, and customers could also suffer under such circumstances. For instance, in October 2016, a distributed denial-of-service (DDoS) attack was executed on service provider Dyn through an IoT botnet. It was the largest of its kind. A large part of the internet was taken down, and it affect other large companies such as The Guardian, Netflix, Reddit, CNN, and Twitter.
The attacking IoT botnet was created by a malware named Mirai. Computers Infected with Mirai would start continually searching the internet for weak and vulnerable IoT devices and networks. Default Usernames and passwords would be used to log into these devices and deposit malware. DVR players, digital cameras, digital switches, and many other devices were affected.
The infected devices are operated by human for various purposes. The physical security and safety implications of a breach is enormous. Such a breach would put business partners at risk, or at times cause injury to workers. Take for instance the digital switches, the malware could make them malfunction and start leaking current. That would put the operators at risk of electrocution. During a recent incidence, Strava, a fitness app that posts heat maps of the user’s exercise routes online malfunctioned and inadvertently disclosed the location and layout of North African U.S military bases.
IoT drives the today’s world. Any serious organization has to integrate it into its systems at some point. The organizations have to make cyber resilience a top priority though. Cyber resilience is not an issue of just the IT part of a business. It touches on physical and organizations aspects of the business.
IoT and Governance
The World Economic Forum (WEF), in a 2016 report, stressed the importance of boards of directors to understand new technologies and their effect to the cyber resilience of their company. It advised them to take responsibility for coming up with, and implementing an effective and efficient strategy. According to the WEF survey of business leaders, 88% of the leaders felt that businesses are not prepared for the IoT and cyber resilience challenge.
The report looked into four case studies. The case studies were in the transportation, healthcare, critical infrastructure, and automotive sectors. IoT risks have been picked out in all of these sectors. The conclusion made by WEF was that it is crucial for boards to refer to the 10 principles of cyber resilience governance, as outlined in the report. Principle 4 is- integration of cyber resilience. It is one of the most important principles among the 10. It concerns the design of IoT systems. The designs of the IoT systems have to be certified as secure before they are integrated into an organization.
IoT Cyber Resilience Standards
As of now, there are not law or regulations governing IoT systems and IoT security. Standards for IoT systems have not been developed yet either. The components of an IoT systems are probably to many, for anybody to formulate effective regulations and standards for a whole system. A bipartisan group of U.S. senators in August 2017, introduced a bill proposing some basic security standards for any network of devices purchased and operated by the U.S government.
Among the top objectives of the proposed legislation was to ensure that security is part of the development of any new systems from the word go. Governments around the world are currently considering having such a regulation among all their systems. Business enterprises and other organizations need to be vigilant of such legislation and regulation to ensure they are not caught unaware.
The European Union has formulated directives aimed at securing the IoT, although Europe does not have any specific legislation concerning IoT security. The Network Information Security Directive, is one that obligates IoT operators to take responsibility for, and manage risks that their IoT systems are exposed to.
Relevant IoT security standards are now urgently required to ensure the systems are secure with a certain level of certainty. For instance, IoT solutions in healthcare need to consider nonbinding recommendations from the U.S. Food and Drug Administration concerning the management of cybersecurity of medical devices. The IoT systems integrated in the European transport sector need to be subject to the Directive 2010/40/EU on in-vehicle communications protection as well.
Standard security controls and protocols can be employed in mitigating IoT security risks. Controls such as assets and configuration management, risk management, and network segmentation can all be applied in IoT security. Organizations should strongly consider adopting standards such as the he international standard for information security management systems (ISO/IEC 27001:2013).
IIoT: New Threats to Industrial Operations
Industries have harnessed the convenience and ease of operation offered by IoT. Industrial Internet of Things is expanding at a blistering pace. Utility industries, manufacturing, chemical, pharmaceutical as well as oils and gas are all adopting IoT systems. The systems include control and operational systems that monitor and control heavy industrial machinery. Heavy machinery connection and automation has been made possible. IIoT sensor data and analytics can be harnessed from these systems. The result is high efficiency and low downtime.
Unfortunately, the security risks that these systems are exposed to is enormous. Due to the nature of machinery being controlled, these systems are like ticking time bombs. Failure to patch with latest firmware, username and password infiltration, and other lax controls make these systems quite vulnerable. Hackers are lurking in the shadows waiting to pounce on any weak system. Schneider Electric announced a vulnerability in its Triconex controllers in December 2017. These controllers are used by millions across the world in safety systems. Schneider Electric said the controllers were vulnerable to the HatMan malware, that can directly or remotely interact with, and compromise a safety system.
The security of IIoT systems comprises of both cybersecurity and physical security. The system can be infiltrated from any physical device. Enterprises need to be aware of this aspect, and provide ample security both online and offline. For instance, none of the devices on an IIoT system should ever be on public internet. Clear access policies should be formulated. Everyone within the enterprise should know who has access to what. Such privileges and permissions ensure the right people are mandated to secure the IoT systems. Physical devices and their controls should be secured in strong locked cabinets, and alarms and CCTV cameras set up around them. If possible, remote access alarms should be set up. All these measures are to ensure there are no loopholes left for hackers to infiltrate the systems.
