IoT Security is going to matter in a big way soon enough. Though the devices are small, their impact is certainly bigger and the implementation of securing IoT has to be done at multiple levels to ensure that connected networks, data, systems, and devices are protected. Let us look at some of the steps needed to implement them.
Anyone thinking of implementing IoT has an underlying concern about how to make sure networks, data, and devices are secure. The risk of IoT incidents has many data security, IT managers, and networking managers worried that it would have a high impact. IoT devices are going to be present even in the most restrictive environments. Therefore, the question, as per industry experts, isn’t “if,” but “how” you are going to allow these devices to connect to and interact with your networks, systems, and data.
The Big Question: How do we cope with this eventuality?
1. IoT security: small is big
When it comes to the IoT, small becomes big and important. Organizations should focus on an often neglected aspect — the source code. IoT devices by sheer size need that the footprint of the software be minimal and therefore the source code is generally written in languages like C++ or C#, which means it is prone to problems like memory leaks or buffer-overflow vulnerabilities. Network resistance to such issues is low and provides an easy walkway for attackers.
These kinds of issues when it comes to a network’s becoming big and generally gets overlooked while analyzing security threats. The only way is to ensure that the code is well tested and, more importantly, tested for security. There are also testing tools available on the market that help to test IoT devices. Additionally, one can use techniques like stack cookies or canaries to help build heuristics within the application to detect stack overflow situations and terminate them on detection.
2. Device-Aware Access Controls
In an IoT ecosystem, controlling access is quite a security challenge when the assets, products, and people are all connected. Such control needs to be available at the network level. This calls for organizational level identification, agreement, and definitions of what are acceptable behaviors and activities that a particular class of objects connecting to the network, can perform. Thus, it may not be possible for one IoT device to access certain information from another IoT device.
Access controls for connected devices like connected assets and devices for Asset Tracking, the connecting process of process automation, etc. within an organization where IoT systems are deployed are very crucial. Access to the network for these devices must be planned carefully. Thus, a security system similar to that of a pub or a bar where you are checked when entering inside, but once you are inside, you are a free bird with complete access, is not going to work when designing access control standards for IoT networks.
The access control system will have to be very aware of what devices are present and what access or permissions are being sought in the context. Thus the context and devices together would define what is acceptable and what is not!!! As a result, identifying what is typical and acceptable aids in the creation of a baseline that can be monitored for anomalies and exceptions, allowing alerts to be raised before any damage is done.
3. Identity Spoofing
Obviously, the only way a hacker can stay in the game is by staying one step ahead. The fact that the population of IoT devices is exponentially increasing means the opportunities available for hackers to gain access are also increasing. For a hacker, since these are new access points that are being added into the network, for a hacker, they are equal to the number of vulnerabilities in the network.
One needs to plan access control policies that are based on application context and possibly even specific to individual devices. The easiest way for a hacker is to behave like the device by spoofing the identity of the device instead of trying to hack into the security implementation. It has, therefore, become very essential for organizations that the process of identification and authorization be, very smart to ensure there is no such kind of spoofing happening. Thus, it is needed to have an organization-wide unique id for each device, at least within the organization.
4. Control connections for IoT devices
The ability of IoT devices should be limited by allowing them to connect using networked firewalls and device-specific access control. By ensuring that the IoT endpoint devices are never able to initiate network connections or talk to internal systems (using Bluetooth, WiFi, or other protocols like ZigBee), the attacker will be severely limited in their ability to use IoT devices as a point of attack to hack into the network. Though this will not rule out attacks, it will definitely limit the ability of hackers to freely move within networks.
Another option available is to force the IoT to connect through proxies or jump hosts. This strategy allows the algorithms to inspect the network traffic coming from IoT devices or the ones sent to them. This way, too, one can establish a point of check where one can check if this payload is supposed to be sent to the IoT device.
5. Network Segregation
Typical enterprise wireless networks need security to follow the WPA2-Enterprise/802.1x standard. The current wireless networks of IoT devices are not of this standard. It is therefore advisable not to mix both of these networks. It is, therefore, better to put these devices on their own wireless network with only internet access available. This would require the creation of a virtual LAN and having the traffic routed through a firewall.
This will also help in logically segregating the devices into areas or maybe some other logic division or grouping. Bluetooth Low Energy devices use the concept of a combination of a major ID and a minor ID. So, for example, if we have to segregate the network department-wise, we could allocate a major ID to the department and minor IDs to all the devices within the department. So if a warehouse could have an id of 5003, the device id could be 5003–001.
The above list of measures is not an exhaustive list or a sure-shot method of preventing or avoiding an attack, but definitely, these measures will bring down the risk to a great extent.