Unlike other technologies, where security parameters are addressed before or in parallel with development, IoT has already been deployed, and only now have developers started discussing security concerns and the need for security in IoT.
Cyber hackers have transformed from a bunch of freelancers into professional teams that work from organized workplaces with all the modern equipment required for the business of professional hacking. The increase in financial fraud and in privacy breaches of well-known systems that were noted for their firewalls has shaken the stalwarts of the industry into rethinking security as a major concern and a prime threat to any ongoing business.
All IoT data thefts and privacy breaches were diagnosed long after the crime happened. This is a big challenge that all IoT stakeholders should understand, and they should bring in measures that provide hacking and data theft alerts immediately, to enable suitable action against the crime. Late notification means more vulnerability and more and more affected customers, which can be averted with early detection and immediate action.
There is no silver bullet that takes care of all cyber threats occurring in IoT (or, for that matter, in any ecosystem). Solutions for IoT need to be implemented at the beginning of deployment in anticipation of threats, during IoT operations as and when situations arise, and while building new devices or things. Like any other security solution, IoT will also need to keep a library of updates.
Today, due to the increasing number of cyber-crime attacks on networks, many security solutions are in place that provide software authenticity, protection of intellectual property, software verification technologies, data encryption, firewalls, access controls, etc.
Similar practices, with significant re-engineering, can be used for IoT. IoT is founded on lighter devices, lighter protocols, wavelengths, etc., and therefore the security solutions used also need to be lighter and occupy less space.
The approach security solution providers are taking to IoT is a bottom-up technique that secures the entire IoT cycle, from physical devices to data analytics. There will be stages, and the effort will be to secure each stage according to its type of operation and characteristics.
To secure the elements in IoT, a typical layered structure is considered, which exposes each layer, its functionality, and the measures to curb potential and future attacks at each level.
Securing Device: Securing a device through its entire lifecycle is one of the key solutions for avoiding further threats to IoT. There are various stages and steps through which a device can be secured throughout its lifecycle.
Secure Booting: Secure booting is one of the initial steps of securing a device. It is applied when power is first introduced to the device, to verify the authenticity and integrity of the software. This is done using a cryptographically generated digital signature. It is the foundation of securing the device and building trust in the first place.
Use Access Controls: Next to secure booting are access controls, which limit the privileges for using the device or provide role-based access control to users. These are built into the operating system as either mandatory or role-based controls. If any component is compromised, access control makes sure that the intruder has as little access to other systems as possible. Device-based access control mechanisms are analogous to network-based access control systems such as Microsoft Active Directory, and compromised information will remain limited to the credentials assigned to the access holder. The onus is on the network administrator to properly plan and execute access controls at the minimum possible levels.
Authenticate Device: A device authentication mechanism can be introduced before the device is plugged into the network to receive or transmit data. It is especially required when devices are not monitored under human control. Authentication allows a device to access a network based on credentials designed by the network administrator and stored in a secured storage area.
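One way the network side of such device authentication can work, shown as an added example that is not part of the original article: an HMAC challenge-response in which the device proves it holds its credential without ever sending it. The device id, the key and the 30-second challenge lifetime are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store: device id -> per-device secret key.
# On the device, the same key would live in its secured storage area.
DEVICE_KEYS = {"sensor-0042": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


def device_response(key, device_id, nonce):
    """Device side: prove possession of the key without transmitting it."""
    return hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class Gateway:
    """Network side: issues challenges and admits devices that answer correctly."""

    def __init__(self, keys, clock=time.monotonic):
        self.keys = keys
        self.clock = clock
        self.pending = {}  # device_id -> (nonce, issued_at)

    def challenge(self, device_id):
        """Issue a fresh random nonce; only one challenge is outstanding per device."""
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = (nonce, self.clock())
        return nonce

    def admit(self, device_id, response):
        """Return True only for a correct, unexpired, first-time response."""
        entry = self.pending.pop(device_id, None)  # single use, so replays fail
        key = self.keys.get(device_id)
        if entry is None or key is None:
            return False
        nonce, issued_at = entry
        if self.clock() - issued_at > CHALLENGE_TTL:
            return False
        expected = device_response(key, device_id, nonce)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)
```
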
Use regular updates and Patches: A regular supply of software updates and patches helps the device to be less vulnerable to newer threats developed by hackers. While developing updates and patches, administrators should take some care. IoT devices number in the thousands and are tiny to small objects, so it is advisable to develop updates and patches that will not break these devices or stop them working in order to update. Most devices have a key role in mission-critical functions and cannot afford to be distracted from that activity. Also, updates and patching should use limited bandwidth sparingly, avoid problems caused by the irregular connectivity of an embedded device, and absolutely eliminate the possibility of compromising device functionality.
Adding firewalls and IPS: Devices use different protocols to communicate with each other. These protocols differ from common IT protocols and vary by application and by vendor. This is where industry-specific protocol filtering and deep packet inspection capabilities become necessary, to identify malicious payloads hidden in non-IT protocols. This is especially needed for devices situated in remote or inaccessible places, to filter the specific data destined to terminate on that device while making optimal use of the limited computational resources available.
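As an added illustration (not from the original article), the filter below inspects requests for one industrial protocol, Modbus/TCP, which is an assumed choice since the article names no protocol. The allowlist policy (unit id, function codes, register window) is constructed for illustration; anything malformed or outside it is rejected.

```python
import struct

# Assumed policy for one remote device (constructed for illustration):
# read-only access, a single unit id, and a small register window.
ALLOWED_FUNCTIONS = {0x03, 0x04}   # Read Holding Registers / Read Input Registers
ALLOWED_UNIT = 1
REGISTER_WINDOW = range(0, 64)     # register addresses the device exposes
MAX_QUANTITY = 125                 # protocol limit for one register read


def inspect_modbus_request(frame: bytes):
    """Return (allowed, reason) for a single Modbus/TCP request frame."""
    if len(frame) < 8:
        return False, "truncated MBAP header"
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return False, "not Modbus (protocol id != 0)"
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        return False, "length field does not match payload"
    if unit != ALLOWED_UNIT:
        return False, "unit id not permitted"
    function = frame[7]
    if function not in ALLOWED_FUNCTIONS:
        return False, f"function 0x{function:02x} not permitted"
    if len(frame) != 12:
        return False, "malformed read request"
    start, quantity = struct.unpack(">HH", frame[8:12])
    if not 1 <= quantity <= MAX_QUANTITY:
        return False, "quantity out of range"
    if start not in REGISTER_WINDOW or start + quantity - 1 not in REGISTER_WINDOW:
        return False, "register range outside window"
    return True, "ok"


def build_request(unit, function, data, tid=1):
    """Construct a sample request frame (MBAP header + PDU) for testing the filter."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
```
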
Using Secure Communication Protocols
IoT sensors and sensing devices are connected through various types of protocols. Securing these protocols helps secure sensing devices against vulnerabilities.
A cryptographic protocol, or encryption protocol, is an abstract or concrete protocol that applies cryptographic methods, such as sequences of cryptographic primitives, to perform security-related functions.
Some commonly used communication protocols in IoT use various mechanisms to secure themselves.
- The ZigBee Alliance is a non-profit association of organizations that creates open, global standards that define the IoT for use in consumer, industrial and commercial applications. ZigBee was conceived in 1998, standardized in 2003 and revised in 2006. It is based on IEEE 802.15.4, which operates at 2.4 GHz.
ZigBee devices transmit data over distances of 10 to 100 meters, depending on power output and environmental characteristics. However, ZigBee devices can transmit data over long distances by passing it through a mesh network of intermediate devices.
ZigBee networks are secured by 128-bit symmetric encryption keys and are typically used in low data rate applications that require long battery life and secure networking. ZigBee has a defined rate of 250 kbit/s, which is best suited for intermittent data transmissions from a sensor or input device.
- A Wi-Fi network is secured by configuring the network name (SSID) and the latest security technology, Wi-Fi Protected Access 2 (WPA2), for the gateway and client devices on the network. Almost every new-generation Wi-Fi certified device implements WPA2. Other methods include the use of AES, TKIP and WEP encryption and EAP methods for layer-2 authentication.
- Bluetooth and BLE are secured by using secure pairing, enforcing authentication of Bluetooth devices and turning off discoverable mode when it is not required.
- IPv6 over low-power wireless personal area networks (6LoWPAN) protocols are secured with 802.15.4 link-layer encryption and Access Control Lists (ACLs).
- Cellular communication protocols such as GSM and 3G use a cipher key generating algorithm and generate an integrity key. GSM also uses an authentication algorithm (A3) to protect against unauthorized service access, and to avoid intrusions GSM uses the Temporary Mobile Subscriber Identity (TMSI). 3G uses USIM authentication for a secure connection.
Securing and Protecting Data
Securing and protecting sensitive data and private information is mandatory for an IoT business and is the key to running it successfully. Data generated in IoT can be divided into two broad categories: sensitive data, and not-so-sensitive or general data. Not all data is equally sensitive or general, so IoT companies have to specify this in their policy, with a clear demarcation and a definition of what sensitive data means. In almost every country, medical records, financial information and personal information are treated as sensitive data. There are also compliance regimes such as the Health Insurance Portability and Accountability Act (HIPAA), the payment card industry (PCI), etc., which have strict privacy policies.
To secure data against breaches and hacking, experts suggest stringent measures such as authorization, authentication, encryption and password protection. Encrypting data and giving due diligence to securing data in storage, from CPUs to datacenters, is of the utmost priority, as any one unprotected computer at work can open an avenue for hackers to all computers and storage in the network.
The nature of an IoT setup is prone to providing open gateways to hackers at various points. Thus, to protect data, IoT users need to develop a verified chain of trust. For this, experts suggest the use of various security mechanisms and protocols, including a Public Key Infrastructure (PKI) system for securing communications between Internet-connected devices, Secure Socket Layer (SSL) protocol implementation for IoT to encrypt communication over the network, Transport Layer Security (TLS) and lightweight advanced cryptography. Build strong access control over all data during capture, transit and storage.
Most of the time companies assume that data is safe in their internal storage; however, any one open computer in a network can help hackers reach internal storage, and thus securing data at rest is as important as securing data in transit, using logical and physical access control.
Convergence of IT and OT Security Policies
The convergence of Operational Technology (OT) with IT has been on the cards for some years. Still in early adoption, the concept is accelerating across various industry sectors. In the past, IT and OT were treated as two distinct domains of a business. OT is used to control, monitor and operate physical devices, processes and events in the enterprise. IT was focused on managing and processing information and communication within the enterprise.
Developments such as virtualization, software-defined infrastructure and cloud services have blurred the difference between the two distinct technologies, and experts in the industry have started thinking of bringing them closer so that they converge.
IoT is one of the great enablers for making this convergence practical. IoT enables applications that require both IT and OT to perform. OT is static and IT is dynamic in nature, and IoT is the combination of both.
There are certain reasons why IT and OT convergence is necessary for IoT.
Rapid changes in Infrastructure Technology
In the past, investments in IT infrastructure were made with long-term usability in mind, such as 15-20 years; today, however, the pattern is changing. Infrastructure needs are becoming flexible and scalable to suit dynamic workloads and shifting business priorities. The emergence of virtual infrastructure and software-defined everything has changed the definition and process patterns of OT, and the patterns are shifting in line with IT.
Increased demand for connectivity
Instant access to information is the priority and the key feature demanded by consumers globally. Consumers take it for granted. Over the past decade the number of internet users has exploded; data transmission in the form of text, audio and video has increased a thousandfold compared with a decade ago; and OTT, social media, gaming and the increasing number of smartphones and tablets have together changed the standards of connectivity. In IoT, the business is based on connectivity and timely delivery of data to its destination. This is another prime cause of the convergence of OT and IT.
Standardization of Network Security Policies
Standardization, or bringing company security policy onto a single platform to run IoT, is necessary for any enterprise. Today, Operational Technology (OT) and Information Technology (IT) lack commonality and synchronization in many enterprises. Networks in OT are always considered to be isolated and distributed. The security is also distributed rather than centralized. Therefore there is a lack of standardized security protocols for OT. One will need to consider this fact during the convergence of IT and OT for IoT.
Securing Mobile Device and Mobile Applications
Smartphones and tablets are the most used mobile devices in IoT. They are ideal as a control hub and as a communicator between things and the cloud. Mobile devices are used to generate and give commands to connected devices, and they also connect to the cloud to send data for further storage and processing. This is done by downloading the appropriate application onto the smart device.
This makes the security of mobile devices and mobile applications a priority. Security experts are now becoming more serious about securing mobile devices than they have been. IoT has changed the way mobile devices were designed to operate a few years ago. Today mobile devices have proven their importance and usability in IoT, and therefore the current security standards used for mobile devices will soon become obsolete.
On a mobile device, the applications, the device and the operating system are vulnerable to attacks by hackers, and IoT exposes the mobile device to a network of interconnected devices, adding to the difficulty of, and the need for, securing mobile devices, the cellular and IT protocols used in them, and the applications downloaded and used by them.
It can start with the simple step of setting a Personal Identification Number (PIN) on the mobile device. The next steps are updating security software in a timely manner and leveraging security functions such as encryption, adding a password to Wi-Fi, keeping Bluetooth off when not in use, taking due care while downloading third-party applications from SSL/TLS websites, and adding remote wipe and lock. In future we can see
However, there is a need for serious effort and focused security solutions for mobile devices, as current security standards will not help mobile devices cater to the growing IoT business.
2014 was a bad year for cloud services when it comes to security. Hackers focused on clouds and targeted high-profile companies including Apple, Sony, Samsung, etc. But experts say it was nothing compared with what we should expect in 2015. Clouds have become a hacker’s paradise, and there is a serious need to look into tightening security around clouds.
Experts in cyber-security are researching possible threats, challenges and solutions for securing cloud data. Clouds are the main resource for IoT to store data and to run third-party applications such as Big Data analytics, measuring events, sending and receiving commands and data, etc.
Various measures are taken to secure the cloud. Some of the key security implementations are: developing access control lists (ACLs) to define the permissions attached to data objects; adding encryption at the transport layer to protect data in transmission; including web application firewalls to protect against intrusion from outside; encrypting storage to avoid malicious attacks; and, to avoid vulnerabilities in operating systems and software, providing security such as server hardening and controlling physical access through authentication and passwords.