How to Approach IoT Security
IoT cyber resilience is achieved after a set of procedures and undertakings have been executed successfully. Through assessment of a whole system is the first step of examining its cyber resilience. The assessment should focus on identity and access management, IoT devices, incident response, and monitoring systems.
Risk assessment investigates the depth of the effects that would be caused by a security breach incident. If the risk is too much and the security cannot be guaranteed, it would be better to not have the IoT system. The assessment guides the formulation of a response plan. The response plan is a set of processes and procedures to be followed in response to an attack. Enterprises need to ensure their response plan is up-to-date and robust. Attack simulations can help gauge the suitability of a particular response plan.
One of the most crucial aspects of a response plan is the time frame. The plan needs to be executable as fast as possible. As mentioned earlier, IoT attacks or failures might pose health and safety risks to people. The faster the response plan can mitigate the situation or restore normalcy, the better. In the case of business enterprises, the plan should outline a clear plan towards asset recovery, and business continuity. All the procedures in the plan should be executable under any circumstances. Frequent review of the response plan is a crucial part of ensuring cyber resilience as well.
Asset Identifications and Management
IoT security is security to an enterprises’ assets as well. Asset management is therefore paramount, as far as IoT security is concerned. Identifying and mapping the IoT devices on a network is the first step towards establishing cyber resilience. If the identification is being conducted for the first time in a long period, there is bound to be a large inventory of devices that is unaccounted for. Identifying each of these devices will need a special approach. The aim is to ensure all the devices are identified so that they can be secured. Below are a couple of ways in which the identification can be conducted.
• Key stakeholders in both business and corporate functions need to be interviewed. This would be in a bid to understand the IoT-related project they are involved in.
• Forensic accounting can also help unearth IoT devices in a network. Capital and operating expenditure analysis will give leads to most of these devices.
• Network analysis, both active and passive, is the thorough-most method. It is very time intensive though. (DXC Technology advocates for this method).
• Active analysis involves software scans on the different subnets and sections of a network. Such scans interfere with the firmware of various devices on the network though. They might end up causing unanticipated failures in the devices. The scans are generally not recommended.
• Passive analysis involves installation of network probes. It is time-consuming, but it is safe and effective. The probes help technicians follow a network web stage by stage and identify all the devices on it, as well as network usage patterns.
Once the inventory of IoT have been noted down, risk assessment follows. Risk assessment is also an intricate process that need a clearly defined scope. Upon completion of the assessment, appropriate processes and policies should be formulated. Such policies should be able to mitigate the risk, as per the enterprises risk appetite. The processes should be interactive and recurrent to ensure the risks within new systems are detected and mitigated.
Identity and Access Management
Widespread use of IoT in an organization means high-level human-to-machine and machine-to-machine interactions. There need to be a clear outline of identity management and assertion. Organizations need to know what is in charge of which part of the network, and ensure zero possibilities of impersonation. Mutual authentication is a better means of identity management rather than the good old default usernames and passwords. Hardware-backed security credential can also be used as an extra layer of security.
The demand for public key infrastructures will be quite high after such changes. Scaling of this infrastructures is essential in order to handle the rising demand. The convergence of physical access controls made possible by developing management systems, and computer access controls are the best ways dealing with the inherent nature of IoT. There will be a correlation of actions and behaviors within the physical and virtual spaces of the system. It will ensure that only authorized operators have physical access to the devices.
It is important to also explore network access control and effective architectural designs. Network enclaves and flow-based software-defined networking allow some impressive architectural designs. The interaction of the IoT’s devices with the network will be limited and there will be an interactive way of managing a device’s access permissions.
After all the above systems are in place, an auditable secure action log by devices and operators will be required. The log should be well maintained to safeguard operations and information. It should be audited regularly as well.
Life-Cycle and Supply Chain Management
IoT will certainly last for a long time. Many enterprises are always looking to have hands-off interaction with the systems. However, the systems require continuous human support, management, and maintenance. Security is one aspect of these systems that cannot be dealt with in a hands-off manner. While purchasing IoT devices, enterprises need to ascertain that they are free from vulnerabilities and are secure from cyber-attacks. State of the art defense systems should be the main aspect to look for in any device. Technology innovation pose new threats every day. The devices should be updatable and adaptable to changing risks.
Update processes and procedures should be easy to follow, and secure as well. The mechanisms need to be part of an organization’s operations, so that they are executed when required. When the device starts operating, its behavior should be easy to monitor. Observation systems need to be in place. These systems should also be able to interpret the observations made. All connection to the device, both local and remote should be logged into a central system for monitoring and analysis.
