Nuclear facilities can be damaged overnight by compromising IoT infrastructure.
We have already seen an early avatar of this in the form of Stuxnet.

The Internet of Things is a revolution that has suddenly captured our
imagination. As a technology, IoT is unique since it has a role to play
in the consumer, enterprise and industrial worlds. At the consumer level,
the adoption of IoT for areas including home monitoring & control,
wearable tech, and connected cars has already started. At the enterprise
level, building management, fleet management, hospital management,
retail, telecom, and energy sectors are already adopting it for various
benefits.

Not all of IoT is new. Operational technology (also called Industrial
IoT) has long been adopted by Power Grids, Oil & Gas, Utilities, Nuclear
Plants and Traffic Control. So, in the industrial world, there are more
benefits accrued with increased connectivity between SCADA networks and
IT. IoT facilitates integrating the physical world with the virtual to
implement use cases with immense benefits. Life-saving devices embedded
in the human body and managed from outside without the need for complex
surgical procedures are one such example.

Ubiquitous use of a technology in wide-ranging areas brings forth risks
that range from significant to catastrophic. Nuclear facilities can be
damaged overnight by compromising the IoT infrastructure. We have already
seen an early avatar of this in the form of Stuxnet.

Similarly, nation-state attacks are expected to target IoT used in power
grids and other utilities. Smart cities can get paralyzed in minutes if
the IoT infrastructure that automates the processes here gets
compromised. IoT risks are complex since the IoT technology stack has
many new components including IoT sensors, protocols, gateways, and
management platforms.

In addition to this, IoT uses many leading-edge technologies including
cloud, mobility, and big data. IoT security therefore includes many new
risk areas that the cybersecurity industry is still learning to resolve,
including cloud & mobility. As an example, there are many IoT protocols
in the market today including Zigbee, CoAP, Advanced Message Queuing
Protocol (AMQP), Digital Data service (DDS), and Message Queue Telemetry
Transport (MQTT).

These protocols are either new or derived for IoT from an earlier version
used for generic purposes. As a result, they are vulnerable unless
special effort is taken to secure them. Zigbee is an extensively used IoT
protocol, though it was originally conceived for low-power wireless use.
Users can easily search for and get tools to crack the Zigbee protocol
(http://tools.kali.org/wireless-attacks/killerbee).

IoT management platforms, on the other hand, have web interfaces and
related protocols enabled. Therefore, they are exposed to common web
application attacks. The impact of such web-based attacks on an IoT
management platform is high since it can be used to subvert millions of
sensors for a malicious purpose. Imagine the impact of power grid sensors
being taken off the grid by a successful web-based attack on the IoT
management platform.

Securing the IoT world means securing the different components on which
the IoT solution is built. This includes the cloud that it leverages, the
IoT protocols & sensors which are part of the solution, the related IT
infrastructure, and mobile devices that act as sensors.

One of the bigger challenges in securing IoT is the changes required in
the IoT sensors and protocols, which have evolved from more functional
requirements. By design, they are not built with security features. The
processing power and capacity of these sensors do not provide us enough
room to build security features. So, we are often left with trying to
build a fence around the sensors, which is not easy given the scale of
millions of sensors that could be involved in a specific IoT solution.

At a tactical level, every IoT project can follow these security measures:
o Build security into IoT architecture with relevant components:
  Doing so will provide around-the-box security until IoT protocols can
  be secure by design. This requires adhering to fundamentals including
  authentication, access control, and encryption.
o Build monitoring controls at different levels:
  This step covers IoT gateways, the IoT management platform, IT
  infrastructure, and cloud monitoring to ensure that attacks are caught
  early.
o Detailed security assessment and penetration testing:
  These tests are imperative for a secured IoT infrastructure before
  roll out and on a periodic basis.
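
The first measure above names authentication, access control, and encryption; the following added example (not from the original post) checks an MQTT broker configuration for all three. It assumes the Mosquitto broker, which the post does not name, and both sample configurations and their file paths are constructed for illustration.

```python
# Added example: Mosquitto is an assumed broker; configs and paths are constructed samples.
WEAK_CONF = """\
listener 1883
allow_anonymous true
"""
HARDENED_CONF = """\
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
"""
TLS_KEYS = {"cafile", "certfile", "keyfile", "require_certificate"}

def parse_conf(text):
    """Split mosquitto.conf text into global options and per-listener TLS options."""
    glob, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            current = {"port": (value.split() or ["?"])[0]}
            listeners.append(current)
        elif current is not None and key in TLS_KEYS:
            current[key] = value
        else:
            glob[key] = value
    return glob, listeners

def audit(text):
    """Return (control, finding) pairs for authentication, access control, encryption."""
    glob, listeners = parse_conf(text)
    findings = []
    # Require an explicit setting: the default differs between broker versions.
    if glob.get("allow_anonymous") != "false":
        findings.append(("authentication", "allow_anonymous is not set to false"))
    elif "password_file" not in glob and not any(
            l.get("require_certificate") == "true" for l in listeners):
        findings.append(("authentication", "no password_file or client certificates"))
    if "acl_file" not in glob:
        findings.append(("access control", "no acl_file restricting topics"))
    for l in listeners:
        if not ("certfile" in l and "keyfile" in l):
            findings.append(("encryption", f"listener {l['port']} has no TLS certificate"))
    return findings
```

Calling audit(WEAK_CONF) reports one finding per control, while audit(HARDENED_CONF) returns an empty list.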

At the macro level, securing IoT infrastructure requires collaboration
between industry, academia, and government for a "secure by design" roll
out of IoT protocols. Such initiatives are still at nascent stages but
have started. As an example, OWASP published the top ten IoT issues to
consider. There should be certification of the safety of IoT products
and components from central authorities backed by government. This can
be treated very similarly to the car safety and certification that we are
all used to. The IoT security movement has started, but there is still a
long way to go. The good news is that we can still do things to enhance
the barrier to attacks while we wait for industry to accelerate the act.