Cybersecurity and the Internet of Things
By Robert Muehlbauer
Any IP-based device is part of the IoT, whether it’s a surveillance camera, door controller, loudspeaker or even a refrigerator. Most IoT devices offer non-proprietary and open standards that allow users to integrate them with other devices, systems and software without restrictions. This is where the true value of the IoT comes in, namely the data these devices generate, which can be mined and analyzed to provide deep insights and intelligence.
To be effective, the IoT needs flexible data models, real-time triggers, high scalability, a flexible open architecture, data visualization, device management, multi-connect support and end-to-end security.
Open standards allow devices from previously disparate categories to be used together and accessed via a single management console. This not only makes security and other systems easier to use but also provides enhanced situational awareness and overviews of incidents.
The Value of Data
Today, data is akin to oil in the 18th century: an immense, largely untapped, and very valuable asset. As with oil, there will be tremendous rewards for those who recognize the fundamental value of data and learn to extract and use it. Data on its own can be valuable, but when analyzed to provide deeper insights and intelligence, it is even more valuable.
In our digital economy, data is the key to smooth functionality of everything from the government to small local companies. Without data, progress would grind to a halt. And the more sources of data you can mine, and the more data streams you can blend, the greater the value. Therefore, as more and more devices are brought online and integrated with others, the value of data only continues to grow.
The Challenge of Rapid Growth
Depending on the definition of “things” you choose to apply, there are between 6 million and 14 billion connected devices worldwide – not including smartphones, computers and tablets. With annual growth rates ranging between 14 and 29 percent, there will be anywhere from two to six connected “things” for every person living on earth by 2020. At the same time, the number of connected devices will also eclipse the number of smartphones, tablets and computers by a landslide.
When you think about the potential monetization of the data generated by as many as 50 billion connected devices, the total is staggering. For example, many respected industry research firms have estimated the IoT’s impact on the global economy to be in the hundreds of billions in the coming years. And where there’s money to be found, there are also likely those who’d like to help themselves to a piece of that very large pie.
While the benefits of the IoT are undeniable, the reality is that each device that is connected to the network introduces another point of risk to the overall IoT ecosystem. Therefore, it’s essential to secure all IoT devices, since the entire ecosystem is only as strong as its weakest link. Consider the Mirai botnet, which was used to compromise some manufacturers’ IP cameras and launch large-scale DDoS attacks. Hackers have since built on and updated the Mirai code to create derivative malware, so its legacy is still compromising networks today.
Many of the vulnerabilities of IoT devices can be mitigated using recognized security best practices, but unfortunately many products available today fail to incorporate even the most basic security measures.
Guidelines for Securing the IoT
One of the primary challenges to securing the IoT is a lack of comprehensive standards. This is due in large part to the complex ecosystem consisting of a wide range of devices from a large number of manufacturers. It is complicated by the fact that securing the IoT, by definition, requires securing standard, scalable, interoperable systems.
With this in mind, when it comes to determining the best way to secure IoT devices, one of the top sources for best practices is the Department of Homeland Security’s Science and Technology (S&T) Directive. Under the directive, the situational awareness of IoT industrial applications and devices must provide three key capabilities:
- Detect: The ability to know what IoT devices and components are connected to a given network or system.
- Authenticate: The ability to verify the provenance of IoT components and to prevent and detect spoofing.
- Update: IoT security programs must include the ability to securely maintain and upgrade these components.
The directive spells out specific requirements and forbids any Internet-connected devices purchased by the U.S. government from utilizing hard-coded or unchangeable usernames and passwords. The guidelines also require vendors to ensure their devices are, at the time of purchase, protected from any known vulnerabilities. Devices must also be able to be patched regularly to protect them from future vulnerabilities.
Additionally, all firmware updates must have an effective authentication mechanism, such as a secure digital signature, to prevent unauthorized updates. Finally, devices must use only non-deprecated, industry-standard protocols and technologies for communication, encryption and interconnection with other devices or peripherals.
Meeting DHS Standards
The best way to ensure strong cybersecurity in IoT devices is to ensure that security is built into the device from the start. That means working with manufacturers who recognize the risks and have taken steps to protect their products.
One example is to look for products that incorporate strong device hardening features, meaning they offer appropriate security features and can be hardened and updated through firmware, and that policies are in place to mitigate risk from vulnerabilities. Many manufacturers provide a hardening guide to help security professionals and end users navigate the various security features and determine which are appropriate for a particular application.
Some manufacturers protect devices through the distribution channel using a secure boot feature, which halts the boot process if any foreign code is introduced to the device. Another key feature is signed firmware, meaning that when firmware is downloaded from the manufacturer, it is digitally signed. In the unlikely event that someone can reverse engineer or tamper with firmware, digital signatures prevent it from being loaded on the device.
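The signed-firmware check described above, and the authenticated-update requirement in the guidelines, shown as an added example (not code from this article or from any manufacturer). The package layout, function names and the choice of Ed25519 are assumptions made for illustration; the example goes one step beyond the text by also refusing a validly signed but older version.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical firmware package layout used only for this example.
type Update struct {
	Version   uint32 // monotonically increasing release number
	Image     []byte // firmware payload
	Signature []byte // Ed25519 signature over Version || Image
}

var ErrBadSignature = errors.New("firmware signature invalid")
var ErrRollback = errors.New("firmware not newer than installed version")

// signedBytes binds the version to the image so neither can be swapped alone.
func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// SignUpdate is the vendor-side step, run where the private key is kept.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{version, image, ed25519.Sign(priv, signedBytes(version, image))}
}

// VerifyUpdate is the device-side check performed before anything is flashed.
func VerifyUpdate(vendorKey ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(vendorKey, signedBytes(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	u := SignUpdate(priv, 7, []byte("constructed firmware image"))
	fmt.Println("genuine:", VerifyUpdate(pub, 6, u))
	u.Image[0] ^= 0xff // simulate tampering in the distribution channel
	fmt.Println("tampered:", VerifyUpdate(pub, 6, u))
}
```

On a real device the vendor public key would be provisioned at manufacture and the private key would never leave the vendor's signing system.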
Finally, it is important to choose products from manufacturers that stay on top of known vulnerabilities and provide patches and updates to address those risks.
Our nation cannot afford a generation of IoT devices deployed with little consideration for security. The consequences are too high given the potential for harm to our critical infrastructure, our personal privacy, and our economy.
The IoT will only continue to grow, and mitigating risk to the entire ecosystem requires deploying devices only after careful consideration of the potential risks. Given the potential outcomes of cyber breaches, the stakes are simply too high. Therefore, the best advice for securing the IoT may be that any “thing” that cannot be managed under the DHS key capabilities should not be connected to the Internet.