Best Practices for Secure Remote Management of IoT Devices
By Michela Menting
Remote working today is not limited to enterprise laptops and corporate-liable smartphones. There is a plethora of IoT devices that form part of modern enterprises and also need to be managed, especially today when office premises are being vacated en masse by employees for COVID-19 quarantine. While IoT device management can be undertaken from any remote location, many companies that manage devices on site in private company networks have not considered how to secure remote management that will go through public networks.
The following is a guide to some best practices to ensure secure remote management of IoT devices in any scenario.
1. Security policies
Ensure that your company has security policies for IoT devices in place; this will help frame how security is deployed and managed, including by authorized personnel, through authorized channels and at authorized times. In addition, these policies should include privacy protection (if the data collected is about people) as well as risk and threat management.
2. Organizational measures
Lay down processes for how devices should be managed throughout their lifecycle (and not just at one moment in time). This should include incident handling and vulnerability management too. Further, measures should be put in place to effectively train users and managers of IoT devices on security, as well as to define processes for third parties' interactions with the devices.
3. Technical practices
On the device side, ensure that you can securely configure the device remotely, and that you are able to apply any software or firmware updates securely over the air if needed. Make sure you can leverage any embedded secure hardware to reinforce trust and integrity for the device. Secure boot and roots of trust can help to support a strong security foundation.
On the network side, ensure that you have proper authentication and authorization measures in place, as well as access control mechanisms for secure communications channels. This includes communication between devices, and not just between devices and users, so look beyond IP-based connections to the other communication protocols in use and understand how security can be applied to each. Leverage gateways and firewalls for better network security. Reinforce any monitoring capabilities for better visibility into real-time events. This goes hand in hand with ensuring business continuity and recovery processes are in place in case of an adverse or malicious event.
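As an added illustration of the device-side points above (over-the-air updates anchored in a root of trust), here is example code written for this article, not taken from the original or from any vendor: the update server signs a small manifest with Ed25519, and the device verifies the signature against a pinned public key, refuses rollback to an older version, and checks the image digest before installing. The manifest layout, function names and sample image are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout (constructed for this example, not a vendor format): 4-byte big-endian
// version || 32-byte SHA-256 of the image, then a 64-byte Ed25519 signature over those bytes.
const manifestLen = 4 + sha256.Size
// SignManifest runs on the update server, which holds the private key.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	sum := sha256.Sum256(image)
	copy(m[4:], sum[:])
	return append(m, ed25519.Sign(priv, m)...) // manifest || signature
}

// VerifyUpdate runs on the device with the public key pinned in its root of trust and
// returns the new version only if signature, anti-rollback and digest checks all pass.
func VerifyUpdate(pub ed25519.PublicKey, signed, image []byte, installed uint32) (uint32, error) {
	if len(signed) != manifestLen+ed25519.SignatureSize {
		return 0, errors.New("manifest: bad length")
	}
	m, sig := signed[:manifestLen], signed[manifestLen:]
	if !ed25519.Verify(pub, m, sig) { // authenticate before trusting any field
		return 0, errors.New("manifest: signature invalid")
	}
	version := binary.BigEndian.Uint32(m[:4])
	if version <= installed { // anti-rollback: a validly signed old image is still refused
		return 0, fmt.Errorf("manifest: version %d not newer than installed %d", version, installed)
	}
	if sum := sha256.Sum256(image); !bytes.Equal(sum[:], m[4:]) { // bind image to signed digest
		return 0, errors.New("image: digest mismatch")
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key pair; real devices pin a provisioned key
	image := []byte("constructed firmware image, version 2") // sample input
	v, err := VerifyUpdate(pub, SignManifest(priv, 2, image), image, 1)
	fmt.Println(v, err)
}
```

In a deployment the public key would be burned into the device at manufacture and the installed version stored in tamper-resistant storage, so that neither can be altered by the same channel that delivers the update.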
On the data side, ensure that data is secure in transit and at rest, regardless of where it originates or ends up (IoT device, backend, laptop, smartphone, cloud). This is especially important if the data is subject to regulations such as GDPR or HIPAA.
There are many great resources available online, whether from international organizations, consortia and foundations or from vendors themselves. Standards and specifications may be nascent in the IoT security space, but there is a dynamic drive to address the issue, and existing resources include, but are not limited to:
- Hardware (EMVCo, TPM, Trusted Execution Environment (TEE), SIM, eUICC)
- Transport (Cellular, NFC, Bluetooth, RFID, ZigBee)
- Lightweight cryptography (ISO/IEC 29192, SHA, AES, ECC, HIP-DEX, IKEv2)
- Firmware/software (UEFI, HCE)
- Critical and functional safety (IEC 61010, IEC 61508, ISO 26262, ISO 13849)
- Infrastructure (Datagram Transport Layer Security (DTLS), 6LoWPAN, IoT6)
- Semantic (JSON, RESTful, SENML)
- Data protocols (Constrained Application Protocol (CoAP), MQTT, AMQP, DDS, Lightweight M2M (LWM2M))
- Authentication (OAuth, OTrP)
- Device management (OMA-DM, TR-069)
- Multi-layer frameworks (Thread, IEEE P2413, AllJoyn, IoTivity).
Further reference architectures and guidelines in the space abound, and include efforts from ENISA, IoT Security Foundation, the Alliance for Internet of Things Innovation’s (AIOTI) High Level Architecture (HLA), CSCC Cloud Customer Architecture for the IoT, IIC Industrial Internet of Things Security Framework, and the Industrie 4.0 Reference Architecture Model. Companies should follow the latest developments in these efforts as they apply to their specific technology implementation, so that they deploy robust, end-to-end IoT security. Keeping the latest guidance in place, on a continuous basis, will help minimize risk and protect valuable enterprise assets.