IoT devices, just like any other physical device has a lifespan. They will need to be disposed at some point. Improper disposal is a security threat too. There has to be a protocol for disposing such devices. One of the most crucial undertakings should be to ensure all information on the device has been erased.
Before settling on any supplier, an enterprise needs to focus on security. The suppliers need to guarantee the security of the device for the period it will be in use. IoT devices collect, process, and send data around. Having trustworthy suppliers is therefore very essential. The organization need to be certain that the devices they get can only communicate the data within.
Incident responders are a combination of systems, and humans that should be able to determine whether an attack can cause failure, that could pose threats to life, or halt critical services. The effectiveness of an incident response system to and IoT attack is determined by how comprehensive and prepared it is for that particular attack. Preparedness means having fast executable procedures within a response plan. Documentation and drills should be conducted to ensure preparedness. DXC prefers an approach similar to that of firefighting. The response plan should seek to achieve the 3-core objective below, and in that order.
• Halt the Spread – The first steps should seek to stop the attack from compromising any more machines. The easiest way is to observe the pattern of the attack and anticipate which machines could be attacked next and disable them, or their connectivity.
• Prevent damage – In the course of disabling the systems, their safety should be a top concern. They should be disabled in a manner that does not cause damage or pose threats to people. The aim is to stop the attacker from executing dangerous commands within the compromised systems.
• Eliminate the threat – Once every part of the system has been secured safely, the attacker can now be dealt with. The cause of attack or failure can be removed and defense mechanisms implemented.
Enterprises need to ensure they have the capacity to deploy forensic resources effectively at a moment ‘s notice. IoT systems can be very challenging for forensic investigators. Some of the challenges faced include:
• Legacy systems – some of these systems may have decades-old equipment that would make it hard to conduct forensic analysis.
• Custom-designed architectures – IoT systems are custom-designed for their application and implementation. The design is often well understood by a few people within the organization. When there is a high staff turnover, lack of specific knowledge about the system might be a high hurdle during forensic investigations.
• Physical access – Large IoT system might be very widespread making physical access a big challenge.
• Unavailable or unhelpful logging – Security professional will find it difficult to work with IoT logs developed by engineers.
• Proprietary protocols – IoT protocol standards have not been fully established yet. As such, many people would not understand the exchanges that occur among the machines. Network communications analysis becomes very difficult.
• Inability to recreate – Duplicating IoT components is not possible. For instance, programmable logic controllers cannot be reimaged. Recovery from an attack therefore becomes a tedious and time-intensive process.
All these challenges can be dealt with, although there needs to be a proper response plan and preparedness. Any efforts made after machines have been compromised and shut down, or a lot of clients have been left standards, are in most cases futile.
In the face emerging technologies and innovations, security is a dynamic aspect. In any area of computing, installing a system correctly and leaving can never guarantee its security. There needs to be constant monitoring and updating. This helps identify vulnerabilities when they arise and deal with them in good time.
The monitoring and response processes and procedures on IoT systems is not a fully developed discipline yet. It is, however, necessary for an enterprise to tailor make one for themselves. Any new IoT system design should incorporate a monitoring and response system. Luckily, many modern devices used in IoT systems have defined behaviors and are relatively some to monitor.
The only challenge in the fast decision cycles required in IoT systems. IoT devices feature inherent safety imperatives. The duration between the time of an attack to the of response should be as little as possible.
When the safety-first outline by the three points above is implement. Decision cycles might be affected, as the circumstances can never be typical. Early detection by well-instrumented systems and rapid response should be prioritized at all times.
IoT continues to gain momentum in the business world. The scale of cyber security requirements is also bound to rise sharply. Cyber resilience should be a priority for any organization seeking to reap the benefits of incorporating IoT in their operations.
Below are 10 steps that a chief information security officer should take to ensure his IoT systems are secure.
1. The board of directors need to understand the security risks that face IoT systems. This understanding should make them ready to fund measures aimed at managing and managing the risks.
2. Integrating international security standards into the systems is important. Sectoral guidelines and government legislation should also be considered.
3. There needs to be a record of all IoT systems and their inventory
4. Frequent risk assessment on all the inventoried IoT systems is paramount. The assessment will allow mitigation policies and procedures to be formulated.
5. All IoT devices on the network should be identifiable and proper access and permission management policies are in place.
6. Only devices whose security can be ascertained and guaranteed should be used. These devices should be checked and updated regularly.
7. Only trustworthy suppliers should be engaged. The suppliers should offer support for the whole life cycle of an IoT system.
8. An incident response plan is very crucial. It should be reviewed and tested regularly.
9. All the devices on the IoT system should be visible to the monitoring systems, and any unusual behavior should be picked up immediately.
10. A safety-first approach to IoT incidents is always be exercised when responding to IoT incidents. There should be balance between the approach and rapid and effective action though.
Jack Fitzpatrick is an Information Security and Compliance Thought Leader with over 30 years experience. Along with speaking and writing, he enjoys spending time with his wife and children in Atlanta, Georgia. You can connect with Jack HERE