In part one of this series, we outlined the three tiers of the IoT security architecture and three key security challenges IoT devices pose. Now we will move on to explore three specific examples of the security challenges IoT deployments can pose and underline the importance of thinking strategically to head off IoT security threats, says GH Rao, president – Engineering and R&D Services (ERS) at HCL Technologies.
IoT security problems can impact on deployments in several ways. For example:
- The pitfalls of quarantining: Traditional ways of quarantining will lead to other issues and would be detrimental in critical situations. For example, medical IoT devices are interesting in that they almost directly impact lives. A critical condition may trigger the device to send an atypical pattern of data transmissions that can trigger a traditional security system to quarantine the device and prevent the data from reaching the doctor. In turn, this may deny the person from receiving the appropriate mitigation action. Enhancements beyond monitoring to time-sensitive corrective actions, like implanted drug delivery devices, can prevent the doctor or nurse from remotely administering the dose in time if the device was erroneously quarantined by a traditional cybersecurity system.
- A sheep in wolf’s clothing: A sensor network monitoring quality at a water supply source might only communicate when conditions change. If central controlling systems expect to receive data only in variable bursts, spotting malicious communications from spoofing or hacked devices could be very difficult. Malicious devices can replay legitimate communications to trick threat detection systems using pattern profiling into acceptance as legitimate devices, then probe the centralised systems and applications for vulnerabilities as a trusted device.
- Legacy integration challenges: Another security challenge stems from the many legacy systems that are still in use within organisations. How can a company securely and efficiently link its 50-year-old mainframe and associated applications, which send unencrypted credentials and/or data using legacy protocols, to a new IoT infrastructure that draws from the cloud? New security tools will need to be deployed that can bridge such gaps and ensure that any data exchanged by the IoT network and existing systems remain secure at all times.
- Physical threats: Since many sensor devices are in the field for extended periods of time, often in remote areas, they are susceptible to physical threats like tampering, which in turn enable additional threat vectors. For example, a hacker could use the physical device to confuse the central system using false positives and false negatives, or infiltrators may gather data from the sensor and sell it on. The whole system or other sensors/devices could be compromised through gaining access to a single sensor and Denial-of-Service (DoS) attacks could be used by hackers to blackmail money from the owners company. Detection of such threat vectors is particularly difficult as it exploits the core trust model of conventional cybersecurity.
A new strategy is required
It’s clear that IoT projects will require IT teams to take a very different approach to security. Conventional perimeter-based approaches will have serious limitations, and deployment of sophisticated monitoring tools on endpoints will not be able to address all the vulnerabilities.
For this reason, existing security tools are unlikely to be appropriate for rapidly growing IoT networks. New suites of trust models, detection heuristics, adaptive remediation techniques, and tools will have to be sourced, deployed and managed.
The sheer scale of IoT devices will also require near real-time remediation when a threat is detected. This will require significant changes to threat detection-response technologies and procedures so that security staff can remain informed at all times without being deluged by inconsequential alerts.
On the regulatory front, an IoT specific risk and governance framework would also be required with specific policies and guidelines for successful rollout of IoT deployments. Government agencies will have to work with the private sector to ensure that suitable guidelines and laws are in place to guide deployments. As IoT devices permeate ever more areas, particularly sensitive places such as schools, hospitals, and homes, making sure security guidelines are followed will be vital.
IoT has the potential to revolutionise the way many organisations function and transform the services and products they can deliver to their customers. By paying attention to factors such as security early or investing in Secure by Design refactoring, the infrastructures created will be able to deliver on the large promises the technology offers without compromising on safety and security.
The author of this blog is GH Rao, president – Engineering and R&D Services (ERS) at HCL Technologies