I had the opportunity to participate in a panel discussion on the Internet of Things (IOT) and Cybersecurity at CyberSEED recently. CyberSEED is a unique platform pioneered by Comcast Center of Excellence for Security Innovation at the University of Connecticut to bring together cybersecurity leaders, business leaders, government and universities. In this blog, I have shared the key ideas that I discussed in the panel on IOT security and the broader linkage to cybersecurity initiatives.
The Arrival of the IOT Era
IOT is a revolution in the making. It is possibly the only technology that has enterprise, consumer, and industrial use cases. The industrial use cases are also called Operational Technology or Industrial Internet of Things. Now use cases are growing in number by the day, increasing their possibility of influencing our lives in the years to come.
At the consumer level, the adoption of IOT for areas including home monitoring & control, wearable tech, and connected cars has already started. At the enterprise level, adoption is active for building management, fleet management, hospital management, retail, telecom, and energy sectors. Operational technology has been long adopted by Power Grids, Oil & Gas, Utilities, Nuclear Plants and Traffic Control. With increased connectivity between SCADA networks and IT in these organizations, industrial internet is becoming a reality.
The Risks of IOT Implementations
Despite the huge positive impact IOT has over the lives of individuals, employees and customers, the risks which accompany this technology can act as a significant hurdle in adoption. Security issues in IOT are especially a concern as they have the power to cause physical destruction, harm lives and also cause financial impact.
IOT risk factor is unique since it brings together many leading edge technologies including cloud, mobility, and big data in addition to IOT sensors, gateways, and management platforms. IOT security therefore includes risk areas that cybersecurity industry is still learning to resolve including cloud & mobility. IOT security also includes unknown risk areas in the form of IOT sensors, protocols, gateways, and management platforms. Add to this the regular IT systems that IOT platforms integrate with and you get a complex mix of risk areas that should be protected. If we plot these areas as a combination of attacks (known/unknown) and threat actors/attackers (known/unknown), we can quickly see that there are some key areas where we are fully in the red and some where we have an understanding of attacks & attackers.
Here is a quick look at a set of illustrative risks in the IOT spectrum:
- There are many IOT protocols in the market today including Zigbee, CoAP, Advanced Message Queuing Protocol (AMQP), Digital Data service (DDS), and Message Queue Telemetry Transport (MQTT). These protocols are either new or derived for IOT from an earlier version used for generic purposes. As a result, they are vulnerable unless special effort is taken to secure them. As an example, Zigbee is a common IOT protocol now though it was originally conceived for low power wireless use. Users can easily search and get tools to crack the Zigbee protocol (http://tools.kali.org/wireless-attacks/killerbee).
- IOT management platforms have web interfaces and related protocols enabled. Therefore, they are exposed to common web application attacks, including SQL injection, cross site scripting, parameter manipulation. The impact of exploiting such weaknesses in an IOT management platform is high since it can be used to subvert millions of sensors for a malicious purpose.
- IOT management platforms are also hosted in cloud infrastructures. Any adversary who knows how to exploit the cloud on which IOT is hosted can get direct control of IOT management interface. The thousands of consumers who are subscribed to an IOT provider for home monitoring and control can be subject to burglary if the cloud on which this provider is hosted gets compromised.
- Mobile devices also run software that enables mobile to function as an IOT sensor. Mobile devices can also run apps which interact with other IOT sensors. However, mobile device compromises can also lead to breach of IOT components on mobile.
IOT will further complicate the cybersecurity challenges that we already have on hand, including the challenge of detecting unknown attacks (please refer to my earlier blog http://paladion.azurewebsites.net/big-data-for-proactive-cyber-threat-prevention/).
In this context, IOT security means securing the different components on which the IOT solution is built on. This includes the cloud that it leverages, the IOT protocols which are part of the solution, and the related IT infrastructure and mobile devices.
At the macro level, securing IOT infrastructure requires collaboration between industry, and academia, government for “secure by design” roll out of IOT protocols. Such initiatives are still at nascent stages and will take time to mature. Open Web Application Security Project (OWASP) has taken the lead though, publishing the top ten IOT issues to consider (https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf).
Recommendations for IOT Environments
Overall, it will take time for the ecosystem to reach maturity in terms of products, protocols and industry standards. Even at a mature stage, many of the risks discussed in this blog will need to be managed with diligence by the enterprise rolling out IOT projects. On a pragmatic note, I suggest that the following top three activities be carried out by any enterprise rolling out IOT solutions to achieve meaningful security:
- Build Security into IOT Architecture With Relevant Components – Doing so will provide around the box security till the time IOT protocols can be secure by design. This requires adhering to fundamentals including authentication, access control, and encryption.
- Build Monitoring Controls at Different Levels – This step covers IOT gateways, IOT management platform, IT infrastructure, and cloud monitoring to ensure that attacks are caught early.
- Detailed Security Assessment and Penetration Testing – These tests are imperative for secured IOT infrastructure before roll out and on a periodic basis.
About the Author
Vinod Vasudevan is a co-founder and CTO of Paladion. He has over 20 years of experience in the technology and information risk management domain. He is responsible for establishing the company’s technology, services vision, and leading all aspects of the company’s technology development. As the CTO at Paladion, Vinod has serviced large enterprise organizations across the globe for setting up of integrated risk management systems and for stream lining system based operations.
He regularly presents in leading global forums and conferences. He sits on the expert panel of industry consortiums. He is the lead author of the book “Application Security in the ISO 27001 Environment” from IT Governance, UK. Vinod is also the co-author of "Enhancing Computer Security with Smart Technology" published by Auerbach. He is a CISSP and a PCI QSA.
Vinod Vasudevan is a co-founder of Paladion and has over 17 years of experience in technology and information risk management domain. As the CTO at Paladion, Vinod has serviced large enterprise organizations across the globe for setting up of integrated risk management systems and for stream lining system based operations. He has held key positions with global firms including Microsoft. He is the co-author of “Application Security in the ISO27001 Environment” and “Enhancing Computer Security with Smart Technology”. He has also authored several papers. He sits on the expert panel of industry consortiums.