Internet of Things (IoT)-connected devices have become an integral part of daily life. The IoT is quickly growing as more and more devices are attached to a global network. Many IoT devices’ data and applications are highly sensitive and should be accessible only to authorized individuals. These applications are the computer programs that use real-time/near real-time conditions to ensure they do not fail, and they use consumption data to analyze and predict the future with artificial intelligence algorithms.
IoT security should include more than just the IoT device itself. IoT devices have minimal security and many flaws. Many feel that IoT manufacturers are not prioritizing security and privacy. But, despite the security challenges, the spread of IoT is not stopping. Thus, it is a must for security practitioners and users to learn about it to provide more security.
IoT is a collection of devices attached to the Internet that gathers and exchanges data using nodes and controllers. IoT can be defined as a network of uniquely identifiable physical objects or “things” that have the capability to sense and interact with themselves, with their external environment or both. Through controllers and cloud processing, these devices may have the ability to think and act autonomously and gather information for various reasons. The characteristics of many “things” are:
The goal of IoT is to improve the quality of life and provide benefits to consumers and enterprises. IoT helps to achieve the following:
In this context, IoT deployment can be categorized into five types:
IoT systems include hardware and software that communicate with each other using a wide variety of protocols. There are five core building blocks that are fundamental to IoT devices:
There are many challenges facing the implementation of IoT. IoT security is not just device security, as all elements need to be considered, including the device, cloud, mobile application, network interfaces, software, use of encryption, use of the authentication and physical security. The scale of IoT application services is large, covers different domains and involves multiple ownership entities. There is a need for a trust framework to enable users of the system to have confidence that the information and services are being exchanged in a secure environment. The most frequent weaknesses in the data security of IoT applications, as stated in the Open Web Application Security Project (OWASP), are due to:
IoT application security and end point security are the biggest concerns. Poorly secured IoT devices and applications make IoT a potential target of cyberattacks. Application developers or manufacturers that create IoT products are not mature from a security standpoint. However, security is a critical dimension of every IoT design. Integrating security in IoT impacts both hardware and software design from the beginning. The technologies to secure devices and connectivity are changing very quickly. It is challenging; security is not just an add-on to existing systems, but an integral part of them. The scope of security should be end-to-end to support the device from the very beginning.
Because many IoT devices are small with limited processing, memory, and power capabilities and resources, most current security methods, such as authentication, encryption, access control and auditing, are too complex to run on IoT devices.
IoT devices are being used in urban areas where physical security is difficult to establish or achieve due to the density of structures and complex infrastructure, and this makes it easy for attackers to have direct physical access to the IoT devices. Additionally, denial-of-service (DoS) attacks can weaponize IoT devices and recruit them as part of a massive zombie army. Insecure IoT databases or data stores are also a serious matter to consider.
IoT devices have a long shelf life and may possibly outlive support for the device, and outdated devices might be used in circumstances that make it difficult or impossible to reconfigure or upgrade, thus leaving them vulnerable to cybersecurity threats. Additionally, improper data disposal practices without adequate wiping is a serious concern.
IoT devices have built-in functions such as microphones, cameras and night vision, and are the eyes and the ears of the device. These devices passively collect petabytes of data, sometimes without user knowledge, that can fall into the wrong hands, affecting user privacy. Undisclosed collection, distribution and use of data, and failure to provide clear, comprehensive disclosures regarding data collection, use and sharing, especially when such practices may be unexpected, places the collector in potential violation of various governance and data privacy laws.
IoT products often ship with insecure default credentials. This could include hard-coded passwords that cannot be changed and shared passwords across a family of devices, making it simple for attackers to compromise these devices. Many IoT devices have built-in default usernames and passwords. Malware seeks out IoT devices and generally tries to attack devices by using the default username and password. Once accepted, the malware is able to take over the device to participate in coordinated botnet attacks.
Generally, multiple layers of administrative, technical and physical controls are used to protect organizational assets against risk. This creates an organized defense that is intense and strong. Commitment and support from senior management are important for successful establishment and continuance of an information security structure. IoT’s significant potential requires management’s attention.
Manufacturers and vendors must include security in the design process. The most effective strategy for securing IoT is to focus on the fundamentals. IoT device manufacturers, IoT connectivity architects, IoT platform developers, IoT application developers, IoT service developers and IoT experience designers should work together to get this done. It is critical for all those who take part in developing IoT to add security features during the design phase of their IoT solution development. The best efforts to prevent attacks include designing for security, embedding firewall features to add an additional layer of defense, providing encryption capabilities and including tamper detection capabilities. If manufacturers do not thoroughly test their devices, consumer trust and safety may be at risk. It is important to ensure that security is purpose-built into every aspect of the ecosystem that is running a particular IoT product, service or device. 11 When building products for IoT, vendors should always employ good practice and aim for confidentiality, integrity and availability (the CIA triad). The main difference in IoT security compared to traditional IT security is the number of devices, the purpose of usage and the physical condition of the devices. And, perhaps, the main issue is that IoT device manufacturers still do not think of their devices as computers.
