

Don't forget IoT physical security when planning protection

Organizations must take steps to ensure the physical security of IoT devices, including preventing access to hardware components and ensuring only authenticated access.

When IT professionals talk about IoT security risks, most think about software and online hack attempts. But hackers are resourceful and use any method necessary to gain access to devices and networks, including physical device access.

IoT physical security should be a consideration for all admins because devices provide another entry point onto a network. Hackers can physically open an IoT device to gain access to the inner components, ports, pins and circuitry and then connect to the entire network.

When organizations implement IoT devices into a corporate setting, admins must be aware of the security methods existing in the devices before deployment. IT managers should ensure their device security strategy includes physical security options and features appropriate for the organization, such as disabling the device when attackers tamper with it. The type of physical security needed for each device depends on the device type, where it's placed in the network and what type of data it processes or transmits.

To beef up IoT device security posture and strategy, IT teams should consider adding physical security options. Even adding basic security such as a lockbox or closing off unused ports can significantly harden devices.

As more devices are added to a corporate network, physical security may become a higher priority and require regular review and maintenance. But first, look at existing devices to see what can be done to secure them physically before making any further investments.


Physical security risks of IoT devices

IoT devices are extremely versatile and can be deployed extensively in organizations. Intel market researchers predicted there would be 200 billion IoT devices deployed by the end of 2020. Without taking a few security precautions before installing devices, organizations risk exposing them to hackers.

Depending on where organizations deploy the devices, they may be vulnerable to physical attacks. Criminals can steal the devices and bring them to a private location to hack them. They crack open their cases to scan or probe the interior hardware -- such as circuit boards, ports or chips -- without anyone noticing. Manufacturers sometimes make it easy for hackers to gain access to IoT devices with the helpful stickers they place inside cases or on the bottom of devices with default passwords, IP addresses and other information. Hackers can read off that information to gain device access.

Device protection can be as simple as placing the device in a secure case, blocking access to physical ports and securing it in place so it cannot be removed by unauthorized personnel. Beyond this, organizations can use more advanced physical security measures to protect their IoT devices regardless of their location.


Advanced measures for IoT physical security

After organizations put initial basic measures in place, IT teams can use these advanced tactics to increase the physical security of their IoT devices.

Deploy only authenticated devices. Attackers can tamper with devices at any point in the supply chain. Perform visual checks of all antitampering packaging and seals before device implementation. Return any devices with evidence of tampering to the manufacturer.

Secure the device in a tamper-resistant case. At a minimum, place a lock on the device enclosure. With the right tools, attackers can even defeat locks. Consider placing IoT devices inside secure cases specifically made to prevent tampering.

Enable only authenticated access to the secure devices. Ensure that only authorized personnel have the required keys or access codes to physically access the devices. Use role-based access mechanisms similar to those used for any software application or service. For example, Intel uses a software-based IoT platform to manage physical and virtual device access.

Disable the device upon tampering. Add a function that would disable the device whenever it's tampered with, such as an electrostatic discharge or short circuit if an enclosure is opened. This will disable or destroy critical components inside the device if it's stolen or breached. Another option is to add a switch or fuse to the enclosure that cuts device power if the case is tampered with and sends an alert to a monitoring application.
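The enclosure-switch option above can be sketched in firmware. This is an added example, not code from the article or from any vendor. The names, the three-sample debounce threshold and the choice to wipe a RAM-held key as the "disable" action are assumptions, and the switch traces are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DEBOUNCE_TICKS 3 /* assumption: consecutive "open" reads before tripping */
#define KEY_LEN 16       /* assumption: size of the secret held in RAM */

typedef struct {
    bool tripped;        /* latched: closing the lid again does not re-arm */
    bool alert_pending;  /* raised once per trip for the monitoring uplink */
    uint8_t open_ticks;  /* consecutive samples with the switch open */
    uint8_t key[KEY_LEN];
} tamper_monitor_t;

/* Constructed switch traces, one sample per tick (1 = enclosure open). */
static const bool TRACE_GLITCH[] = {0, 1, 0, 1, 1, 0, 0}; /* vibration only */
static const bool TRACE_OPENED[] = {0, 1, 1, 1, 0, 0};    /* lid removed */

/* Call once per tick; returns true while the device may keep running. */
bool tamper_poll(tamper_monitor_t *m, bool lid_open) {
    if (m->tripped) return false;
    m->open_ticks = lid_open ? (uint8_t)(m->open_ticks + 1) : 0;
    if (m->open_ticks < DEBOUNCE_TICKS) return true;
    volatile uint8_t *p = m->key; /* volatile so the wipe is not optimised away */
    for (size_t i = 0; i < KEY_LEN; i++) p[i] = 0;
    m->tripped = m->alert_pending = true;
    return false;
}

/* True exactly once after a trip, so the caller sends a single alert. */
bool tamper_take_alert(tamper_monitor_t *m) {
    bool pending = m->alert_pending;
    m->alert_pending = false;
    return pending;
}

/* Feeds a trace; returns the tick index at which the device tripped, or -1. */
int run_trace(tamper_monitor_t *m, const bool *trace, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!tamper_poll(m, trace[i])) return (int)i;
    return -1;
}

int main(void) {
    tamper_monitor_t m = {.key = {0xA5, 0x5A}}; /* constructed secret */
    printf("glitch trace: trip tick %d\n", run_trace(&m, TRACE_GLITCH, 7));
    printf("opened trace: trip tick %d\n", run_trace(&m, TRACE_OPENED, 6));
    return 0;
}
```

The debounce keeps vibration from wiping a healthy device, and the latch means that closing the case again does not restore operation or suppress the alert.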

Prevent probing of conductors. Conductors can carry data or analog signals inside IoT devices but are often ignored in security strategies. Attackers can probe conductors with a simple testing instrument that is readily available to anyone. Bury conductors inside the layers of a multilayer circuit board and route only non-sensitive conductors to the board's top layers.

Prevent access to any hardware components. Most manufacturers print their names and model numbers on their parts for easy identification. Hackers use this information to identify components with existing vulnerabilities, which they then target.

To prevent access, IT admins can try several tactics:

  • Encase components in nonconductive epoxy to stop hackers from probing pins on components.
  • Remove unnecessary components so attackers cannot extract them and use them to reverse-engineer access.
  • Embed components directly into the circuit board substrate, so hackers would have to destroy the board itself to gain access.
  • Hide or remove any manufacturer-placed markings wherever possible.

Manufacturers must ensure physical security of IoT devices

Consumers are not the only ones responsible for ensuring their IoT devices are physically protected. Manufacturers need to do their part, too. Manufacturers can offer more secure devices with built-in physical protection measures, such as embedded components and lockable exterior cases. They should also provide secure shipping of devices in tamperproof containers to give organizations a way to verify that the devices are secure when they receive them. Manufacturers that have these measures maintain high consumer confidence in their products and brand and reduce the physical security measures customers would need to design and implement on their own.
