The issue of IoT security has been prevalent since the first things were being connected. This special report by IoT Now’s Antony Savvas considers how security technology has evolved and whether it is up to the job.
The report looks at the market itself and what issues the industry has to address, including expert opinions on common security mistakes when planning and deploying an IoT project, IoT security best practices, IoT security by design, device-level and edge network security, communications security and cloud security.
The urgency of tackling these problems is perhaps illustrated by security vendor SonicWall’s Mid-Year Threat Report, which found that worldwide IoT malware attacks were up 50% year-on-year in the first six months of 2020.
An overview of the IoT security market
The global Internet of Things (IoT) security market by value is expected to grow from US$12.5bn in 2020 to US$36.6bn by 2025, at a compound annual growth rate (CAGR) of 23.9%, according to research house MarketsandMarkets.
This forecast – from July 2020 – sits somewhere in the middle of a variety of analyst forecasts for the IoT security market. Technavio, in May 2020, said the market will actually grow by a whopping US$80.94bn during the period of 2020-2024, at a CAGR of almost 37%. Technavio said 2020 will see around 33% growth in IoT security spending when compared to 2019.
Both analysts say key factors driving IoT security growth are rising security concerns around critical infrastructure, increasing ransomware attacks on IoT devices, increasing data risk in IoT networks, growing IoT security regulations and the increasing adoption of cloud-based services.
Industry players in the market are high in number, and range from hardware and software providers to system integrators and providers of professional deployment and security management services. Companies involved include Cisco Systems, IBM, Intel, Infineon, Symantec, Siemens, Gemalto, Fortinet, Zingbox, Mocana, Centri, Armis, Forgerock, Newsky, Cyber X, Eurotech, Icon Labs, Digi International, SecureRF, Altran, CA Technologies, MagicCube, Thales, Qualys, Karamba Security, Claroty, Trustwave, Sectigo, Dragos Security and Broadcom.
What are the major IoT security challenges?
A lack of standardisation for the security of IoT solutions is a major challenge. “Currently, there is no globally accepted set of technical standards for IoT, especially in terms of communications,” says MarketsandMarkets. “With heterogeneous IoT networks and their protocols, it becomes difficult for devices connected in one IoT system to communicate with devices in another.” This, in turn, results in inefficient data management and reduced interoperability mechanisms, said the analyst. “The inability of such IoT networks to have a common platform, uniform standards and extensive authentication certificates can result in reduced security.”
Kevin Restivo, IDC research manager for European enterprise mobility, says: “While IoT is one of the fastest growing markets in ICT, the ecosystem is a complex mix of technologies and services: server, storage, analytics, IT services, security and a range of other technologies.”
He confirmed that security fears lead when it comes to market inhibitors. Restivo adds: “A lack of coordination between operations and IT is very much an inhibitor to secure deployment. Everyone wants to protect their fiefdoms or they’re simply not able or willing to cooperate. IT is often left behind during the project and security planning, budgeting and piloting. That lack of coordination can really stall the successful deployment of industrial Internet of Things initiatives.”
On the compliance side there have been governmental initiatives in IoT security, but there are concerns that it is consumers that are being prioritised, not businesses, which, going by past experience, does not address a joined-up problem. For instance, in July 2020, UK digital infrastructure minister Matt Warman revealed that internet-connected gadgets will have to come pre-set with a unique password, or require the owner to set one before use, as part of plans for tighter UK cyber-security laws.
Peter Margaris, head of product marketing at Skybox Security, argues that while it’s good to see a government prioritising security, warnings about IoT security risks and best practices should be extended to the business environment. He says: “In 2016, we saw the Mirai botnet take advantage of insecure IoT devices and turn its power against the internet itself. It didn’t just affect select consumers, a single business or even a single sector – it disrupted the online world. Therefore, any new law must go beyond the consumer remit. A basic code of practice for all is the very minimum that should be put in place by governments to help prevent a repeat attack.”
So, let’s look at the main issues and considerations around IoT security deployments.
Common security mistakes when planning an IoT project
In the rush to adopt an IoT security strategy it is understandable that many organisations can get it wrong, particularly if there is a shortage of experts on the payroll. Deral Heiland, IoT research lead at cyber-security firm Rapid7, says: “Some of the biggest security issues around IoT are caused by not following manufacturer’s guidelines or general security best practices during deployment.” This includes not changing administrator default passwords, exposing technology directly to the internet, and using weak account passwords or passwords that are identical to other systems and accounts. “One of the most common issues is failure to properly segment networks – flat networks where every device can see every other device creates a serious risk to the organisation,” said Heiland.
Common IoT deployment mistakes:
• Use of hardware and software without built-in security and privacy features
• Allowing transmission of unencrypted data
• Lack of tools and processes to plan device updates
• Hard-coded credentials
• No integrity check of the software and OS installed
• API tokens not encrypted
• Lack of proper authentication and authorisation systems
Device-level and edge network security
Ben Carr, chief information security officer at Qualys, says: “Organisations and their partners have to ensure device-level security is optimised. At the most basic level it starts with knowing what devices you have in the environment and how they are configured.”
“While asset management has been a core component of general IT, in many cases IoT devices have not been well accounted for,” he adds. “For those building IoT devices they need to say clearly what the boundaries are for connectivity and communication from the device itself, and they need to implement security controls from the beginning.” There are three areas to consider, says Carr: how the devices behave normally; the security perspective, such as security controls and configuration; and third, the maintenance of the device and how updates can be applied securely and how they will affect the operational nature of the network.
By looking at these three elements, we can get a better picture of those IoT devices and how to manage their security. Sadly though, many devices, even today, are designed and deployed without any security planning or management in place.
How to secure communications between IoT devices
Strong encryption is critical to securing communication between devices, says Jerry Nicolas Ponvelil, director of technology at Altran. Data at rest and in transit should be secured using cryptographic algorithms. This includes the use of key lifecycle management. “Protecting an IoT network includes ensuring port security, disabling port forwarding and never opening ports when not needed; using antimalware, firewalls and intrusion detection/intrusion prevention; blocking unauthorised IP addresses; and ensuring systems are patched and up-to-date,” says Ponvelil. “If this is not done properly, it may result in compromised security in the cloud network and applications.”
Carolyn Crandall, chief deception officer at threat management and hacker deception vendor Attivo Networks, said: “Using secure communications protocols prevents eavesdropping and interception attacks. Using blockchain to store and validate transactions between devices can increase communications security as well. For organisations using patch management servers, it can be useful to interweave decoys and in-network hacker lures that can alert on attempts to discover or exploit these systems.”
Cloud security threats are escalating
We all know about the proliferation of the cloud and how it is increasingly connected to the edge where the majority of IoT devices are located, so how do we secure this interconnectivity?
Cloud security has a number of critical components, including access control; traffic filtering; security configurations; data protection; virus protection; and other incident monitoring, response and prevention elements. Nigel Hawthorn, data privacy expert for cloud security at McAfee, says: “Cloud security threats are continually escalating, with our research recently revealing a 630% increase in external cloud attacks between January and April 2020. Cloud and data security should therefore be front and centre in informing any enterprise’s cybersecurity approach – even more so as increasing numbers of organisations adopt IoT devices and accelerate towards cloud only.”
He adds: “A shared responsibility model of security has a key role to play here – cloud security requires a layered defence where businesses address each part of the stack of responsibility individually, yet they all interact together as a complete framework. From service providers to enterprises and individual users, everyone is accountable in some way, and with the shared responsibility model, businesses can ensure that everyone plays their part.”
“A good way to illustrate this is to think about a family renting a car,” he explains. “The manufacturer is responsible for the build quality and the airbags working, the rental company takes ownership of servicing and keeping the car roadworthy, while the driver is ultimately responsible for driving the car safely and carefully. Everyone does their bit.”
IoT security by design
On IoT security by design, which has been promoted in the IoT industry for a number of years now, Altran’s Ponvelil says: “IoT manufacturers – from product makers to semiconductor companies – should concentrate on building security in from the start, making hardware tamper-proof, ensuring secure upgrades, providing firmware updates/patches and performing dynamic testing. A focus should be on secure software development and secure integration. Hard-coded credentials should never be part of the design process. Organisations should require credentials to be updated by a user before the device functions.” He adds that public key infrastructure (PKI) and X.509 digital certificates should play critical roles in providing the trust and control needed to secure data exchanges and verify identity.
Alan Grau, vice president of IoT/embedded solutions at Sectigo, said: “It is absolutely paramount that properly authenticated device identity is in-built into devices at the point of manufacture. In the absence of a clear legislative agenda, manufacturers have been able to churn out devices lacking authentication, with often only static credentials as a barrier for cybercriminals.” Grau says PKI needs to be in-built so it cannot be tampered with further along the supply chain by malicious actors. Only if the chipset is authenticated and protected by certificates from the foundry stage of manufacture, will it remain secure across the device lifecycle, he says.
Basic security design guidelines for manufacturers, developers, integrators and users have recently been published by both the US National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI) and are seen as a big advancement in promoting security by design.
The NIST guidelines are the NIST IoT Device Cybersecurity Capability Core Baseline (NISTIR 8259A) and the ETSI effort is ETSI European Standard (EN) 303 645.
The IoT Security Foundation, which is a global non-profit supported by the likes of Samsung, Huawei, Vodafone, BT, Centrica and Arm, has also published useful guidelines such as its Secure Design Best Practice Guides and the IoT Security Compliance Framework.
5 rules for IoT security best practice
Arthur Fontaine, solution manager at RSA Security, says he has five rules for best practice:
1) Identification: “You should make sure that each individual endpoint can be discovered, identified and classified,” he says. Security teams need to be able to see which endpoints are present at an IP address and then detect specific information about the device, such as where it was manufactured, its model and serial number and what version of firmware it runs. “This can be achieved with modern edge platforms like the EdgeX Foundry, an open-source project hosted by the Linux Foundation,” he says.
2) Conduct a thorough risk assessment: “It is not enough to simply get an IoT deployment up and running and then forget about it,” says Fontaine. Risk assessments should be carried out continuously. The risk profile of IoT deployments changes over time, affected by activities such as adding and removing devices, changes to access policies, the discovery of new vulnerabilities and firmware and software updates applied to devices. Third-party risks may also arise if IoT data needs to be shared between the enterprise and external service providers.
3) Make sure the integrity of data is protected: “Sensitive data such as production information or customer records is often processed via IoT devices,” he says. This data is subject to the same privacy controls as other data but may be overlooked or even completely isolated from control systems, causing significant risk for organisations.
4) Understand who is accessing the devices: “Protecting access to and from devices is an important part of ensuring the overall operational integrity of the connected environment,” said Fontaine. Businesses should authenticate all users to ensure they are who they say they are, can only access what they’re allowed to, and that their credentials have not been compromised. Emerging standards such as FIDO IoT can be helpful in creating the appropriate IoT identity foundation.
5) Combine monitoring with access policies: Fontaine says: “The magnitude of IoT deployments is often an Achilles heel when it comes to security and risk, but this scale does offer one advantage – an abundance of operational data and use data about the devices.”
With this data, security teams can apply analytics and machine learning techniques to profile devices, baseline their normal behaviour, and detect and alert on anomalous activities.
It’s clear that IoT is getting serious about security but approaches remain immature in contrast to the well-established security practices of mainstream IT. The risks are different in IoT and this is starting to be reflected in the solutions and approaches that are coming to market. These will accelerate over the coming years and IoT security will start to resemble the wild west less.
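The device profiling and baselining described under rule 5, as an added example that is not part of the original report: each device gets a baseline of destination ports and traffic volume (median and median absolute deviation), and later records that deviate raise alerts. The device names, telemetry fields, sample records and threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed telemetry, one tuple per reporting interval:
# (device_id, destination_port, bytes_sent). Not real capture data.
BASELINE = [
    ("cam-01", 443, 5000), ("cam-01", 443, 5200), ("cam-01", 443, 4900),
    ("cam-01", 443, 5100), ("cam-01", 443, 5050),
    ("thermo-07", 8883, 300), ("thermo-07", 8883, 310), ("thermo-07", 8883, 290),
    ("thermo-07", 8883, 305), ("thermo-07", 8883, 295),
]
OBSERVED = [
    ("cam-01", 443, 5150),       # within the learned profile
    ("cam-01", 23, 5000),        # port never seen for this device
    ("thermo-07", 8883, 90000),  # far above its usual volume
    ("plug-99", 80, 100),        # device absent from the baseline inventory
]

def build_profiles(records):
    """Learn each device's destination ports and typical bytes per interval."""
    ports, volumes = defaultdict(set), defaultdict(list)
    for dev, port, nbytes in records:
        ports[dev].add(port)
        volumes[dev].append(nbytes)
    profiles = {}
    for dev, vols in volumes.items():
        med = median(vols)
        # Median absolute deviation: robust to a few outliers in training data.
        mad = median(abs(v - med) for v in vols) or 1.0  # guard against zero spread
        profiles[dev] = {"ports": ports[dev], "median": med, "mad": mad}
    return profiles

def detect(profiles, records, threshold=6.0):
    """Return (device, reason) alerts for records that deviate from the baseline."""
    alerts = []
    for dev, port, nbytes in records:
        prof = profiles.get(dev)
        if prof is None:
            alerts.append((dev, "unknown_device"))
            continue
        if port not in prof["ports"]:
            alerts.append((dev, "new_port"))
        # 1.4826 * MAD approximates one standard deviation for normal data.
        score = abs(nbytes - prof["median"]) / (1.4826 * prof["mad"])
        if score > threshold:
            alerts.append((dev, "volume_anomaly"))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_profiles(BASELINE), OBSERVED):
        print(alert)
```

A device that is missing from the baseline is reported rather than skipped, which ties the monitoring back to the identification rule: an endpoint nobody inventoried is itself a finding.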
This report first appeared inside IoT Now magazine.