A lot has been talked about IoT security on the internet. Security leaders making resource and budget commitments still need to know if this is a security challenge for real as well as current industry solutions and needed security enhancements for the future. IoT security strategy has been in our ‘wish-list’ for years but now I feel the time is appropriate enough to work and come up ready with a strategy.
What is IoT and what are the security challenges?
Historically we cared about securing devices used to access and transact on the internet like the workstations, servers or the storage devices. Everything ‘else’ that connects to the internet like the cable modems, internet routers, cameras, thermostats, cars, smart home controllers, etc. are called the ‘things’; aka IoT devices. These devices have an operating system, compute, device drivers and networking stack to connect to the internet to be managed or provide operational metrics. In many cases these devices have vulnerabilities ready to be exploited, easily guessable root password, non-secure administrative interface, lack of a strong password policy and inability to do operating system or firmware upgrades. All of these are big security risks that were overlooked while purchasing these devices to meet certain personal or business goals. IoT security caught the attention of the security world in October 2016 when the DNS provider Dyn got hit by distributed denial of services attack by a botnet called Mirai which was made of IoT devices. The sheer volume of the attack was good enough to bring down the provider and cause availability impact to many major internet websites like Twitter, Reddit and Spotify to mention a few. An excerpt taken from Dyn’s blog that analyzes the attack states the attack volume was 40-50 times more than the normal traffic even after the mitigations provided by Dyn and upstream services provider to scrub non-legitimate traffic. It clearly shows the volume and power of the botnet consisting of IoT devices and the kind of damage it can do to the internet. It changed the attention on the security aspects of IoT by the industry as the adoption and growth of the IoT devices exceed billions.
"The industry should move towards building a common IoT communication standard and access protocol"
What are the IoT security best practices?
Securing IoT devices should be no different than securing servers or endpoints. We don’t have to reinvent the wheel. It’s like the flu season advisory from the center of disease control, stick to the basics and you will be fine -we can protect our IoT assets by going back to the security basics as listed below
• DONOT use default password
• DONOT keep non-SSL web interfaces open for administrativepurpose
• DONOT leave unnecessary ports or servicesopen
• DONOT purchase or keep IoT devices in the network without firmware or operating system upgrade ability
• DO scan your IoT infrastructure for open passwords and vulnerabilities
• DO upgrade firmware to mitigate security risks
• DO change the default passwords
• DO segment IoT from rest of the network
• DO Protect against OWASP top 10 attack vectors like SQL injection, Cross Site scripting, etc.
• DO monitor access to IoT segment and generate alerts as deemed appropriate
Regulations in IoT space
The problem in IoT space is the lack of standardization for ensuring minimal security assurance or even a standard communication protocol. Every manufacturer builds their own solution to address a certain real-world business problem, security is often not baked into the devices and usually an afterthought. Agencies like NIST and others provide the ‘guidelines’ for consumers on protecting their IoT assets but there is no mandatory ask for the manufacturers to maintain a minimum security baseline in the devices. California became the first US state to come up with an IoT security bill that needs to be implemented by the manufacturers by 2020 but a lot of vagueness around the wordings on how to achieve it.
Nevertheless, it is certainly a step in the right direction to regulate the IoT space. As we learn more, the regulations can be more prescriptive which will ensure the secure production and usage of IoT devices. Here is an excerpt from the Senate bill number 327 covering IoT
“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
A ‘reasonable security measure’ stated in the bill is a legal way of covering things not known now but not prescriptive enough to defend the position in case a manufacturer fails to secure a device and still claim to have used “reasonable measures.”
Asks for the future
We will need tools leveraging artificial intelligence and machine learning to differentiate and alert on ‘malicious’ IoT behavior as opposed to its approved usage. The vendor community should be pushed to use concepts like unikernel which embeds a single purpose-built process with the operating system that does not allow forking or creating child processes, access to the shell or installing any other software component in that operating system that bot-masters can try to install software and control the device. The industry should move towards building a common IoT communication standard and access protocol. Security leaders from the consumer community should be driving the manufacturers to come to a common ground and follow a standard set of protocols. Regulations should be more explicit on security measures to be followed by IoT manufacturers. Ability to upgrade the operating system, generate alerts, integrate with security operations center, monitor behavior, rotate passwords and compartmentalizing IoT network will be some of the minimum asks before installing IoT in the network.