We have seen a dramatic transformation in both life and work in recent years as a result of new technology, from smartphones to the Internet of Things, with the prospect of bringing an additional 20 billion connected things online by 2020, according to Gartner.
We’re truly entering the era of the Internet of Everything, where connectivity is a given. The pace of technological change and adoption seems to be accelerating, leaving us with no time to analyse or even bother ourselves with the massive amounts of data being shared between devices over the internet. In our haste to install apps, we click on “Agree” without a second thought about how or with whom we are sharing the information being gathered by our devices.
All these factors have implications for IoT security. Here are three of our top concerns:
- Standards: There are no specific, universal security standards for IoT devices. Yes, there are some cyber security standards, but they aren’t applicable to all connected devices.
- Device design: IoT devices usually have a very small memory footprint and low processor capacity with limited room for onboard hardware to provide protection against security threats.
- Vulnerability: It’s easy for hackers to exploit the features, connectivity and functionality of IoT devices, making the devices vulnerable to nefarious data collection, sharing and monitoring.
The security of our personal devices, such as smartphones, can be managed up to a point with passwords, fingerprints, voice recognition and even iris and facial recognition. But when it comes to larger IoT systems like connected cars, smart hospitals, smart infrastructure and smart cities, is it reasonable to believe these systems can be managed by device security alone?
The answer, of course, is “no.” And that’s where managed security services come in.
Here I’d like to discuss:
(a) The threats to the IoT ecosystem that can harm a device’s functionality.
(b) The typical security provided by manufacturers and service providers.
(c) Specialised managed security services and tools that can help assess and manage threats, spanning connected-device security, network security and cloud-application security.
1. Threats and vulnerabilities in the IoT ecosystem
Devices cannot function alone in an IoT environment. They always need to sense, communicate and act. Threats can come from any of the channels through which they are connected to the internet. These threats can cause damage ranging from a device malfunctioning all the way to the shutdown of the entire service. For mission-critical services like surveillance, energy management, infrastructure management and health services, such a shutdown would be catastrophic. Indeed, a malicious attack on a single camera, sensor or network endpoint in the ecosystem can derail the entire service, causing problems for the users of the service.
2. Device, network and cloud security provided by OEMs and service providers
Endpoint manufacturers and cloud service providers take good care of device security, based on service priority and criticality criteria. These include:
- Secure Boot: The device verifies the digital signature of the boot image in flash and runs it only if it is the authorised image. This is a first-level authentication that allows only trusted devices to come up in the IoT ecosystem.
- Authentication: Most IoT devices carry out self-authentication before starting the data exchange. They follow user-authentication and network-access protocols similar to those used by normal network users. The data will be stored in secure storage devices and will not be shared with the outside world.
- Access Control: There are role-based access controls that go down to the operating system level. Access is granted only to the specific areas of the system where the device has to work. Any access beyond the permitted boundary will be automatically cut off by the software.
- Firewalls and protocols: There are specific industry communication protocols for various domains. For example, thermostats communicate to the smart grid with a different protocol than an energy meter. Firewalls give the required controls and protection for IP traffic.
- Over-the-air or software patches: The software upgrades delivered over the air or as patch releases will be carried out in a fully controlled environment. Remote access to the device will be limited and controlled by multilevel access control and authentication.
- Cloud security: Cloud providers, both public and private, provide secure access, identity management and monitoring services for applications as well as data security.
However, even though device manufacturers, and network and cloud service providers are diligent in their efforts to secure smart devices so they can be added and operated in an IoT ecosystem, the devices are still vulnerable to threats. Addressing these vulnerabilities requires managed security services.
3. Managed Security Services
Managed security services perform the following tasks:
- Continuously monitor and respond to security threats with minimal response and recovery time.
- Perform regular vulnerability scanning and penetration testing of the network and applications.
- Set up security monitoring tools and processes with DevOps to reduce zero-day vulnerabilities and attacks.
Commonly used tools for managed security services
|Vulnerability scanning|Nmap, Wireshark, KisMAC, Skipfish|IBM AppScan, Nessus, Qualys, HP WebInspect, Nexpose|
|Penetration testing|BackTrack Linux, Kali Linux, Paros Proxy, Core Impact, Zed Attack Proxy|IBM AppScan, HP WebInspect, Burp Suite, Metasploit|
|Application security|Charles Proxy, hashQ, WebScarab|Burp Suite, Veracode MARS, IBM AppScan, HP Fortify|
|Threat modelling|Microsoft SDL, STRIDE, Trike threat modelling tools|Microsoft threat modelling tool|
It is imperative to have a well-managed and operational security service to protect the connected devices and data in the IoT ecosystems. And it is equally important to have a fool-proof recovery system to ensure uninterrupted service and business continuity.
There is a growing need in the industry for managed security services that will surely help us to build a secure connected world for generations to come.