Keeping the peace in the Internet of Things – Part 3

Sameer Dixit, senior director, Security Consulting Spirent

Testing an Internet or cloud is necessary because the system is too complex for anyone to analyse and predict every possible form of vulnerability or failure. Apart from the physical complexity of a large network, there are many different levels to analyse, beginning with the firmware and different operating systems on the network.

Then there is a constantly evolving population of applications on the network, plus all the different protocol and security systems. In a cellular network access security can be in the SIM card, where a passcode is needed for WiFi access, where Bluetooth can either use a password or pre-shared application key, says Sameer Dixit, senior director, Security Consulting Spirent.

Next there are specific security functions such as authentication of human or machine users, and determining what level of interaction they are authorised to have when accessing the network. Finally there are questions of physical security: are the endpoints and the actual network sufficiently rugged? Are they accessible to being tampered with?

A lot of thought will go into each of these aspects but, when it comes to determining the overall end-to-end security, there is only one way to know and that is to test it. The network can be modelled accurately under laboratory conditions and tested exhaustively for functionality. Then it can be tested for performance to see if it works reliably under all normal operating conditions. It is also possible to monitor an operating network continuously for signs of trouble.

Then there is the question of how an IoT will perform under extreme or stress conditions. There are many obvious and less obvious ways these extremes can arise. Taking for example an IoT that connects intrusion alarm systems across a metropolitan district: typically these alarms use the local Wi-Fi to maintain connection with headquarters and only turn up a 3G connection if the

Wi-Fi fails. So what impact will it have on the mobile network if there is a power cut across a whole district and thousands of alarm systems are simultaneously connecting to the mobile network? How might that briefly affect other systems on the network, let alone the actual alarm response?

It demands experience and in-depth understanding of the many factors involved to be able to anticipate such problems and recommend suitable tests, but we already have test solutions readily programmable to emulate every such situation. The tester does not have to build up realistic traffic scenarios parameter by parameter – though that is certainly possible. Instead the system can record real-life traffic data and then multiply it many times to emulate traffic storms – as when some emergency causes a surge in activity.

Independently, or at the same time as the performance is being tested, the network can be subjected to any number of known malware attacks – and if it is a cloud based test solution it will be kept up-to-date with the very latest malware. Spirent also has extensive experience of “fuzz testing”, where you are not just testing for known attacks but also borderline errors that can arise when wrong data is accidentally or deliberately injected into the system.

Conclusion

There are endless opportunities offered by connecting machines to machines via an Internet of Things, but we have a lot to learn about the risks that might arise from such a complex system – especially the risks posed by deliberate criminal intentions. Key areas that will need very careful and comprehensive security measures include the automotive industry, healthcare and industrial and utility control systems.

Although the IoT adds many new factors and combinations of risks, the basic techniques for testing complex, multi-protocol networks are already well established. Sophisticated test solutions are already available, and have long proven their ability to anticipate problems and ensure security under every normal and extreme operating condition.

The learning curve may be steep, but with the help of penetration testing and security testing solutions there is considerable expertise available on the slope.

The author of this blog is Sameer Dixit, senior director, Security Consulting Spirent.

About the Author:

Sameer Dixit is a leader in cyber security with over 15 years of experience in penetration testing and security research. At Spirent, Sameer is leading the ethical hacking and security research team called Spirent Security Labs.

Prior to Spirent, Sameer has worked for leading security companies such as Trustwave-SpiderLabs and Cenzic Inc. where he led the penetration testing, vulnerability scanning and managed security testing services team.

Sameer has contributed research for OWASP, been quoted in various industry-leading security and business publications such as Security Week, Business Insider, ZDnet, SC Magazine, and more. Additionally, he has spoken at various Cyber Security Threat Summits, Universities, conducted webinars, and actively blogs on emerging Web & Mobile security trends.

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Silicon Labs brings AI and Machine Learning to the edge with matter-ready platform

Posted on: January 24, 2022

AUSTIN, TX. 24 January 2022 – Silicon Labs, a specialist in secure, intelligent wireless technology for a more connected world, announced the BG24 and MG24 families of 2.4 GHz wireless SoCs for Bluetooth and Multiple-protocol operations, respectively, and a new software toolkit. This new co-optimised hardware and software platform will help bring AI/ML applications and

Read more

The chaos of legacy equipment

Posted on: January 24, 2022

Legacy equipment is vital to the functioning of many manufacturing facilities. Nevertheless, with rapid advancement in automated and connected technologies, managing both new and old equipment simultaneously can be a challenging balancing act. Here Johan Jonzon, CMO and co-founder specialist in edge analytics for the industrial Internet of Things (IIoT), Crosser, shares insight into how

Read more