{"id":710,"date":"2018-05-31T02:12:18","date_gmt":"2018-05-31T02:12:18","guid":{"rendered":"http:\/\/kusuaks7\/?p=315"},"modified":"2023-08-29T16:48:46","modified_gmt":"2023-08-29T16:48:46","slug":"seven-principles-for-stronger-iot-security-part-1","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/iot\/seven-principles-for-stronger-iot-security-part-1\/","title":{"rendered":"Seven Principles for Stronger IoT Security \u2013Part 1"},"content":{"rendered":"<p>IoT security breaches are expected to reach an all-time high, according to\u00a0<a href=\"http:\/\/www.clresearch.com\/research\/detail.cfm?guid=5D348802-3048-78A9-2F7B-C459C93FC64C#IoT\" target=\"_blank\" rel=\"noopener noreferrer\">ChainLink\u2019s annual predictions<\/a>. 
It\u2019s important to differentiate between indirect attacks, using IoT devices to conduct cyberattacks against another target, and direct attacks, where the end goal is to compromise and access the IoT device itself.<\/p>\n<p>A high-profile example of an indirect attack was last year\u2019s\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack#Distributed_DoS_attack\" target=\"_blank\" rel=\"noopener noreferrer\">DDoS<\/a>\u00a0attack against Dyn that exploited security weaknesses in tens of millions of IoT devices to overwhelm Dyn\u2019s DNS servers, making dozens of major internet sites like Amazon, Twitter, and Netflix unavailable.<\/p>\n<p>Unfortunately, the market rewards time-to-market and lower prices over robust security for many classes of IoT devices, especially low-end devices that are commonly (and often unknowingly) hijacked to create a cyber-attack, such as IP cameras, home automation systems, home gateways, connected printers, baby monitors, and so forth. Some high-profile cases may garner negative media attention, but usually with little impact on the consumer\u2019s ultimate decision to buy.<\/p>\n<p>With direct attacks, the goal is access to the IoT device \u2013 and by extension the sensors, machines, and environment that the device is connected to. As such, this type has the potential to be even more disruptive and destructive. Criminals, terrorists, and malicious foreign governments may use connected devices to cause havoc or harm, such as hacking into a home security system to rob or kidnap someone or holding a city hostage by taking control of its traffic light or\u00a0<a href=\"http:\/\/www.cnn.com\/2016\/12\/30\/us\/grizzly-steppe-malware-burlington-electric\/index.html\" target=\"_blank\" rel=\"noopener noreferrer\">power system<\/a>. 
In theory, this should create more motivation to secure these devices; however, too often these devices receive too few resources or too little attention, even when they are high-value targets, so cyberattacks remain very common.<\/p>\n<p><em>The IoT Security Imperative<\/em>\u00a0asserts that manufacturers and deployers of IoT devices and systems (especially potential targets for direct attacks) have a moral obligation to vigorously and comprehensively address security. The following principles can serve as guideposts to enable stronger IoT security.<\/p>\n<ol>\n<li><strong>Use a multi-layered approach<\/strong>\u00a0\u2014A central tenet is to have multiple layers of security, so if one layer is compromised, the intruder confronts additional layers. In an end-to-end IoT system, each component should be designed to assume that the communication channel and other components have been compromised. Further, within each component, there should be multiple layers of security to the extent that resources allow it. A multi-layered approach also includes physical security on devices and for facilities.<\/li>\n<li><strong>Design in security from the start<\/strong>\u00a0\u2014Rather than a \u2018bolt-on\u2019 afterthought approach, security should be designed into every component and process from the start using\u00a0<a href=\"https:\/\/www.owasp.org\/index.php\/Security_by_Design_Principles\" target=\"_blank\" rel=\"noopener noreferrer\">secure by design principles<\/a>, such as hardening, using secure defaults, and failing securely. Security should be built into the entire product lifecycle, including security reviews during concept, design, development, testing, deployment, maintenance, and EOL.<\/li>\n<li><strong>Security for legacy and limited resource devices<\/strong>\u00a0\u2014Many environments do not have the luxury of start-from-scratch greenfield designs. 
