kras99 - stock.adobe.com
IoT and industrial IoT devices are generally designed to be small and low-cost, using the minimum software and resources necessary to perform a single task, usually without human interaction. Security is often an afterthought. The lack of built-in security in many IoT and IIoT devices puts everyone and everything at risk -- from individuals and businesses to critical infrastructures and government agencies.
As a result, many organizations have deployed IoT devices without fully understanding their weaknesses and the effect those vulnerabilities might pose on overall network security. Consumers, meantime, either lack the knowledge or the motivation to change default passwords and settings before connecting IoT devices to their networks. They're also likely to be unaware if their device has been hacked; a successful attack is unlikely to noticeably degrade performance or service.
Absent IoT hardening, IoT attacks can yield severe repercussions. The 2016 Mirai botnet DDoS attack, for example, affected more than 600,000 IoT devices, among them routers and IP cameras, and took down dozens of major internet sites, including Amazon, Netflix and Airbnb. More troubling was the 2015 investigation that illustrated how easy it was for hackers to take over a Jeep's controls even as its driver sped 70 mph on a St. Louis highway.
Top IoT device security weaknesses
Organizations need to harden IoT devices and the platform they run on to avoid having their devices infected, hijacked and used in a cyber attack. Without the proper IoT hardening, IoT devices are prone to the following weaknesses:
- Absence of device authentication. Without authentication, unauthorized devices can access a network and act as an attack entry point.
- Lack of visibility. Without authentication or a unique identifier, it is difficult to track, monitor and manage IoT devices.
- Embedded passwords. While default or hardcoded passwords can make installation and remote access simpler, it also makes access easier for hackers.
- Patching and upgrading. There are often no easy means to patch or upgrade software running on IoT devices, leaving devices with known vulnerabilities exposed to hackers.
- Physical access. IoT devices are often installed in easily accessible locations, making it possible for hackers to damage them or to remove components such as memory cards. Others are in physically remote or inaccessible locations, making them difficult to manage.
Because many of these vulnerabilities stem from design and manufacturing flaws, it's important that organizations and individuals consider only those products that can deliver a secure operation. It's also important to avoid devices with superfluous features, such as unnecessary USB ports, which can expose the product to unwanted attack vectors.
How to harden IoT devices
IoT hardening is critical to protecting IoT devices and preventing security issues. The following are must-have IoT hardening actions.
Shortlist only those devices that securely authenticate themselves before joining a network. Unique identifiers make identification and monitoring easier and help prevent rogue devices from joining the network. Integrated SIM devices embed identification features directly into the hardware itself, reducing the chance of unauthorized access. Store device IDs and authentication keys in a secure location; a compromised key can jeopardize the entire network.
Deploy IoT devices that require users to create a strong password at the beginning of the setup process. This avoids issues with embedded or default passwords.
Tamper-resistant elements and an ability to detect physical tampering increase a device's security and the security of the data it stores and processes. Ensure monitoring systems trigger alerts when tamper signals are received. These features are particularly important when IoT devices are deployed in remote or unsecure locations.
Secure boot, data storage and transmission
Secure and encrypted storage and boot functionality provided by a cryptoprocessor, such as a Trusted Platform Module chip, improves the security of a device and the IoT infrastructure it resides on. For legacy or constrained devices that do not have or cannot support these features, consider field and cloud edge gateways as an option to securely connect these devices and send data over the internet.
Scalable secure updates
Keeping the software and OSes running the IoT network up to date and protected is a well-understood standard practice; however, updating IoT devices is not so easy. Using USBs or other manual processes to update IoT devices works but does not scale. Automate patching and updating whenever possible. Over-the-air IoT hardening is an efficient way to distribute cryptographically assured configuration, firmware and application updates to IoT devices equipped with an onboard cryptoprocessor. Devices that support these features might initially be more expensive than their basic counterparts, but easier maintenance and stronger security make them more cost-effective in the long term.
A network segment dedicated to IoT means security controls running IoT-specific rules. Threat intelligence feeds containing the latest indicator of compromise signatures for IoT devices help machine learning-based defenses preemptively identify issues picked up by IoT sensors in the field. In the event an IoT security incident occurs, traffic can be quickly blocked or quarantined if it is on a separate network segment.
Enforce security policies and procedures that cover the entire IoT device lifecycle, from commissioning and maintenance to decommissioning and disposal at end of life. Include any sensitive data that might still be stored on the device. Classify and list every IoT device in the asset inventory and network architecture diagrams, ensuring their interconnectivity and communication paths are understood and correctly monitored, managed and audited like any other network device. This reduces mean time to detect and unexpected downtime. Establish incident response procedures and review and test them regularly. For organizations that lack necessary staffing, use IoT-specific cloud-native security monitoring and analytic platforms.
Regulations still aren't enough
Although regulations and baseline security recommendations that put more focus on IoT security are emerging, manufacturers' quest to innovate their products continues to dwarf efforts to keep IoT devices secure. Compliance alone does not guarantee safety and there is still too little incentive for device manufacturers to invest in better security for low-cost devices.
Until there is a global entity to define and enforce IoT security standards, it is up to development teams, organizations and individuals to play their part in making these devices less vulnerable to attack and abuse. By choosing only secure devices, buyers can put pressure on manufacturers to expand the security features of their products to provide the end-to-end security and trust that smart utility grids, smart factories, smart vehicles and smart homes rely on.