No Internet of Things without strong cyber security

The concept of IoT holds great potential: By connecting millions of devices to the internet we can save time and money and become more efficient, we can offer our customers more convenience, better service and much more. But there is no grand vision without a snake pit of problems. With the Internet of Things comes the Internet of Threats. We need to protect our new network-aware systems and devices. There will be no Internet of Things without a strong focus on cyber security.

Some security experts compare the current state of IoT security with asbestos. They predict that in a few years' time, we will look back asking ourselves “What were we thinking?” Others draw parallels to the World Wide Web of 1994-95, arguing that IoT will be a security train wreck for years before we eventually figure it out.

Messages like these may paint too gloomy a picture of the challenges within IoT, but cyber security is nevertheless crucial, not least because of the close interaction with the physical world. IoT threats can go far beyond well-known, conventional Internet threats like credit card theft. They could disable home security systems, manipulate navigation systems on connected vehicles, disrupt smart medical devices, or knock out entire energy systems.

IoT is speeding up

At MicroDoc we have a broad range of experience and a long track record in IoT security. We continue to see significant demand, in the form of customer inquiries and projects, in the IoT cyber security domain.

It’s no wonder, because IoT is coming at us rapidly. We are connecting more and more devices and systems to the Internet, whether they are industrial control systems, cars, cameras, door locks, fitness trackers, or medical technology. By 2020, the number of installed IoT devices is forecast to grow to nearly 31 billion worldwide. And IoT threats are increasing simultaneously: Experts predict that in 2020 more than 25 per cent of enterprise attacks will involve IoT.

Increasing awareness

Luckily, awareness of the importance of IoT security is increasing. For instance, it was a wake-up call for the IoT business when in 2016 the Mirai botnet succeeded in enslaving millions of devices, including IP cameras and routers, turning them into centrally controlled botnets for Distributed Denial of Service (DDoS) attacks. Mirai variants such as Mukashi are still out there, constantly scanning the web for vulnerable IoT devices and looking for weakly protected machines with factory-default credentials or common passwords.

Moreover, in June 2020 the largest independent consumer body in the UK revealed that 3.5 million cheap wireless cameras produced in China and distributed worldwide could potentially be hijacked by hackers.

New security agenda

So, the picture is quite clear: IoT sets a whole new agenda for cyber security. It is not enough to take security concepts and standards from the world of modern administrative IT and adapt them to this new domain. We must also keep in mind the closeness of IoT to the physical world, as well as the increased complexity and multi-layered nature of many IoT ecosystems. All this requires a multi-level approach to security.

For the sake of clarity, let us divide IoT projects into two distinct categories, each of which requires a different approach. The first category is developing a completely new IoT product from scratch; the second is adapting a legacy system to the new world of IoT.

Greenfield projects

Developing new IoT products is straightforward when seen from a security perspective. Starting from scratch gives you the advantage of incorporating security at an early stage of your design. You can achieve security-by-default by integrating it from the very beginning and keeping an eye on patches, updates, access control, user authentication, etc.

Additionally, greenfield projects allow for a holistic security approach that effectively manages IoT complexity. This involves securing every layer: protecting edge devices and gateways, encrypting data throughout its lifecycle (at rest and in transit), and securing the application layer.

Risk assessment

Another important approach is risk assessment. It helps you channel your security effort into where it is most needed and where it will make the biggest difference. Risk assessment means finding vulnerabilities and threats, estimating the likelihood of the threat to become reality, finding ways to mitigate attacks, and more.

It is crucial that risk assessment is done for the complete end-to-end value chain of an IoT product or service, bearing in mind that it’s more complex than conventional digital services. An IoT solution will typically be blending technologies, devices, software, connectivity, data storage, etc., so there is much to consider. For example, a device with robust hardware security may still be vulnerable if the associated application is poorly designed. Similarly, a flawless device and app combination can still be compromised by security gaps in the chosen cloud storage provider.

Risk assessment is becoming a cornerstone of IoT development, mandated by emerging standards and legislation that require a holistic, risk-based approach to security. This strategy enables organizations to optimize resource allocation and direct their security budgets toward the most critical vulnerabilities.
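The risk-assessment section above describes a process (find threats, estimate likelihood and impact, weigh mitigations) and stresses that the weakest link in the end-to-end chain decides the outcome. The following is an added example, not MicroDoc's code or method: a small risk register in Python for a hypothetical connected camera whose threats, 1-to-5 ordinal scales, mitigation costs and component names are all constructed for illustration. It scores each threat as likelihood times impact, takes the end-to-end risk as the maximum over components (a hardened device does not offset a weak app or cloud bucket), and orders mitigations by risk reduction per unit of cost, which is how "channel the effort where it makes the biggest difference" becomes a concrete ranking.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Threat:
    component: str      # where in the end-to-end chain: device, app, cloud, ...
    description: str
    likelihood: int     # 1 (rare) .. 5 (expected); ordinal scale chosen for illustration
    impact: int         # 1 (negligible) .. 5 (severe)

    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Mitigation:
    threat_index: int   # index into the threat list it addresses
    description: str
    new_likelihood: int # likelihood once the mitigation is in place
    cost: int           # relative effort units


# Constructed register for a hypothetical connected camera: strong device, weaker app and cloud.
THREATS: List[Threat] = [
    Threat("device", "key extraction from the secure element", likelihood=1, impact=5),
    Threat("app", "companion app accepts the factory default password", likelihood=4, impact=5),
    Threat("cloud", "video bucket readable without authentication", likelihood=3, impact=4),
]

MITIGATIONS: List[Mitigation] = [
    Mitigation(0, "add tamper-response wiping to the secure element", new_likelihood=1, cost=5),
    Mitigation(1, "force a password change on first use and add lockout", new_likelihood=1, cost=3),
    Mitigation(2, "make the bucket private and issue short-lived access tokens", new_likelihood=1, cost=1),
]


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest risk first."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def chain_risk(threats: List[Threat]) -> Tuple[Dict[str, int], int]:
    """Per-component worst case and the end-to-end figure.

    The chain is only as strong as its weakest link, so the end-to-end risk is the
    maximum over components rather than an average.
    """
    per_component: Dict[str, int] = {}
    for t in threats:
        per_component[t.component] = max(per_component.get(t.component, 0), t.risk())
    return per_component, max(per_component.values())


def prioritise(threats: List[Threat], mitigations: List[Mitigation]) -> List[Tuple[float, int, Mitigation]]:
    """Order mitigations by risk reduction per unit of cost, largest first."""
    scored = []
    for m in mitigations:
        t = threats[m.threat_index]
        reduction = t.risk() - m.new_likelihood * t.impact
        scored.append((reduction / m.cost, reduction, m))
    return sorted(scored, key=lambda s: s[0], reverse=True)


if __name__ == "__main__":
    per_component, end_to_end = chain_risk(THREATS)
    print("per component:", per_component, "end-to-end:", end_to_end)
    for ratio, reduction, m in prioritise(THREATS, MITIGATIONS):
        component = THREATS[m.threat_index].component
        print(f"{ratio:4.1f} reduction/cost  -{reduction:2d}  {component}: {m.description}")
```

With these constructed numbers the cloud fix comes first (8 points of reduction for 1 unit of effort), the app fix second, and further hardening of the already strong device last, since it buys no reduction at all: exactly the "device is fine, app and cloud are not" situation the text describes.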

Legacy systems

A whole new challenge arises when we want to adapt older systems to the modern IoT world. Bringing systems developed 20 or 30 years ago into the new world of IoT requires a lot of consideration regarding security.

Quite understandably, the companies responsible for these systems want to give their customers access to the new business opportunities coming from IoT. As an example, manufacturers of ship engines and other heavy-duty ship equipment are looking for ways to bring their machinery online, thus creating new possibilities for service and maintenance. But enabling access to and connectivity with these legacy systems over the internet, from everywhere and from a wide range of devices, means exposing them to a new world of security risks. Connecting to the Internet means connecting to potential cyber threats.

Low level of security

This is particularly challenging, as these legacy systems are “born” with an exceptionally low level of security, both in terms of the way they have been developed and the way they are maintained. Now they have to be aligned to the modern cyber security world and to meet state-of-the-art requirements for patching, updates, password protection, etc. That is a major challenge.

The companies responsible for these legacy systems are probably not in the habit of issuing security patches, because they were never required to do so. Patches were released only when there was a requirement, such as new functionality.

Making legacy systems that were never intended to work with any kind of security comply with modern security requirements is a complex task. But it has to be done, because all the advantages coming from connectedness will turn into threats if we are unable or unwilling to ensure the confidentiality, integrity and availability of these systems.

IoT vulnerabilities

Patching

Patches are not released with the same frequency as is common in the IT world. That leaves vulnerabilities in the system for a long time before patches are sent out to fix the problem. Or worse: some devices are not designed to receive patches or updates at all.

Weak Passwords

Some IoT devices have only 4-, 5- or 6-digit passwords, and this lack of complexity means they are easily breakable. Furthermore, many devices lack the option to modify administrative credentials, leaving them vulnerable to exploits using default usernames and passwords that are widely documented online.
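To make the "4-, 5- or 6-digit password" point measurable, here is an added example (not MicroDoc's code; the device policies, the 40-bit threshold and the 10-guesses-per-second rate are constructed assumptions). It describes a device's credential handling as data and reports what a reviewer would flag: entropy of the keyspace, whether the factory default can be changed at all, and the average time an online guesser needs to reach a random credential, with and without a lockout. The lockout matters because it caps the sustained guess rate, which turns the same 6-digit PIN from under a day into roughly a year of effort; it does not, however, rescue an unchangeable default that is documented online.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class CredentialPolicy:
    """How a device handles its administrative credential (constructed description)."""
    name: str
    min_length: int
    alphabet_size: int                    # 10 for digit-only PINs, 62 for mixed-case alphanumerics
    can_change_default: bool              # can the owner replace the factory-set credential?
    lockout_after: Optional[int] = None   # failed attempts before a lockout; None = no lockout
    lockout_seconds: int = 0              # length of the lockout window


def entropy_bits(policy: CredentialPolicy) -> float:
    """Bits of entropy for a uniformly random credential under this policy."""
    return policy.min_length * math.log2(policy.alphabet_size)


def expected_exhaust_seconds(policy: CredentialPolicy, attempts_per_second: float = 10.0) -> float:
    """Average time for an online guesser to reach a random credential (half the keyspace).

    A lockout caps the sustained guess rate at lockout_after guesses per lockout window,
    which is why it matters even when the keyspace itself is small.
    """
    half_keyspace = (policy.alphabet_size ** policy.min_length) / 2
    rate = attempts_per_second
    if policy.lockout_after is not None and policy.lockout_seconds > 0:
        rate = min(rate, policy.lockout_after / policy.lockout_seconds)
    return half_keyspace / rate


# Threshold below is an assumption chosen for illustration, not a published standard.
MIN_ENTROPY_BITS = 40


def assess(policy: CredentialPolicy, attempts_per_second: float = 10.0) -> dict:
    """Return the findings a reviewer would raise against this credential policy."""
    findings = []
    bits = entropy_bits(policy)
    if not policy.can_change_default:
        findings.append("factory default cannot be changed: treat the credential as public")
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"keyspace too small: {bits:.1f} bits of entropy")
    if policy.lockout_after is None:
        findings.append("no lockout or rate limit on failed logins")
    return {
        "name": policy.name,
        "entropy_bits": round(bits, 1),
        "days_to_exhaust": expected_exhaust_seconds(policy, attempts_per_second) / 86400,
        "findings": findings,
    }


# Constructed sample policies: a camera with a fixed 6-digit PIN, the same PIN behind a
# lockout of 5 attempts per 5 minutes, and a gateway enforcing a 12-character mixed password.
PIN_NO_LOCKOUT = CredentialPolicy("camera-pin", 6, 10, can_change_default=False)
PIN_WITH_LOCKOUT = CredentialPolicy("camera-pin-lockout", 6, 10, can_change_default=True,
                                    lockout_after=5, lockout_seconds=300)
STRONG_PASSWORD = CredentialPolicy("gateway-password", 12, 62, can_change_default=True,
                                   lockout_after=5, lockout_seconds=300)

if __name__ == "__main__":
    for policy in (PIN_NO_LOCKOUT, PIN_WITH_LOCKOUT, STRONG_PASSWORD):
        print(assess(policy))
```

The assessment is meant as a procurement or design-review check: a device that fails the "can the default be changed" question is a finding regardless of what the other numbers say.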

Communication

Is communication from the device encrypted, and if yes, is encryption strong enough? Is it encrypted both in transit and at rest?

Faulty software

When you develop your IoT product, it may be a good idea to reuse software developed by others. However, you have to check that the software you are reusing is without security flaws, and that you are using the newest version of that code.
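Checking that reused software "is without security flaws, and that you are using the newest version" is something you can automate against a bill of materials. The following is an added example, not MicroDoc's code: a Python check that compares a constructed SBOM for a hypothetical firmware image against a constructed advisory feed and a constructed list of latest releases (component names, versions and advisories are all illustrative, not real packages or CVEs). It also shows the classic pitfall such checks must avoid, comparing version strings lexically, where "2.10.0" sorts before "2.9.1" and a patched component would be misreported.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2), so that versions compare numerically.

    Comparing version strings lexically is a classic mistake: '2.10.0' < '2.9.1' as
    strings, which would flag a patched component as vulnerable (or miss a vulnerable one).
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str      # first version that contains the fix
    summary: str


# Constructed software bill of materials for a hypothetical firmware: (component, pinned version).
FIRMWARE_SBOM: List[Tuple[str, str]] = [
    ("libtls-demo", "1.2.3"),
    ("json-parse-demo", "0.9.0"),
    ("mqtt-client-demo", "2.10.0"),
]

# Constructed advisory feed; the summaries are illustrative, not real CVEs.
ADVISORIES: List[Advisory] = [
    Advisory("libtls-demo", "1.2.5", "certificate validation bypass, fixed in 1.2.5"),
    Advisory("json-parse-demo", "0.9.0", "stack overflow on deeply nested input, fixed in 0.9.0"),
    Advisory("mqtt-client-demo", "2.9.1", "unauthenticated topic subscription, fixed in 2.9.1"),
]

# Constructed "newest release" table, as a package index would report it.
LATEST_RELEASE: Dict[str, str] = {
    "libtls-demo": "1.2.7",
    "json-parse-demo": "0.9.0",
    "mqtt-client-demo": "2.10.0",
}


def find_vulnerable(sbom, advisories):
    """Components pinned below the fixed version of any advisory that names them."""
    hits = []
    for component, version in sbom:
        for adv in advisories:
            if adv.component == component and parse_version(version) < parse_version(adv.fixed_in):
                hits.append((component, version, adv))
    return hits


def find_outdated(sbom, latest):
    """Components behind the newest release, even if no advisory names them yet."""
    return [
        (component, version, latest[component])
        for component, version in sbom
        if component in latest and parse_version(version) < parse_version(latest[component])
    ]


if __name__ == "__main__":
    for component, version, adv in find_vulnerable(FIRMWARE_SBOM, ADVISORIES):
        print(f"VULNERABLE {component} {version}: {adv.summary}")
    for component, version, newest in find_outdated(FIRMWARE_SBOM, LATEST_RELEASE):
        print(f"OUTDATED   {component} {version} -> {newest}")
```

Run on the constructed data, only libtls-demo is reported, both as vulnerable (1.2.3 is below the 1.2.5 fix) and as outdated (1.2.7 is available); mqtt-client-demo at 2.10.0 is correctly left alone even though its string sorts below the 2.9.1 fix version. A real check would feed the same two functions from an SBOM exported by the build and an advisory database, and run in CI on every build so the "newest version" question is answered continuously rather than once at release time.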

End-of-life

What happens if the component or device you are using reaches end-of-life and is not supported by the supplier anymore?

Privacy protection

Do you have any data about your user stored on the device? What about third party integrations?

Only one layer of security

A single layer of defense is inherently insufficient. Robust protection requires a ‘defense-in-depth’ strategy, employing multiple, redundant security layers to safeguard critical data and system integrity.

The need for security standards

The vast majority of IoT devices, and of devices used in ICS (Industrial Control Systems), do not follow, and were not designed to follow, security standards or guidelines. This means that we’ll need to “pave the road while we drive it” (i.e. design and implement security during implementation, instead of during the design of the products or early in the products’ lifecycle).

Some security standards already exist, such as IEC 62443, while others will soon be developed at the European level by ENISA (the European Union Agency for Cybersecurity) and by ISO (the International Organization for Standardization), for example. These will become available in the years to come.

More pro-activity needed

Luckily, awareness regarding cyber security is rising. The media is publishing cybercrime stories on an almost daily basis, and manufacturers and service providers face considerable pressure from both customers and government regulators if they are found neglecting their security responsibilities.

But still, we see more reactivity than pro-activity. All too often, security experts or tech-savvy users are the ones who find and publish security flaws. Only then do manufacturers fix the problem, and by that time the damage has already been done, possibly considerable damage at that.

In the coming years, we will be witnessing numerous incidents in which IoT devices are used for cyber-attacks or in which customer data has been compromised. The companies affected will react in retrospect, but ideally it should be the other way around. With high security standards and heightened awareness, we will – hopefully soon – get to a point, where reacting in retrospect is rare and where heightened awareness will keep incidents to a minimum.

Well-known dilemma

However, the well-known dilemma between convenience and security will continue to challenge companies, developers as well as cyber security experts. The old saying about password complexity also applies to IoT security: the longer and more complex, the more secure, but the more tiresome as well.

On the one hand companies and customers want convenience and ease-of-use. They want devices and services available at their fingertips without the hassle of security procedures. On the other hand, we have the security experts pushing for confidentiality, integrity, and availability. The tricky thing is to find the balance between these two considerations.

But when you consider this dilemma more closely, you will find that there is no getting around security. While the primary drivers for IoT adoption are often efficiency and convenience, security soon emerges as the critical enabler. By prioritizing protection, organizations gain the confidence to pursue their core objectives: streamlining operations, reducing costs, and delivering outstanding service.


Need help securing your IoT ecosystem? Learn about our Certificate Dashboard for automated certificate management, or contact our security experts to discuss your IoT security requirements.