IoT Security – a quick review of threats and solutions

With great power comes great responsibility – this classic tenet resonates ominously every time the rapid development of a technology outpaces the security it needs. Such is the case with IoT. As the market continues its insane growth – from 8.4 billion connected devices in 2017, the number is expected to reach 20.4 billion by 2020 – so grows the need to protect these systems.

In the wrong hands, malicious toolsets can become powerful enough to take down whole production plants that rely on extensive automation with IoT devices. It is estimated that IoT security spending will grow from a $703M market in 2017 to almost $4.4B by 2022.

Who Provides IoT Security?

The Internet of Things security market is young, and there are a number of innovative startups and renowned companies seeking to capitalize on the potential of the new tech.
Crypto Quantique is a UK-based company producing a quantum-driven secure chip (QDSC) – a solution which combines quantum physics and cryptography. It makes some lofty promises about its system, which can be offered as an integrated part of the development process or retrofitted in IoT devices. The chips, by harnessing the power of quantum processes, generate numerous unique, unclonable and tamper-evident cryptographic keys. Importantly, given IoT’s inherent limitations, there is no need to store the keys on the device, and there is no possibility of data leaks.
Cisco, the Internet of Things giant, focuses on data encryption as the foundation of IoT security. Their innovative solution uses elliptic curve cryptography and a fast Galois/Counter Mode authentication process.
Bayshore Networks offers active protection of IoT networks. Their automated Learning Engine sends timely alerts of possible threats.

BlueID is a company that provides a platform for secure, cloud-based identity maintenance and access control. What makes it perfect for Internet of Things is the fact that it works independently of the network: BLE, NFC, RFID, WiFi, or 2G/3G/4G.

Why Is IoT Security So Important?

IoT devices may be more susceptible to security threats than regular internet devices. There are a couple of reasons for that:
  1. Many points of exposure. The number of IoT devices, applications, systems and end users is growing exponentially, making it a very complex and vast system.
  2. Each Internet of Things device can be hijacked to become a new attack point. This translates to a higher probability of attacks.
  3. Increased impact of attacks: IoT devices are present in new areas where they interact with many different, often critical systems. Severity of attacks could range from damage to property to loss of life, e.g. in the case of hijacked IoT-enabled implants.
  4. New threats from across the stack: a complex technology stack means completely new threats (i.e. due to new hardware, communication protocols, and software elements). This requires constant oversight and knowledgeable maintenance.

Which Areas Should IoT Security Cover?

Considering the above, IoT security involves the seamless integration of three elements: secure devices working over secure networks, sending protected data.

Secure Devices

Because of the way Internet of Things systems are designed, some devices may need to operate unattended for very long stretches of time. And due to irregular updates and patches, such devices are more susceptible to attacks. Making sure they are tamper-proof and resistant to attacks is an important endpoint-hardening measure which involves a layered approach, i.e. implementing multiple obstacles designed to protect the device and the data it transfers from unauthorized access.
Companies operating IoT devices should be aware of known vulnerabilities, such as TCP/UDP ports, serial ports, open password prompts, places to inject code such as web servers, unencrypted communications, and radio connections.
It is also critical to carefully manage the identities of IoT devices to ensure trust when devices attempt to attach to a network or service.
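As an added illustration (not from the original article or from any vendor named in it), the sketch below shows one way a service can check a device's identity when it tries to attach: a single-use, time-limited challenge answered with an HMAC over a per-device key. The registry, device names, keys and the AttachVerifier class are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample identity registry: device_id -> per-device provisioned key.
REGISTRY = {"sensor-01": b"k" * 32, "pump-07": b"p" * 32}
REVOKED = {"pump-07"}  # constructed: identity withdrawn after decommissioning


def device_response(key, device_id, nonce):
    """Device side: prove possession of the key without sending it."""
    # The nonce has a fixed length, so device_id || nonce is unambiguous.
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()


class AttachVerifier:
    """Service side: issue challenges and verify attach attempts."""

    def __init__(self, registry, revoked=(), ttl=30.0):
        self.registry = registry
        self.revoked = set(revoked)
        self.ttl = ttl
        self.pending = {}  # device_id -> (nonce, issued_at)

    def challenge(self, device_id, now=None):
        # Always issue a nonce, so the reply does not reveal which IDs exist.
        issued = time.monotonic() if now is None else now
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = (nonce, issued)
        return nonce

    def verify(self, device_id, response, now=None):
        now = time.monotonic() if now is None else now
        entry = self.pending.pop(device_id, None)  # single use: blocks replay
        key = self.registry.get(device_id)
        if entry is None or key is None or device_id in self.revoked:
            return False
        nonce, issued = entry
        if now - issued > self.ttl:  # stale challenge
            return False
        expected = device_response(key, device_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


if __name__ == "__main__":
    v = AttachVerifier(REGISTRY, REVOKED)
    n = v.challenge("sensor-01")
    print(v.verify("sensor-01", device_response(REGISTRY["sensor-01"], "sensor-01", n)))
```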

Network security

Relevant network security measures for IoT should include: access control, firewall, IPS, IDS, and end-to-end encryption.
Networks to which IoT devices are connected should be secure, which involves implementing strong user authentication processes and access control measures. For example, workers should be encouraged to use strong passwords to protect against brute-force methods.
On top of that, organizations should use two-factor authentication, whereby a password is used alongside another authentication factor, e.g. a code provided to the user via a text message.
For IoT applications, it’s a good idea to use context-aware authentication (or adaptive authentication). This involves the use of contextual information and machine-learning algorithms to constantly evaluate risks without impacting the user’s experience.
Strong encryption should be in place as an additional layer securing networks against network-based attacks. Communications occurring between devices can potentially be hacked, and both IoT and IIoT involve a multitude of network protocols used at both the network layer and the transport layer.

Protecting the data

Companies also need to secure the data transferred to and from Internet of Things devices. Failure to protect sensitive, personally identifiable information may result in loss of business or financial penalties imposed by regulatory authorities.
People may be another weak link in ensuring protection of data. Strong security policies and comprehensive training programs should be in place for employees involved in the IoT/IIoT environment.

Summary

Although Internet of Things security is clearly becoming a priority, many device manufacturers or companies using IoT networks are not giving it enough consideration. When building systems and selling devices they don’t make sure their devices are patchable, which may render them non-compliant or completely obsolete from the security point of view.
Before investing in IoT networks, it is essential to evaluate the security capabilities of the devices in terms of security future-proofing.