IoT Security is going to matter in a big way soon enough, though the devices are small their impact is certainly bigger and the implementation of securing IoT has to be done at multiple levels to ensure that connected networks, data, systems and devices are protected. Let us look at some of the steps needed to implement.
Any one thinking of implementing IoT has an underlying concern how to make sure networks, data and devices are secure. Risk of IoT incidents has many data security, IT managers and networking managers worried that it would high impact. IoT devices are going to be present even in the most restrictive environments, thus the question, as per Industry experts isn’t if, but how you are going to allow these devices to connect to and interact with your networks, systems and data.
Big Question – How do we cope with this eventuality?
1. IoT security: small is big
When it comes to IoT, small becomes big and important. Organizations should focus on an aspect often neglected aspect of — the source code. The IoT devices by sheer size need that the footprint of the software is minimal and therefore source code is generally written in languages like C++, C#, therefore, rendering it is prone to problems like memory leaks or buffer-overflow vulnerabilities. Network resistance of such issues is low and provides an easy walkway for attackers.
These kinds of issues when it comes to a network become big and generally get overlooked while analysing security threats. The only way is to ensure that the code is well tested and more importantly, tested for security. There are testing tools also available in the market which help to test IoT devices. Additionally, one can use techniques like stack cookies or canaries to help build heuristics within the application to detect the stack overflow situations and to terminate on detection.
2. Device Aware Access Controls
In an IoT ecosystem, controlling access is quite a security challenge when the assets, products, people are all connected. Such control needs to be available at the network level. This calls for the organizational level identification, agreement and definitions of what are acceptable behaviors and activities that a particular class of objects connecting to the network, can perform. Thus it may not authorize one IoT device to access certain information of another IoT device.
Access controls for connected devices like connected assets and devices for Asset Tracking, connected process of process automation etc. within an organization where IoT systems are deployed is very crucial. Access to the network for these devices must be planned carefully. Thus a security system similar to that of Pub or a Bar where you are checked when entering inside but once you are inside then you are a free bird with complete access — is not going to work when designing access control standards for IoT networks. The access control will need to be much aware of what devices are together and what are the access or permissions being sought out in the context. Thus the context and devices together would define what is acceptable and what is not!!! Thus defining what is normal and acceptable helps build a baseline and it can be monitored for anomalies and exceptions so that the alarms can be raised before there is any damage done.
3. Identity Spoofing
Obviously the only way a hacker can stay in the game is by staying ahead. The fact the population of IoT devices is exponentially increasing so is the opportunities available for the hackers to gain access. Since these are new access points that are getting added into the network thereby for a hacker these are equal to as many vulnerabilities into the network.
One needs to plan access control policies, which are based on application context and possibly even specific to individual devices. The easiest way for a hacker, is to behave like the device by spoofing the identity of the device instead of try to hack in to the security implementation. It has, therefore, become very essential for organizations that the process of identification and authorization be, very smart to ensure there is no such kind spoofing happening. Thus it is needed to have organization-wide unique id for each device at least within in the organization.
4. Control connections for IoT devices
The ability of IoT devices should be limited by allowing them to connect using networked firewalls and device-specific access control. By ensuring that the IoT endpoint devices are never able to initiate network connections or to talk to internal systems (using bluetooth or WiFi or other protocols like ZigBee), the attacker will be severely limited in the ability to use IoT devices as a point of attack to hack into the network. Though this will not rule out attacks but it will definitely limit the ability of hackers to freely move within networks.
Another option available is by forcing that IoT should connect through proxies or jump hosts. This strategy allows the algorithms to inspect the network traffic coming from IoT devices or the ones sent to them. This way too one can establish a point of checking where one can check if this payload is supposed to be sent to the IoT device sent.
5. Network Segregation
Typical enterprise wireless networks need security to follow the WPA2-Enterprise/802.1x standard. The current wireless networks of IoT devices are not of this standard. It is therefore advisable not to mix both these networks. It is, therefore, better to put these devices on their own wireless network with only internet access available. This would need the creation of a virtual LAN and have the traffic routed through a firewall.
This is will also help in logically segregating the devices into areas or maybe some other logic division or grouping. Bluetooth Low Energy devices use a concept of a combination of major ID and minor ID. So, for example, if we have to segregate the network department wise, we could allocate a major Id to the department and minor id’s to all the devices within the department. So if a warehouse could have an id 5003, the device id could be 5003–001.
The above list of measures is not an exhaustive list or a sure shot method of prevent or avoiding an attack but definitely these measures will bring down the risk to a great extent.