Your Company’s IoT Journey: A Security Primer
Your Company’s IoT Journey: A Security Primer
September 24th, 2020
Many companies are considering implementation of IoT solutions to improve operations by tracking inventory, improving customer interaction, or monitoring energy usage. IoT solutions consist of devices that communicate on a network, such as cellular or Ethernet. The devices must send data to backend platforms to be useful. Just as cybersecurity is a concern for typical corporate systems such as servers, laptops, and corporate networks, security should also be a priority for IoT solutions.
When planning an IoT solution, the following questions can help identify potential cybersecurity risks.
Is the IoT device protected from physical tampering?
An IoT device is part of your company’s operations and should offer protection from unauthorized physical access. Whether an IoT device is publicly accessible or located inside a controlled facility, they should be designed for tamper resistance. Determine if the device has the following:
- Tamper-resistant case make opening a device difficult or impossible
- Tamper-evident seals provide indication of attempted unauthorized access
- Unused physical connectors should be physically blocked or logically disabled
Have default usernames and passwords been changed?
Some IoT devices have the same default password for each device of the same type. Default manufacturer’s passwords are an entryway for hackers and have been the root cause of many device infections. Infected devices can become part of a botnet and used by hackers for attacks against specified targets. Malware can also permanently disable devices. These unusable devices must then be replaced at a considerable cost.
- Choose devices that have a unique default password from the manufacturer
- Change all default passwords and use a complex passphrase if possible
Do you have a plan for a device inventory?
Whether your IoT solution supports thousands of IoT devices or just a few, maintaining an inventory is critical for lifecycle management. Just as a business keeps an inventory of equipment, such as forklifts, trucks and computer systems, any company deploying IoT devices should track them. Here are a few basic parameters that should be maintained for every device.
- Device type
- Device documentation
- Deployment date to track end of life for device and/or battery
- Patch level for firmware
- Device location
Have the applications and firmware been tested to identify cybersecurity vulnerabilities?
IoT devices include firmware, operating systems, and applications. Just as a computer, server, or laptop needs to be secured, so do IoT devices. Security testing looks for known vulnerabilities in the application and firmware, including open source software. Testing can determine if the system is hardened, with unnecessary services and capabilities turned off. Security testing also looks for stored keys, passwords, hashes, and certificates that might be used by an attacker.
- Ask the device manufacturer to provide results of security testing done by an internal or third-party security tester
- Ensure that all unnecessary services are shut down
- Verify that the firmware and application is updated with all applicable security patches
- Verify that any open source software is up-to-date and still supported
- Check that the firmware has no hardcoded secrets
- Understand the device manufacturer’s approach to security patches
How is your IoT device connected to your company?
Often IoT devices support simple connectivity over the public Internet. This type of connection, without the use of a secure gateway, is risky. In particular, applications that require connecting to the device from the Internet can expose devices to hackers, who constantly scan IP addresses to identify possible infection targets. Private connectivity is more secure than the public Internet.
- Avoid connections to the public Internet where possible
- Use private connectivity, such as a Virtual Private Network where possible
- If the device connects to the cloud, makes sure data is encrypted in transit and at rest
- Use a security mechanism, such as a gateway, to separate the IoT device connection from less secure networks
Does your device require a connection to the public Internet?
Avoiding direct connection to the public Internet is the best security practice. However, when connection to the Internet is unavoidable, other techniques can be used to improve security. Outbound only Internet connections are preferable to avoid common threat vectors caused by inbound traffic. Security can also be improved by limiting access to only trusted sources, such as through the use of a whitelist.
- Restrict connections to the device from the Internet
- Only allow communication initiated from the device and directed out to the public Internet
- To manage the device, applications should use techniques to establish an Internet connection from the device such as message tap, cloud registration, or a scheduled check in
- Public Internet connections should be secured by allowing only trusted sources to connect to the device
Does your IoT device need to be updated over the network?
The proposed IoT solution should consider how IoT devices will receive any required firmware and application updates. The process for updates is often directly tied to how the device communicates with the source of any updates. Some updates may be required to fix vulnerabilities in the firmware and applications. Device manufacturers must have processes to track vulnerabilities for device components, notifying customers about vulnerabilities, and providing updates and patches.
- Understand how firmware will be updated on the device
- Understand the mechanism for updating or patching the application
- Ensure that the source for updates can be trusted
How does your IoT solution allow users to authenticate to a device?
Your IoT solution is an extension of your company. Access to the IoT solution should be controlled, just as access to other network connected assets should be controlled. Consider how users and services authenticate to IoT devices and applications.
- Ensure the solution supports authenticated access
- Use pre-shared keys for authenticated access where possible
- Use certificates to establish encrypted network sessions where possible
Does your IoT data require protection?
The data generated by your IoT device is your data, so be sure to protect it. Consider the data being collected by your IoT devices and how vital that data may be to your company. Also consider how the data might be used by someone with bad intentions.
- Classify your IoT data to determine which data may need to be protected
- Determine if sensitive data is stored on the IoT device
- Determine if sensitive data is stored in the cloud or in a multi-tenant environment
- Investigate privacy regulations and comply with regional directives
Do you have a plan for monitoring your IoT Devices and your IoT solution?
Monitoring IoT devices includes determining if the device is behaving as expected. Detecting unusual behavior from a device implies that a baseline of normal activity must be established. Monitoring can include tracking usage and communication patterns, such as frequency of data transmission.
- Ensure that your solution includes a method or tool to monitor device activity
- Ensure that your solution includes tools to detect anomalous network activity
- Ensure that your solution includes methods to detect anomalous application activity
IoT solutions can be effectively used to improve operations of many companies. Because IoT technologies have become more cost effective and accessible, their use is growing significantly. IoT solutions can be implemented in ways that limit risk while realizing benefits. The questions above can serve as a security primer for those considering or planning an IoT deployment. Time to get started on your IoT journey.