Security is critical to any successful software implementation. Especially recently, security breaches have received more and more press, and major data breaches have become PR nightmares for the companies involved. If there’s anything that these high profile security breaches have taught us, it’s that security cannot be an afterthought for your organization. So what do you need to know before launching an IoT initiative? Below is a list of the top four security problems in IoT and their potential solutions.
Problem 1: IoT may increase your attack surface. Any device you add is another potential entry-point for a hacker. A hacker could potentially compromise / seize control of one of your devices, and could attempt to use it to access your systems.
The Solution: Use a pessimistic security strategy. All devices and service accounts need to be configured to have the minimum amount of permissions possible to perform their tasks. Only allow access for what is necessary. This can be configured in device-to-device firewalls, in your service account security settings, and in on-device firewalls.
Problem 2: Devices cannot always be stored in secure facilities. In some cases, you may need an IoT device to monitor something outside of your secure buildings. How do you prevent physical tampering? How do you stop someone from walking up to your devices and plugging in a USB drive to install malicious software?
The Solution: Monitoring, logging, and operating system-level security. Any actions that the device takes can be logged. Device up-time, down-time, and overall health should be monitored. Device operating systems should be configured for secure boot, which will require all software to be signed and validated when starting up to ensure authenticity. Any software that cannot be validated should not be allowed to run, which will prevent malicious programs from running.
Problem 3: IoT devices are autonomous – nobody is present to enter credentials. IoT devices might be asked to execute commands on demand. Since they are designed to be autonomous and not require user interaction, the devices need to decide whether a command should actually be executed or not.
The Solution: Treat devices like external users. All devices should be required to connect to your network just like any external user – with an authentication method that can prove that the device is who / what it claims that it is. Be careful not to share one account for all of your devices however; the goal is to establish accountability or traceability. Pair this with a pessimistic security strategy as discussed above.
Problem 4: Not many standards exist in IoT. As an emerging technology, many devices and their packaged software use their own ports and protocols. How do you deal with all of these different approaches in your IoT implementation in a secure manner?
The Solution: Use accepted standards where possible, and add device-level security. Sending data from a device to your infrastructure can be done using standards that have emerged from service orientation (REST for example). For non-standard protocols or non-standard ports, the software itself is the only thing that really knows how to detect suspicious packets / data. IoT devices need to have their own security layer to identify and reject suspicious or abnormal requests. Server-to-server firewalls will be required as well, but an on-device firewall will also be a must.
Security cannot be an afterthought. IoT is an emerging technology, which means security will not be guaranteed with out-of-the-box enterprise implementations. Remember to consider security early on in the process of launching an IoT implementation, and always consider your “what if?” scenarios. Emerging technology does not have to be frightening, but it does need to be strategic.
About Michael Pumper
Mike Pumper is a senior consultant at Sogeti since 2011. Through working with clients, Mike has gained experience in a variety of topics at many levels of expertise. He started his career at Baxter Healthcare as a Java / Spring developer, working closely with the business to develop a portal application. Mike started at National Merit Scholarship Corporation late in 2011 as a technical lead and solution architect, overseeing a small team that created a critical internal Java / Spring application that is still in use by the business today.
More on Michael Pumper.