In part 1 of this blog series we covered how the IoT (Internet of Things) creates a vast multi-point attack surface that can be the Achilles heel of connected devices, potentially revealing personal information when they are not properly secured. IoT device connections will grow from 8 billion in 2017 to 27 billion in 2025. This rapid growth of IoT devices must be met with “security by design” to secure sensitive information. Business and security executives must also realize that they absolutely cannot put data managed by their IoT and business systems — especially customer personal data — at risk by using poorly developed hardware and software solutions. This blog post will examine IoT vendor security practices—or the lack thereof. We’ll also look at three ways to secure IoT devices. Lastly, we will cover oversight when using professional services to secure your IoT environment.
Security Needs to be Embedded in IoT Devices
As a consumer, you really have little control over IoT device security except to choose your vendor with an eye on their security practices. The companies you are dealing with must earn your trust. People trusted Facebook, of course, and the company ended up violating that trust. People make assumptions about the devices they purchase and how they are used. Alexa is another good example. People are amazed to learn that Alexa records conversations, yet they expect the device to respond every time they say “Alexa.” How can this be achieved unless it’s recording all the time? The question is: what does Amazon do with this “other” data? Do they receive, store, and process it properly? Sometimes a device’s functionality is left in the hands of application developers to decide, so that’s another potential security hole. Sometimes it’s blissful ignorance, which appears to be the case with Facebook – “Why yes, we collect your personal information, but we didn’t anticipate someone doing that with it.”
Supply Chain Vulnerabilities Affect IoT
Another major arena to consider when securing your IoT infrastructure is the supply chain that coexists with your information systems. Cybercriminals can intrude into your environment through an outside partner or a third-party vendor who has access to your network, systems, and data through their sensors and devices — remote monitoring of HVAC is a classic example. Consider also that most devices are manufactured in several different parts of the world: organizations in the United States have been infiltrated by supply chain attacks where a foreign government was able to compromise a manufacturer by placing “additional computing equipment” into a device. The “additional computing equipment” was used to exfiltrate classified information. The lesson is to work with trusted vendors who stand behind their own manufacturing supply chain.
What Can You Do About IoT Security?
Put pressure on manufacturers and vendors. The truth is IoT vendors will only invest in security if the market demands it. Facebook didn’t invest very much in the security of data, and as a result they are paying the price in loss of trust instead. But I bet the budget just opened up to secure all the data they manage. If customers aren’t asking the questions, and if regulators aren’t setting rules, do you think companies will spend money on securing these types of devices? So, demand transparency, demand security, ask questions, and push manufacturers and software developers to do better. If a manufacturer is reading this article, I would recommend focusing on:
- Scrutinizing supply chain security
- Securing software development practices
- Designing and building security into devices
- Implementing encryption to secure communication channels
- Testing and validating security
- Utilizing Trusted Computing Group standards (the group was formed by AMD, Hewlett-Packard, IBM, Intel and Microsoft) to ensure that trusted computing concepts are employed across all personal and mobile computers and all network-connected devices
Build Security into Devices Being Deployed and Managed
While security features are often built into devices, they may not be turned on by default. When most people buy an IoT device they are happy just getting it connected and working. They aren’t concerned about securing the device by turning on encryption, changing passwords, etc. Here is where you can truly make an impact—make sure you enable the security features that come with your devices. Wireless systems like Z-Wave, for example, have the ability to encrypt communications, but since it’s an extra installation step and it complicates the setup, some people don’t bother. A big mistake. Facebook supports two-factor authentication, but how many people have it turned on? That’s an easy way for your account to be taken over by a bot. There are a lot more controls around these devices from a business and critical infrastructure standpoint, such as:
- Segmenting IoT devices from business systems
- Keeping security patches up to date
- Logging and monitoring for intrusions
- Implementing authentication and access controls
Security When Using IoT Devices
The next step in the process is how you use IoT devices. To use the Hillary Clinton example, you could have the most secure server in the world, managed by the most secure people in the world, and if you do something stupid… well, you do something stupid. You need to ensure there are appropriate procedures in place. Not a big deal with home-based IoT and battling your wife and kids over the TV remote—which is now in everyone’s hands on their iPhones.
But let’s play out a scenario for critical IoT devices, where humans and artificial intelligence systems compete to make changes. A fighter jet crashed a few years ago when the computer overrode the pilot’s inputs. Later it was determined that icing had stopped air flow to sensors, so the computer thought the aircraft was stalling when in actuality it was flying correctly. The computer made the wrong choice, based on inaccurate data. We can build secure systems, but ultimately we must think through the use cases for every type of IoT device and make sure the people using the systems understand the consequences of relying on potentially fallible data.
Oversight for Professional Services for Deployment
I would treat IoT like any other IT investment. “Security by design” should be mandatory when evaluating a potential IoT platform. In fact, it should be demanded. And no, “DoD (Department of Defense) grade encryption” is not the answer to security. Reputable vendors will have, in addition to their installation guide, a guide to harden their system. In PCI they call this an Implementation Guide. NSA refers to it as a STIG (Security Technical Implementation Guide). Have your Security Assessment team conduct a review or audit against the appropriate standards to ensure it was implemented appropriately. Be sure to discuss integration with other internal systems, like authentication/LDAP, or log management. Document, document, document… procedures, training, tests, etc.
Protecting Sensitive Data as the IoT Wave Permeates Organizations
IoT is a big wave of hardware, software, and data that is going to change the way many, if not all, organizations operate, compete, and service their customers. Sensitive data that is collected and processed by IoT devices and applications will need special focus to prevent data theft and the resulting legal, financial, and customer trust penalties. When dealing with sensitive payment, personal, and healthcare data, it’s best to keep it out of harm’s way with tokenization, encryption, and cloud data vaulting. Remember, no data, no theft.
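To make the “no data, no theft” idea concrete, here is a small added illustration of tokenization with a separate vault. It is example code written for this post, not TokenEx’s platform: an in-memory dictionary stands in for the vault, a role string stands in for real access control, and the card number used in comments is a constructed test value.

```python
import secrets
from typing import Dict


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; real PANs pass it, tokens below are chosen to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only copy of the PAN; the application database keeps just the token."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}  # token -> PAN (in-memory stand-in for a vault)
        self._by_pan: Dict[str, str] = {}    # PAN -> token, so one PAN maps to one token

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("not a card number")
        if digits in self._by_pan:
            return self._by_pan[digits]
        while True:
            # Random leading digits, last four preserved so staff can still recognise the card;
            # reject collisions and Luhn-valid strings so a leaked token is not a usable PAN.
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = head + digits[-4:]
            if token not in self._by_token and token != digits and not luhn_ok(token):
                break
        self._by_token[token] = digits
        self._by_pan[digits] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the settlement path may recover the PAN; everything else works with the token.
        if caller_role != "settlement":
            raise PermissionError("role not allowed to detokenize")
        return self._by_token[token]


def store_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Application-side record: carries the token, never the PAN (e.g. constructed 4111 1111 1111 1111)."""
    return {"card_token": vault.tokenize(pan), "amount_cents": amount_cents}
```

A breach of the application database yields only tokens, which are useless without the vault and the settlement role.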
TokenEx is the industry leading Data Protection Platform. Our tokenization, encryption, and data vaulting platform is protecting sensitive data for enterprise organizations worldwide. Follow us on Twitter and LinkedIn.
Dr. Jerald Dawkins is the Co-Founder of TokenEx and has extensive experience with secure coding and data security. Jerry is the author of multiple publications and presents at national and international conferences. He also holds the following certifications: CISSP, NSA IAM, and CNS 4011-4015. Jerry received his B.A. in Computer Science from Fort Lewis College in Durango, CO and his M.S. and Ph.D. Degrees in Computer Science from the University of Tulsa in Tulsa, OK.