BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
The Internet of Things has exponentially complicated the task of keeping IT infrastructure secure. With uncountable things being distributed both virtually and geographically, each new end point is a potential entryway into an organization's network. This isn't a security architecture the typical IT team is used to thinking about. But it's time to take IoT security vulnerabilities seriously before the risks of doing nothing and the cost of doing something both reach an all-time high. Here are some of the areas where enterprises will have to start thinking differently to secure their systems.
Recognizing IoT security vulnerabilities
Steve Ball, Senior Director of Product Management at Senet, pointed out that IoT security can't be tacked on as a layer of bubble wrap at the end of development. That's not news to the security community, but it's a message that still gets lost in translation when talking to business decision-makers and even experienced DevOps engineers. "IoT security is a hugely important topic. People rush to solutions before considering issues like this." Last October's distributed denial-of-service assault served as a prime example of what can happen if manufacturers don't perform due diligence in architecting security into their products and addressing IoT security vulnerabilities. The Mirai malware infected half a million devices and carried out a massive DDOS attack by turning IoT devices into botnets.
Why? Because it was so easy to do. "DDOS attackers are exploiting completely unprotected resources including routers and cameras with default passwords and logins. It's the fault of the designers and manufacturers. They should be building in security from the beginning." This means no more admin1234 passwords. For starters, connected devices that have a login should require users to create a unique login and password during device setup rather than allowing a factory default to persist in the system.
Within Senet's own IoT products and services, a variety of security aspects are considered in the protocol. For example, edge devices are pre-provisioned with unique identifiers and keys to be allowed to join the network. Data that is transacted is encrypted. The company also relies on third party auditing of specifications to find opportunities for improvement. Making security a priority and getting a second set of eyes on the problem is a good start in making IoT more secure.
Hardware and software must work together
Louis Grantham, Manager of Channel Marketing Engineering at STMicroelectronics, says hardware itself is actually making other processes more secure. "If you take a look at credit cards today, they have more security with secure micro controllers like the one's we've developed at ST." These chipped cards safeguard electronic payment processing in ways that couldn't be accomplished with a magnetic stripe. These days, IoT hardware can be designed with dedicated tamper resistant components that contain RAM, CPU, a crypto engine, and other features to make security easier to design into the system, eliminating potential IoT security vulnerabilities.
But it's up to system designers to think about how they are using the hardware to take advantage of security. For example, Grantham pointed out that hardware with connectivity such as Bluetooth, WiFi, and Sub GHz always offers the capability for two-way communication. But it is technically possible to configure an IoT endpoint that only sends information to the network rather than sending and receiving. It might be a simpler design, but it would preclude the ability to do remote maintenance, updates, and shut down for more comprehensive IoT security. That kind of one way street can spell trouble.
Having detection systems in place to monitor devices remotely is essential for mission critical systems. That's the opinion of Ranga Vadlamudi, Azure Data Solution Architect at Microsoft. Enterprises need to be asking foundational questions about security: Where is it deployed? How can it be controlled? "You can't afford for IoT devices to be compromised in mission-critical applications. You need to have remote monitoring and the ability to shut off rogue devices. This is one of the top aspects of designing solutions."
IoT and cloud security go hand in hand
Kevin Saye, Microsoft Technical IoT Specialist, revealed that being in the cross-hairs isn't necessarily a bad thing when it comes to being more secure. Being aware of the threat level makes it a no-brainer to put a high priority on safety. Keeping a handle on this ever-changing issue comes with the territory for industry giants like MS. "When it comes to security, Microsoft is at an advantage because Azure is such a compelling target. This means we are responsible for understanding and dealing with security risks before our customers do, ensuring all devices and gateways take authentication seriously."
What does this have to do with addressing IoT security vulnerabilities? "As a software and cloud services provider, we don't actually make devices. However, we do write SDKs and provide a Windows version for IoT. It's similar to our other Windows products and leverages the security posture of the O/S, applying it to devices."
Wide dispersal requires a broader view of security
From the sensor on location to the communication process to cloud storage, IoT requires an end-to-end approach to withstand threats. According to Kevin, enterprises are missing something when it comes to security for IoT. "They need to look at these devices differently. They may not have the classic firewall and are dealing with assets NOT behind the firewall. They need to learn to defend themselves. That includes determining what data is allowed, etc." With IoT gaining rapidly in popularity in the enterprise space, IT will have to go beyond the wall to find solutions to keep their connected infrastructure secure.
IoT security vulnerabilities
These IoT platforms make IoT-as-a-Service easy.
Are you wondering how to pick the right platform for IoT development?
Why not create revenue streams with your IoT and IoTaaS application?