7 Key Considerations to Ensure the Security of Your IoT Devices
The Internet of Things (IoT) can bring operational efficiencies, new business insights and satisfy needs that we didn’t even know we had. But ensuring the success of an IoT deployment depends on securing the system. In this blog, we’ll focus on the security of the connected devices themselves, and in subsequent blogs, we’ll dive into connection security and data security.
Infusion pumps. Building heating and air conditioning systems. IP cameras. Control systems for a dam. The list of connected devices that have been compromised and used to launch attacks on enterprise and industrial operations keeps growing.
What Makes Connected Devices So Risky
IoT devices can’t be managed to the same degree as laptops, tablets, smartphones and other traditional endpoints.
IoT devices are designed to do a very specific job—and to do it well. But because they are purpose-built, they often have minimal computing power and can’t run traditional endpoint security software or be remotely scanned. They’re often installed in private, remote or unattended locations where they’re easily accessible—and thus subject to curious or malicious hands. They’re connected to both wired and wireless networks, which exposes them to the usual range of cyberattacks.
Once a single device is compromised, similar devices can then be compromised more easily. An attacker may launch a Denial-of-Service (DoS) attack, causing business disruption and network outages. Or a compromised IoT device may provide an entry point for an attacker to move about the trusted IoT network in an attempt to steal sensitive data or cause further damage.
7 Considerations to Assess Device Security
Consider how well the device is designed for security:
- Physical security. Assess the security of the device case itself. Does the device open so the internal components are accessible? If so, can the chips be removed for further analysis by an attacker? Depending on the deployment, you may consider epoxying chips to the circuit board or embedding the circuitry in resin.
- Open ports. Any device with an open port that’s connected to a network can be hacked. Beyond network connections, are there USB ports, SD cards or other storage that can be accessed? Can ports be disabled if they’re not needed?
- Secure software by design. Is the device designed for secure software execution? If the device uses secure boot techniques and securely executes applications, it becomes much harder for attackers to tamper with the processor and system integrity. Increasingly, hardware-based security support is embedded into the chips to ensure system integrity, provide secure storage and protect anonymity, which is important if the device handles personally identifiable information.
- Administrator access. Legitimate user credentials are used in most breaches, according to Verizon, so make sure your administrator passwords are airtight. That includes changing the default password (you’d be surprised). Make sure the remote admin connection to the device is secure, using a secure protocol such as SSH rather than telnet.
- Encryption. Connected devices often lack the muscle to run the usual encryption algorithms, but lightweight encryption algorithms designed for resource-constrained platforms like IoT devices are emerging. Elliptic curve cryptography is the next generation of public key cryptography, and provides a more secure foundation than first-generation systems like RSA. The NSA has published two new algorithms—SIMON, which is optimized for hardware, and SPECK, which is optimized for software. Also, keep in mind that some IoT devices, such as smart meters, are designed to last for many years, and the device may outlast the usefulness of the encryption employed.
- Software updates and vulnerability management. Can the device software or firmware be updated when vulnerabilities are discovered? Make sure the update process is secure so that attackers can’t perform their own malicious updates.
- Real-time device discovery and monitoring. You can’t control or manage a device you don’t know about, yet research shows that 70% of enterprise IoT security professionals don’t monitor devices in real time. You need a way to identify every single device on the network and build a real-time inventory of your IoT devices. While different connected devices may behave in very different ways, the common thread is their network presence. Make sure you have tools to continuously monitor devices and profile changes in their behavior.
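The “software updates” consideration above says the update process must be secure so attackers can’t push their own malicious images. The following Go program is an added example, not code from the original post or from any vendor: it shows the three checks a device should perform before writing a new image to flash (signature over the manifest, anti-rollback version check, hash of the image). The manifest format, the `fw-manifest-v1` signing prefix and the use of Ed25519 (an elliptic-curve signature scheme, which also illustrates the ECC point made under “Encryption”) are assumptions of this example; in a real device the public key would be burned into ROM or a fuse bank rather than generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The signature covers the
// canonical string produced by signingInput(), so neither the version
// nor the image hash can be altered without invalidating it.
// (Assumed format for this example, not any vendor's.)
type Manifest struct {
	Version   uint32 // monotonically increasing, used for anti-rollback
	ImageHash [32]byte
	Signature []byte
}

func (m Manifest) signingInput() []byte {
	return []byte(fmt.Sprintf("fw-manifest-v1|%d|%s",
		m.Version, hex.EncodeToString(m.ImageHash[:])))
}

// SignManifest is what the vendor's build pipeline would run, with the
// private key kept off the device entirely.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signingInput())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version not newer than installed")
	ErrHashMismatch = errors.New("image hash does not match manifest")
)

// VerifyUpdate is what the device runs before accepting an update.
// installed is the version currently running. Order matters: nothing in
// the manifest is trusted until the signature has been checked.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.signingInput(), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback // a validly signed but older image is still refused
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch // image was swapped or corrupted in transit
	}
	return nil
}

func main() {
	// Key pair generated here only for the demonstration (constructed).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image bytes")
	m := SignManifest(priv, 2, image)

	fmt.Println("valid update:  ", VerifyUpdate(pub, 1, m, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, m, tampered))
	fmt.Println("rollback:      ", VerifyUpdate(pub, 2, m, image))
}
```

Because the manifest rather than the raw image is signed, the device can check the (small) signature first and only then spend time hashing the image; the version field inside the signed manifest is what prevents an attacker from replaying an old, validly signed firmware that contains a known vulnerability.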
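The “real-time device discovery and monitoring” consideration above rests on two things: an inventory of every device seen on the network, and a profile of each device’s normal behaviour so that changes stand out. The Go program below is an added example (not code from the original post or from any monitoring product) of the simplest form of that: it learns a baseline from constructed flow records, then flags devices that were never inventoried, known devices contacting new host/port pairs, and known devices sending far more data than their baseline maximum. The four-field record format, the MAC addresses, hosts and byte counts are all constructed for the example, and the 10x volume threshold is an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Flow is one summarized network flow as a collector might export it.
type Flow struct {
	Device  string // device identity, here its MAC address
	DstHost string
	DstPort int
	Bytes   int
}

// ParseFlow reads the constructed record format
// "<device-mac> <dst-host> <dst-port> <bytes>" and rejects malformed input.
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Flow{}, fmt.Errorf("malformed flow record: %q", line)
	}
	port, err := strconv.Atoi(f[2])
	if err != nil || port < 0 || port > 65535 {
		return Flow{}, fmt.Errorf("bad port in %q", line)
	}
	n, err := strconv.Atoi(f[3])
	if err != nil || n < 0 {
		return Flow{}, fmt.Errorf("bad byte count in %q", line)
	}
	return Flow{Device: f[0], DstHost: f[1], DstPort: port, Bytes: n}, nil
}

// Profile is what was learned about one device during the baseline window.
type Profile struct {
	Peers    map[string]bool // "host:port" pairs the device normally talks to
	MaxBytes int             // largest single flow seen in the baseline
}

// Baseline is the device inventory: identity -> learned profile.
type Baseline map[string]*Profile

func peerKey(f Flow) string { return fmt.Sprintf("%s:%d", f.DstHost, f.DstPort) }

// Learn builds the inventory and per-device profile from baseline traffic.
func Learn(records []string) (Baseline, error) {
	b := Baseline{}
	for _, line := range records {
		f, err := ParseFlow(line)
		if err != nil {
			return nil, err // baseline data must be clean
		}
		p, ok := b[f.Device]
		if !ok {
			p = &Profile{Peers: map[string]bool{}}
			b[f.Device] = p
		}
		p.Peers[peerKey(f)] = true
		if f.Bytes > p.MaxBytes {
			p.MaxBytes = f.Bytes
		}
	}
	return b, nil
}

// Detect compares live flows against the baseline and returns one alert per
// deviation. A malformed live record produces an alert instead of a crash.
func Detect(b Baseline, records []string) []string {
	var alerts []string
	for _, line := range records {
		f, err := ParseFlow(line)
		if err != nil {
			alerts = append(alerts, "unparseable record: "+err.Error())
			continue
		}
		p, known := b[f.Device]
		switch {
		case !known:
			alerts = append(alerts, fmt.Sprintf("new device %s seen talking to %s", f.Device, peerKey(f)))
		case !p.Peers[peerKey(f)]:
			alerts = append(alerts, fmt.Sprintf("device %s contacted new peer %s", f.Device, peerKey(f)))
		case f.Bytes > 10*p.MaxBytes: // assumed threshold
			alerts = append(alerts, fmt.Sprintf("device %s sent %d bytes, over 10x its baseline max %d", f.Device, f.Bytes, p.MaxBytes))
		}
	}
	return alerts
}

// Constructed baseline traffic: an IP camera streaming to a recorder on
// port 554 and a thermostat polling a cloud endpoint over 443.
var BaselineRecords = []string{
	"00:11:22:33:44:01 10.0.0.5 554 240000",
	"00:11:22:33:44:01 10.0.0.5 554 250000",
	"00:11:22:33:44:02 cloud.example 443 1200",
	"00:11:22:33:44:02 cloud.example 443 1300",
}

// Constructed live traffic with one normal flow, three deviations and one bad line.
var LiveRecords = []string{
	"00:11:22:33:44:01 10.0.0.5 554 245000",     // normal
	"00:11:22:33:44:01 203.0.113.9 6667 512",     // camera reaching an outside host on an unexpected port
	"00:11:22:33:44:02 cloud.example 443 900000", // thermostat sending far more than usual
	"00:11:22:33:44:03 10.0.0.5 22 300",          // device that was never inventoried
	"garbage line",
}

func main() {
	b, err := Learn(BaselineRecords)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(b, LiveRecords) {
		fmt.Println("ALERT:", a)
	}
}
```

Real deployments key the profile on something sturdier than a MAC address and learn the baseline over days rather than four records, but the structure is the same: the inventory is a by-product of watching network presence, and “profile changes in behaviour” reduces to comparing each new flow against what the inventory already knows.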
Securing your IoT devices not only mitigates the risk of attack but it also lowers support and field maintenance costs, such as patching and remediation. Securing and monitoring connected devices also may be required for compliance, such as PCI, Sarbanes-Oxley, healthcare and energy industry requirements.