IoT security – whose responsibility is it?
People are often considered the weakest link in a security chain, because they can be fooled into revealing passwords or choose passwords that are easily guessed. That observation can lead some business owners or IT professionals to believe that IoT, with its near total automation and minimal human involvement, is inherently secure. Nothing could be further from the truth, because nothing is inherently secure.
IoT environments are a labyrinth of opportunities for cyber criminals, and this year that labyrinth is expected to grow in size by 15% (year-on-year) to reach 20 billion devices, according to IHS Markit. To put that into context, the total number of unique mobile subscriptions globally stands at 4.9 billion (according to the GSMA). IoT dwarfs P2P mobile use in terms of connections and, subsequently, in terms of its potential for breaches in security, says Sanjay Khatri, global director of product marketing, Cisco IoT.
The IoT value chain is long and complex, with every element both essential and interdependent. Every link in the chain represents a potential vulnerability and, just as in every other industry, no single provider can cover every IoT security vulnerability.
This fragmented landscape means that IoT security takes a village.
Building the IoT security village
The device manufacturer is arguably the most obvious link in the IoT chain. These firms are not necessarily the manufacturers of the ‘things’ being connected; rather, they are specialist manufacturers of the elements, such as communications modules and sensors, that enable the things to be connected.
Establishing responsibility for securing the things is crucial. The party with technical responsibility may be different from the party that end-users consider responsible. Ultimately though, the end user-facing firm will own responsibility, as they are in the firing line if things go awry.
End users are likely to view the hardware provider as the responsible party, but problems are more likely to exist in the software. Developers need to include strict controls for authenticating user access and IoT software must have robust fraud detection and prevention mechanisms to protect both the device and the data.
Vulnerabilities also exist at the network level, as devices connect to the internet via cellular, Wi-Fi, Bluetooth, LPWAN or even satellite. In the case of cellular, a certain level of security is already built in. Cellular connectivity follows global standards: the SIM holds a per-subscriber key and runs the standardised authentication algorithms from which the ciphering keys that protect the radio link are derived. Note that this protects the link between the device and the operator's network, not the path from the operator to the application, so it does not remove the need for end-to-end encryption. Cellular IoT also allows device traffic to be routed into private networks, isolating it from other network traffic.
Cloud platform providers will also play a pivotal role in the development of a fully functioning IoT security landscape. Some, such as IBM, Microsoft and Salesforce, will focus on securing the data generated by connected devices in the cloud, while IoT platforms will manage, monitor and secure the connectivity of deployed devices.
Securing the device
The level of risk involved with a device will vary depending on the context in which it is used. Security layers such as authentication, user access, application access, device lifecycle management and data encryption should all be considered to safeguard connected devices.
There is often a cost/benefit trade-off between protecting everything and paying for everything and this can be quite pronounced for devices where large numbers are in use. Furthermore, device data has different levels of sensitivity. Understanding what and how many devices are in use, and the type of data being collected are critical first steps in building the appropriate device security strategy.
Network and data protection
If devices are the gateways, then networks are the connectivity highways over which data is transported to the cloud applications delivering IoT services. Protecting this highway is just as important as keeping devices secure, because even when the devices themselves are secure, there are myriad entry points on any network. There are numerous options for securing a network, and the strategy used will depend on the type of connectivity, the networks involved and how the devices are used.
Wireless connectivity, such as Wi-Fi or cellular, and fixed-line connections each have their own set of security protocols. Device data should always be encrypted and routed over secure private networks rather than sent openly over the internet. Additionally, network authentication lets an organisation verify and authorise devices on both the network and the applications within it.
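Verifying a device before it is allowed onto the platform is the point above about authorising devices at the application layer. The following is an added illustration, not code from Cisco or from this article, of a per-device challenge-response scheme: the platform issues a one-time nonce, the device answers with an HMAC computed under its own provisioned key, and the platform checks the answer and consumes the nonce so that a captured response cannot be replayed. The device identifiers, keys and class names are hypothetical, and the registry is constructed so the example runs offline; in a real deployment the per-device key would be provisioned in a secure element or SIM at manufacture.

```python
"""Per-device challenge-response authentication (added illustration)."""
import hashlib
import hmac
import secrets

# Constructed registry: hypothetical device IDs mapped to their per-device keys.
DEVICE_KEYS = {
    "sensor-0001": bytes.fromhex(
        "a3f1c2d4e5b6978877665544332211ffeeddccbbaa99887766554433221100fa"),
    "sensor-0002": bytes.fromhex(
        "0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e"),
}


def device_mac(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """HMAC-SHA256 over the device identity and the platform's nonce.

    Binding the device ID into the MAC stops a response computed for one
    identity from being presented under another.
    """
    return hmac.new(key, device_id.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class Platform:
    """Back-end side: issues one-time challenges and verifies the responses."""

    def __init__(self, keys):
        self._keys = dict(keys)
        self._pending = {}       # device_id -> outstanding nonce
        self._used = set()       # nonces already consumed (replay guard)
        self.authorised = set()  # device IDs that passed authentication

    def issue_challenge(self, device_id):
        if device_id not in self._keys:
            return None          # unknown identity: no challenge is issued
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, nonce, tag) -> bool:
        expected_nonce = self._pending.get(device_id)
        if expected_nonce is None or nonce in self._used:
            return False
        if not hmac.compare_digest(nonce, expected_nonce):
            return False
        # The nonce is consumed whether or not the tag is right: one attempt
        # per challenge, so a captured (nonce, tag) pair is useless later.
        del self._pending[device_id]
        self._used.add(nonce)
        expected_tag = device_mac(self._keys[device_id], device_id, nonce)
        if not hmac.compare_digest(tag, expected_tag):
            return False
        self.authorised.add(device_id)
        return True


class Device:
    """Device side: holds its own key and answers challenges."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return device_mac(self._key, self.device_id, nonce)


def run_handshake(platform: Platform, device: Device) -> bool:
    """Full exchange: challenge from the platform, response from the device."""
    nonce = platform.issue_challenge(device.device_id)
    if nonce is None:
        return False
    return platform.verify(device.device_id, nonce, device.respond(nonce))


if __name__ == "__main__":
    platform = Platform(DEVICE_KEYS)
    genuine = Device("sensor-0001", DEVICE_KEYS["sensor-0001"])
    impostor = Device("sensor-0002", bytes(32))  # right ID, wrong key
    print("genuine device:", run_handshake(platform, genuine))
    print("wrong key:", run_handshake(platform, impostor))
    print("unknown ID:", run_handshake(platform, Device("sensor-9999", bytes(32))))
```

The important properties are that an unknown identity never receives a challenge, a wrong key fails without leaking timing information (constant-time comparison), and each nonce is accepted at most once.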
IoT depends on connecting devices, via secure networks, to the cloud, so the importance of robust cloud security cannot be over-emphasised. When protecting cloud infrastructure, organisations should consider both digital and non-digital (physical and procedural) security practices. Adhering to standards such as ISO/IEC 27001 can provide a critical part of an overall strategy for ensuring information security.
In addition to securing the overall environment, businesses must get granular with controls for the IoT applications themselves, specifically role-based access and anomaly detection. With role-based access, organisations should implement identity management and access control lists to ensure that applications in the cloud give the right access to the right people. Anomaly detection ensures the IoT platform can not only detect anomalous or suspicious behaviour but also automate the remediation of any anomalies.
The IoT security checklist
Forecasts for IoT growth are huge; however, with massive reward comes massive risk. Businesses throughout the value chain need to take a holistic view of the security village which, of course, is easier said than done.
To help focus your IoT security strategy, be sure to:
- Evaluate the end-to-end identification and authentication of all entities involved in the IoT service (i.e. gateways, endpoint devices, home network, roaming networks, service platforms)
- Ensure all user data shared between the endpoint device and back-end servers is encrypted
- Store and use ‘personal’ and regulated data according to local privacy and data protection legislation
- Utilise an IoT connectivity management platform and establish rules-based security policies for immediate action on anomalous behaviour
- Take a holistic, network-level approach to security
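The role-based access and anomaly detection controls described in the cloud section, and the checklist item on rules-based policies that act immediately on anomalous behaviour, come together in a platform that checks who may do what and quarantines misbehaving devices on its own. The following is an added illustration, not code from Cisco or from this article. The roles, users, device IDs, baselines, destination allow-list and telemetry records are all constructed and hypothetical; the two rules (a message-rate spike against a per-device baseline, and traffic to an endpoint not on the allow-list) are example policies, and quarantine is the example remediation.

```python
"""Role-based access plus rules-based anomaly detection (added illustration)."""
from dataclasses import dataclass
from typing import Callable

# Constructed role-based access policy: role -> permitted actions.
ROLE_PERMISSIONS = {
    "viewer": {"read_telemetry"},
    "operator": {"read_telemetry", "send_command"},
    "admin": {"read_telemetry", "send_command", "rotate_keys", "decommission"},
}
# Constructed user-to-role assignments (hypothetical users).
USER_ROLES = {"alice": "admin", "bob": "operator", "carol": "viewer"}


def is_allowed(user: str, action: str) -> bool:
    """Deny by default: unknown users and unknown roles get nothing."""
    role = USER_ROLES.get(user)
    return role is not None and action in ROLE_PERMISSIONS.get(role, set())


@dataclass
class Telemetry:
    device_id: str
    msg_count: int   # messages sent by the device in the interval
    dest: str        # endpoint the device talked to


@dataclass
class Rule:
    name: str
    trigger: Callable[[Telemetry, dict], bool]
    action: str      # remediation applied automatically when triggered


def rate_spike(rec: Telemetry, ctx: dict) -> bool:
    """More than five times the device's baseline message rate."""
    baseline = ctx["baseline"].get(rec.device_id)
    return baseline is not None and rec.msg_count > 5 * baseline


def unknown_destination(rec: Telemetry, ctx: dict) -> bool:
    """Device talked to an endpoint outside the allow-list."""
    return rec.dest not in ctx["allowed_dests"]


RULES = [
    Rule("message_rate_spike", rate_spike, "quarantine"),
    Rule("unexpected_destination", unknown_destination, "quarantine"),
]


class IotPlatform:
    """Ingests telemetry, evaluates rules, and enforces RBAC on commands."""

    def __init__(self, baseline: dict, allowed_dests):
        self.ctx = {"baseline": dict(baseline), "allowed_dests": set(allowed_dests)}
        self.quarantined = set()
        self.alerts = []   # (device_id, rule name, action) in detection order

    def ingest(self, rec: Telemetry) -> None:
        for rule in RULES:
            if rule.trigger(rec, self.ctx):
                self.alerts.append((rec.device_id, rule.name, rule.action))
                self.remediate(rec.device_id, rule.action)

    def remediate(self, device_id: str, action: str) -> None:
        if action == "quarantine":
            self.quarantined.add(device_id)   # no commands until reviewed

    def send_command(self, user: str, device_id: str, command: str) -> str:
        if not is_allowed(user, "send_command"):
            return "denied: role"
        if device_id in self.quarantined:
            return "denied: quarantined"
        return "ok"


# Constructed per-device baselines (messages per interval) and allow-list.
BASELINE = {"sensor-0001": 10, "sensor-0002": 10, "sensor-0003": 12}
ALLOWED_DESTS = {"telemetry.example.net"}

# Constructed sample interval: one healthy device, one flooding, one exfiltrating.
SAMPLE = [
    Telemetry("sensor-0001", 11, "telemetry.example.net"),
    Telemetry("sensor-0002", 400, "telemetry.example.net"),
    Telemetry("sensor-0003", 12, "203.0.113.9"),
]


def run_sample() -> IotPlatform:
    platform = IotPlatform(BASELINE, ALLOWED_DESTS)
    for rec in SAMPLE:
        platform.ingest(rec)
    return platform


if __name__ == "__main__":
    p = run_sample()
    for alert in p.alerts:
        print("alert:", alert)
    print("quarantined:", sorted(p.quarantined))
    print("bob -> sensor-0001:", p.send_command("bob", "sensor-0001", "reboot"))
    print("bob -> sensor-0002:", p.send_command("bob", "sensor-0002", "reboot"))
    print("carol -> sensor-0001:", p.send_command("carol", "sensor-0001", "reboot"))
```

The point to take from the design is that the rule evaluation and the remediation are wired together, so a flagged device is cut off before an operator has read the alert, while the RBAC check is evaluated first on every command so that a viewer cannot act on any device, quarantined or not.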
The author of this blog is Sanjay Khatri, global director of product marketing, Cisco IoT