The Most Important IoT Security Considerations
Posted by Mike Kevin on May 28th, 2018
With technology making giant leaps, security has also become an important consideration. In the case of the Internet of Things (IoT), devices often collect the personal details of the user. Thus, there are security concerns that need to be addressed by various stakeholders. Though security has always been a concern due to theft of money and intellectual property, IoT adds new dimensions of public safety, productivity, environment, and many others. Owing to the intense rate of adoption of IoT and the latest IoT trends of leveraging technologies like cloud and mobility, security has gained greater importance.
Security is vital for anyone who wants to implement an IoT-type network in their business. The IoT app development company in Dublin has identified certain security points that need to be given due consideration while implementing IoT. All aspects are of equal importance, and a breach anywhere along the gamut from the data server to the remote device leads to failure. The major security points and their security considerations can be explained as follows.
Device or equipment
What is included: These are the physical devices or endpoints, such as the sensors, washing machines, smart meters, etc. that are connected to other devices or endpoints across the network. They collect/provide information about their associated environment or themselves.
Security issues: Devices and equipment used in IoT may have multiple weak points in their physical security, operating system security, data security, or network security. Devices are physically vulnerable to tampering and theft, which makes everything, including the operating system, local data, and network connections, accessible to the thief. In the worst scenario, the thief may even recover data and network configurations, usernames and passwords. This incurs expense as well as an outage. The device may also be taken offline temporarily and have malware planted on it before being put back. The user may be completely unaware that the device is compromised, because the real target may be other assets that can be reached by infecting the user's data centre or network through the malware.
Security considerations: Organizations need to adopt ways to secure devices and equipment by tightening best practices. Some of the ways for achieving this are:
- Ensure adequate physical security such as security guards, CCTV cameras, access cards, visitor logs, secure zones, etc. to prevent unauthorised access
- Disable connectivity with external devices like USB drives and enable usage only after review, scanning, and approval
- Disable direct internet access for sensitive devices/endpoints, when not needed
- Disable or block unused services such as open ports and insecure protocols
- Boot securely using keys and secure firmware
- Enable authentication support for the device when connecting
- Ensure that the firmware upgrades are secure and authenticated
- Use connection whitelisting rather than blacklisting
- Exchange keys securely
Gateway/hub and network/transport channels
What is included: The gateway includes the ethernet, wireless, Bluetooth, NFID, etc. that enable connectivity between devices and the outside world. The network facilitates connectivity and information transmission from devices/gateways. Some examples include IP networks, satellite networks, etc.
Security issues: Gateway and network security form the weakest link in the data transfer and communications chain in IoT implementations. Most hacks, cracks, and compromises are due to some network shortfall, as attacking the network is the least risky and most rewarding way to compromise data. Even virtual private networks (VPNs) are susceptible to man-in-the-middle (MITM) attacks, so just encrypting the network traffic does not make it 100% safe or secure.
- For gateway security, the organisation needs to ensure that the IoT/M2M gateway is secured from intrusions and malware by using appropriate mechanisms such as ACLs, IPS, filtering, etc.
- For network security, leverage appropriate security mechanisms such as IDS/IPS, firewalls, network ACLs, etc. that isolate segments bearing sensitive information. Check for the assurance certifications of the service provider, such as ISO 27001, SSAE/ISAE SOC reports, privacy seals, etc.
- For remote access security, only privileged users like administrators, clinicians, and maintenance personnel should be allowed access from outside the company network, and only with strong authentication (e.g. MFA). For regular employees, secure communication channels such as VPNs (S2S, C2S) should be used, and the access should be disabled when no longer needed.
- For WiFi communications security, secure configurations should be used, and encryption and authentication should be enforced.
Operating system (OS)
What is included: This includes the operating system used as the platform for the applications and devices.
Security issues: The OS is a very weak link in the entire security spectrum and is the prime target for hackers. OS security includes the use of filesystem encryption, patches, strong passwords, antimalware software, antivirus software, and intrusion protection monitoring. Hackers exploit vulnerabilities in OS code to own a system and bring it under the control of the malicious actor. As it most likely won't be possible to trace the date of the hack, it is not possible to restore from before that point. Moreover, the backups may not be old enough to perform a good restore. The amount of data lost and the time spent restoring the system from its crippled state to a fully operational one make OS hacks and compromises very costly.
- Be cautious, proactive, and paranoid to enhance the security of the OS.
- Reimaging or reformatting the OS and applications is needed to remove the malicious actor. There is no use relying on backups, as the compromised system may have been backed up for a long time before the compromise was detected.
- Keep systems safe and updated using services like Microsoft's Patch Tuesday, which provides a weekly patch bundle.
- Latest security patches need to be checked on a daily basis from software repositories provided by Linux distributions. These need to be grabbed, downloaded and installed using automated processes.
What is included: This is different from OS security as they are services that run on the OS and expose themselves via TCP or UDP (Internet protocol) ports.
Security issues: Leaving servers unpatched and unsecured leads to a large number of hacks and compromises, and encrypted communications are not 100% effective in preventing over-the-network hacks. The services behind these ports run with elevated (root) status and, when compromised, give successful hackers unlimited access to your system by dropping them to the root prompt.
- Have minimum servers or service access on your systems.
- Allow connectivity only from specific hosts, using the /etc/hosts.deny and /etc/hosts.allow files to secure ports on Linux hosts.
- Use firewall port address translation rules to manage the networks or hosts that may contact a particular system on a specific port number.
- Use the secure equivalents of certain protocols, if available.
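
How the /etc/hosts.allow and /etc/hosts.deny bullet above plays out depends on evaluation order, shown here as an added example (not from the original article): a simplified, IPv4-only model of TCP wrappers matching. The file contents, the `sensord` daemon name and the addresses are constructed.

```python
import ipaddress

# Constructed sample files: the same allowlist, with and without a default deny.
HOSTS_ALLOW = """\
sshd: 10.20.0.
sensord: 10.20.0.15, 10.20.1.0/255.255.255.0
"""
HOSTS_DENY_EMPTY = ""
HOSTS_DENY_DEFAULT = "ALL: ALL\n"

def _tokens(field):
    return field.replace(",", " ").split()

def parse_rules(text):
    """Return [(daemons, clients)] from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]   # ignore trailing options
        rules.append((_tokens(daemons), _tokens(clients)))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # "10.20.0." matches by address prefix
        return ip.startswith(pattern)
    if "/" in pattern:               # net/mask form
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern == ip

def rule_hits(rules, daemon, ip):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules)

def access(allow_text, deny_text, daemon, ip):
    """Order used by hosts_access: allow match grants, deny match refuses,
    and a client matching neither file is granted access."""
    if rule_hits(parse_rules(allow_text), daemon, ip):
        return "granted (hosts.allow)"
    if rule_hits(parse_rules(deny_text), daemon, ip):
        return "denied (hosts.deny)"
    return "granted (no rule matched)"
```

With an empty hosts.deny, an address outside the allowlist is still granted, so the allowlist only restricts access once hosts.deny carries `ALL: ALL`. TCP wrappers apply only to services built against libwrap or started through tcpd, so firewall rules are still needed for everything else.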
What is included: Data may be at rest in the form of stored data or in transmission as data in flight. This may include usernames, passwords, certificates, keys, configuration files, and actual collected data from remote sensors.
Security issues: The hacker may not be interested in the raw data itself, but the path it takes or the data it reveals may be the motive.
- Store data in an encrypted form such that the contents are jumbled to the extent that anyone who tries to collect, transfer, or decrypt it will get diminishing returns.
- Use multi-factor authentication for sensitive data transactions and transmissions.
Security is all about diligence, and lately, automated patching allows you to keep your security updated. The above security considerations in the context of IoT give you an idea of the extent of the security issues being faced. So, stay aware of the security issues that may turn up and be prepared for the actions you need to take.