Testing can provide assurance that the device and its protocols can cope with the ecosystem of the IoT by developing market-accepted test specifications. This helps introduce the time that it takes to get the product or protocol tested, and this helps to accept devices that can work with other IoT objects. Improving security configurability requires testing IoT web interface management, reviewing the IoT network traffic, analyzing the need of physical ports, and assessing authentication and interaction of devices with the cloud and mobile applications.
Segmenting IoT devices increases network security. So does developing IoT protocols that not only work together, but also ensure security and privacy. Unused services/ports must be shut down and closed, as these networking ports/services can expose the device to additional attack vectors. It is important to deactivate unnecessary services; these may go undetected, allowing an attacker to stealthily use them as a vector or target of an attack. It is also necessary to build in authentication between devices so that only trusted devices can exchange data. A solid password management tool to manage multiple IoT passwords must also be in place.
User awareness training encourages users and consumers to be aware of the vulnerabilities that the device may experience. When selecting an appropriate IoT device, consumers should require that the vendors have defended the device against common attacks.
User data need to be processed and encrypted to remain safe. The entire communication channel from the sensors to the service providers must be secure. Some ways to address the huge gap in security include ensuring confidentiality by providing encrypted communication streams, ensuring integrity by providing encrypted data storage and using hash integrity checkers, providing authentication methods so that the devices are communicating with known and trusted entities, and providing security updates in the form of patches and bug fixes. 12
Regulations will force manufacturers and vendors to make security a priority and provide guidelines on the expectation from IoT developers and manufacturers. IoT regulations will give a level of transparency to consumers, or packaging can reflect the level of security of the IoT device. It is essential to create an adequate legal framework and develop the underlying technology with security and privacy in mind. Regulation will force manufacturers to upgrade and secure their products. IoT applications need to have some consideration for the EU General Data Protection Regulation (GDPR). 13 The GDPR introduced a general mandatory notification regime in the event of personal data breaches. data controllers are required to report personal data breaches to their supervisory authorities no later than 72 hours after becoming aware of such a breach and, in some cases, are also required to report such breaches to affected individuals. data controllers using the IoT need to ensure that they are in a position to identify and react to security breaches in a manner that complies with the requirements of the GDPR. 14
Regular firmware updates and maintenance help protect the ecosystem and the ability of the IoT to handle virtually all functional operations. It should be possible to get updates of the firmware, the OS, or the specialized logic on stationary and mobile IoT devices. This requires maintenance interfaces to access the application runtime environment and the security settings for the apps themselves.
It is important to have monitoring systems in place when an event occurs. Once the event has been detected, a responsive action must be triggered to prevent any malicious use of the device. A back-end application should have functionality in place that can log abnormalities in the data it is receiving. Monitoring and software maintenance are essential to minimizing the impact of any device downtime due to software bugs or any other potential problems.
Practitioners should conduct a risk assessment in the IoT stack for all types of attacks in device security (endpoint security), network or connectivity layer security, cloud infrastructure security, and application security. An effective IoT framework should provide guidelines on managing IoT risk faced by organizations. Those guidelines include: 15
Applying IoT technology yields both opportunities and security risk, so the challenges with IoT devices in relation to security are huge. A careful assessment of security risk must precede any IoT implementation to ensure that all the relevant, underlying problems are discovered. Without sufficient data security and data protection, IoT will not be successful in the long run. Therefore, every IoT manufacturer is challenged to complement all phases of development processes through to the operation of the equipment with appropriate security measures. In future work, it is important to develop a framework for realizing and evaluating security risk within IoT to ensure confidentiality, integrity and availability.
Gokhan Polat, CISA, CRISC, CCSA, CGAP, CIA CISSP, CRMA
Has experience in risk management, internal auditing and information systems auditing, and now is a senior manager at EY Risk Advisory Services, Turkey. Polat can be reached at gokhan.polat@tr.ey.com or linkedin.com/in/gokhan-polat/.
Fadi Sodah, CISA, CISSP, CFR, eJPT, ICATE
Has been involved in networks, open source, infrastructure, software engineering, disaster recovery, security, system administration, audit and systems integration. Sodah can be reached at madunix@gmail.com or experts-exchange.com/members/madunix.