This is true both on the device side (equipment in existing factories, buildings, ships, aircraft, etc.) and for existing enterprise software systems. Also, some devices don\u2019t have the memory or processing power to implement encryption, let alone multi-layered security. These devices can be isolated using secure gateways and readers that support segmenting the network, quarantining compromised devices or segments, wiping and reloading, and isolating insecure devices and networks, potentially using a \u2018virtual private LAN\u2019 overlay.<\/li>\n<li><strong>Implement granular and scalable security<\/strong>\u00a0\u2014Complex IoT systems can have many different types of users, devices, and data. This creates several access scenarios with implications for the IoT platform\u2019s built-in security. Highly granular and flexible access control and authentication will help support potentially hundreds of types of users and devices, and thousands of access scenarios and use cases. Bear in mind the fluidity of IoT systems and networks, which constantly provision and deprovision users, devices, and data sources, often with ever-changing use cases, system connections, and even changes to the underlying architecture.<\/li>\n<li><strong>Protect against social engineering and insider malfeasance<\/strong>\u00a0\u2014Don\u2019t forget the people, who are usually the weakest link in a security strategy. This includes proper vetting of employees and contractors, strong security training programs (including\u00a0auditing and testing), and a broader set of insider crime prevention and anti-collusion measures, such as separation of duties, rotation of duties, regular audits, surveillance, monitoring, a reporting hotline, etc.<\/li>\n<li><strong>Encourage robust, independent security testing<\/strong>\u00a0\u2014For starters, make it easy for anyone to report problems, and set up mechanisms and escalation to ensure that you\u2019re highly responsive to them. 
It can also pay to hire white hat hackers to do penetration testing, or consider starting a\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Bug_bounty_program\" target=\"_blank\" rel=\"noopener noreferrer\">bug bounty program<\/a>\u00a0to incentivize people to report vulnerabilities.<\/li>\n<li><strong>Prioritize security investments<\/strong>\u00a0\u2014Often security loses the battle for limited resources that could instead be used to serve customers better, grow the company, get the product out sooner, and meet other strategic goals. A strong business case needs to be made for security, and investments need to be ranked by priority since not all will be funded. Higher value targets require more robust security, but at the same time, the biggest vulnerabilities may be the most mundane. Piggybacking on other investments and looking for low-cost wins should be done whenever possible.<\/li>\n<\/ol>\n<p>Security tends to be an incident-driven priority, meaning it doesn\u2019t get much attention until after a major incident. It takes good \u2018marketing skills\u2019 (i.e. selling internally) to get the executive team to invest in it\u00a0<em>before<\/em>\u00a0the fact. It also takes a certain kind of person, one who can find satisfaction in being the unsung hero who\u00a0<em>prevented<\/em>\u00a0the disaster from happening in the first place.<\/p>\n<h3>Additional resources<\/h3>\n<p>There are some good existing resources on securing different components of an IoT system. For cloud-based components, the\u00a0<a href=\"https:\/\/cloudsecurityalliance.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cloud Security Alliance<\/a>\u00a0offers\u00a0<a href=\"https:\/\/cloudsecurityalliance.org\/download\/security-guidance-for-critical-areas-of-focus-in-cloud-computing-v3\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security Guidance for Critical Areas of Focus in Cloud Computing<\/a>. 
For devices, in addition to the\u00a0IoT Security Compliance Framework\u00a0(from ISF), the\u00a0<a href=\"https:\/\/www.trustedcomputinggroup.org\/about\/\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"broken_link\">Trusted Computing Group<\/a>\u00a0has its\u00a0<a href=\"http:\/\/www.trustedcomputinggroup.org\/wp-content\/uploads\/IOT_Security_Architects_Guide_TCG.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Architect\u2019s Guide: IoT Security<\/a>\u00a0and\u00a0Guidance for Securing IoT Using TCG Technology Reference Document.\u00a0For more, also see IoT Security Foundation\u2019s\u00a0<a href=\"https:\/\/iotsecurityfoundation.org\/wp-content\/uploads\/2017\/01\/Vulnerability-Disclosure.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Vulnerability Disclosure Best Practice Guidelines<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>IoT security breaches are expected to reach an all-time high. It&rsquo;s important to differentiate between indirect attacks, using IoT devices to conduct cyberattacks against another target, and direct attacks, where the end goal is to compromise and access the IoT device itself. With direct attacks, the goal is access to the IoT device &ndash; and by extension the sensors, machines, and environment that the device is connected to. As such, this type has the potential to be even more disruptive and destructive. Criminals, terrorists, and malicious foreign governments may use connected devices to cause havoc or harm. 
Seven principles can serve as guideposts to enable stronger IoT security.<\/p>\n","protected":false},"author":298,"featured_media":3800,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[195],"tags":[93],"ppma_author":[1882],"class_list":["post-710","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iot","tag-internet-of-things"],"authors":[{"term_id":1882,"user_id":298,"is_guest":0,"slug":"bill-mcbeath","display_name":"Bill McBeath","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=mm&r=g","user_url":"","last_name":"McBeath","first_name":"Bill","job_title":"","description":"Bill McBeath, Co-founder of ChainLink&#039;s research group, is Chief Research Officer at ChainLink Research and leads its research efforts, as well as the procurement, strategic sourcing, design collaboration, and online marketplaces practices. With more than 20 years of experience in a variety of roles as a business and technology researcher and consultant, high tech executive, and software architect, he is recognized as a leading expert in extended-enterprise business 
models."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/710","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/298"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=710"}],"version-history":[{"count":4,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/710\/revisions"}],"predecessor-version":[{"id":31903,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/710\/revisions\/31903"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/3800"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=710"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}