A recent global study revealed that IoT will “soon be widespread”, as 85 percent of businesses plan to implement IoT by 2019, driven by a need for innovation and business efficiency.
The research questioned 3,100 IT and business decision makers across 20 countries, including the US, the UK, France, Germany, Italy and Spain to evaluate the current state of IoT and its impact across different industries. But the report, commissioned by WiFi systems vendor and Hewlett Packard Enterprise subsidiary Aruba, cautioned that connecting thousands of things to existing business networks has already resulted in security breaches for the majority of organisations.
The study found that 84 percent of organisations have experienced an IoT-related security breach. More than half of respondents declared that external attacks are a key barrier to embracing and adopting an IoT strategy. So where are we with IoT security standards and how can companies mitigate the risks now?
Chris Kozup, vice president of marketing at Aruba, says: “While IoT grows in deployment, scale and complexity, proper security methodologies to protect the network and devices, and more importantly, the data and insights they extract, must also keep pace. If businesses do not take immediate steps to gain visibility and profile the IoT activities within their offices, they run the risk of exposure to potentially malicious activities.”
A growing problem – the IoT hacks that hit the headlines
2010: Stuxnet virus vibrates centrifuges in Iran nuclear plant
2011: Hacker takes wireless control of insulin pumps
2014: Hackers manage to commandeer hundreds of webcams and baby monitors
2015: Researchers remotely take over and crash a Jeep Cherokee
2015: Attack on Ukrainian power grid leaves 225,000 people without power
2015: Plane flight controls hacked via in-flight entertainment system
2016: Smart thermostats are hacked to host ransomware
2016: Mirai botnet spreads DDoS attacks using compromised IoT devices, including CCTV cameras and printers
The move to standards
A major problem for those deploying IoT systems is that universal security standards do not yet exist, which makes it difficult for organisations to ascertain whether the hardware, software and outside help they bring in meet, and keep meeting, an effective level of security. As bodies including the International Organisation for Standardisation (ISO), the International Electrotechnical Commission (IEC), the European Telecommunications Standards Institute (ETSI) and mobile industry association the GSMA, among others, work on the security standards users need, it is important that organisations show careful due diligence as part of their IoT roll-out plans.
Another major issue for IoT security standards is the differences between the industries the devices are used in, which makes relying on a single set of standards difficult. A connected coffee machine has different requirements from a pacemaker, which has different requirements from a car, and so on. As a result, some industries are moving ahead with their own initiatives. The Industrial Internet Consortium came up with its own framework for Industrial IoT security towards the end of 2016, and in the automotive industry the Society of Automotive Engineers made some progress with the release of its Cybersecurity Guidebook for Cyber-Physical Vehicle Systems. In addition, the healthcare industry alliance HITRUST is aiming to improve protection of medical devices with the release of its Common Security Framework.
While such bodies do this, other industry partnerships are springing up to help kick-start the move to improved IoT security standards. For instance, the prpl Foundation and the IoT Security Foundation (IoTSF), two not-for-profit organisations backed by technology vendors, chip makers and other organisations, are co-operating on projects that put “security by design” into the IoT.
John Moor, managing director of the IoT Security Foundation, said: “There are many challenges ahead and industry must work together to agree on ethics as well as standards. Both IoTSF and prpl agree that security must be forged into the design of embedded computing devices, and therefore collaborating on joint projects and complementing each other’s work can only be viewed as a positive for society as a whole.”
The need for truly embedded security is highlighted by prpl in response to recently discovered IoT flaws in Samsung SmartCam security cameras. Cesare Garlati, chief security strategist at the prpl Foundation, said: “The Samsung SmartCam security failures are typical of ones that we see time and again in IoT, namely a lack of knowledge or expertise when it comes to embedded connected devices. This was demonstrated by the fact that these SmartCams were designed with an embedded web server that had been disabled, yet the actual service behind it was still running – and its TCP port left open [which could be used to spread attacks by hackers].”
Garlati went on: “In addition, the service itself was allowed to run in root mode, which defies the security controls built in by Linux that would make sure it is not possible to attack one service to control the entire service. This should have been picked up in the testing phase of development, but again, clearly that is another area that was overlooked.”
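The SmartCam failures described above, a daemon still listening on an open TCP port after its feature was switched off, and running as root, are exactly what a device-level listener audit should catch before a product ships. The following script is an added example, not code from the article, prpl or Samsung: it parses constructed `ss -tlnpe` output (assuming ss prints `uid:N` only for non-root sockets, so a missing field means uid 0) and checks it against a hypothetical device policy; the ports, process names and uids are all assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in `ss -tlnpe` layout (not captured from a real device).
# Assumption: ss omits the uid field for root-owned sockets, so no uid == uid 0.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=812,fd=3)) ino:18262 sk:1
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*  users:(("httpd",pid=901,fd=4)) ino:19001 sk:2
LISTEN 0      128    0.0.0.0:1900       0.0.0.0:*  users:(("mdnsd",pid=950,fd=5)) uid:1002 ino:19010 sk:3
LISTEN 0      5      127.0.0.1:5555     0.0.0.0:*  users:(("dbg-agent",pid=999,fd=6)) ino:19100 sk:4
"""

# Hypothetical device policy: port -> (process name, uid it is allowed to run as).
EXPECTED: Dict[int, Tuple[str, int]] = {22: ("sshd", 0)}
# Features the product has "disabled": their daemons must not be listening at all,
# even if the UI hides them (the SmartCam case: web UI off, web service still up).
DISABLED_FEATURES: Dict[int, str] = {80: "httpd"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
    r'(?:\s+uid:(?P<uid>\d+))?'
)

def parse_listeners(text: str) -> List[Tuple[int, str, int]]:
    """Return (port, process, uid) for every LISTEN row; uid defaults to 0 (root)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            uid = int(m.group("uid")) if m.group("uid") else 0
            rows.append((int(m.group("port")), m.group("proc"), uid))
    return rows

def audit(listeners: List[Tuple[int, str, int]]) -> List[Tuple[int, str]]:
    """Compare listeners with the policy and return (port, finding) pairs."""
    findings = []
    for port, proc, uid in listeners:
        if port in DISABLED_FEATURES:
            findings.append((port, "disabled_feature_listening"))
        elif port not in EXPECTED:
            findings.append((port, "unexpected_listener"))
        elif proc != EXPECTED[port][0]:
            findings.append((port, "unexpected_process"))
        # Root is tolerated only for services the policy explicitly allows as uid 0.
        if uid == 0 and EXPECTED.get(port, (None, -1))[1] != 0:
            findings.append((port, "runs_as_root"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_listeners(SAMPLE_SS)):
        print(f"port {port}: {finding}")
```

Run against real `ss -tlnpe` output on a build image, the same checks flag the two defects Garlati describes: a listener for a disabled feature and an unprivileged service running as uid 0.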
No quick fix
Scott Crawford, research director, information security at analyst 451 Research, warns however that much of the valuable work around IoT security currently being done is based on voluntary guidance which might not be adopted by manufacturers. Crawford says: “In many cases, device manufacturers have little to no economic incentive to build security into their devices, especially in consumer IoT.
“To account for this, more aggressive compliance requirements may be necessary. Agencies such as the US Federal Trade Commission (FTC) are already demonstrating their willingness to get more aggressive, as with the FTC’s recently well publicised suit against D-Link for (in the FTC’s words) ‘failing to take reasonable steps to secure their routers and IP cameras’.”
Taking account of all these factors, organisations deploying IoT must look closely at what is happening in their industry when it comes to security, ask the right questions of their IoT technology providers and, where possible, get involved in the process of setting the right standards through trade bodies and the industry ecosystems that are rapidly emerging.
Microsoft has published an IoT Security Essentials guide which is aimed at the whole supply chain:
IoT hardware manufacturers and integrators must:
- Specify hardware to minimum requirements so a device is not capable of doing more than it needs to
- Ensure all hardware is tamper-proof, with no internal or external USB ports, for instance
- Build equipment around secure hardware such as a Trusted Platform Module (TPM)
- Ensure there is a secure path for firmware upgrades
IoT solution developers must:
- Follow secure software development methodology
- Ensure any open-source software you choose has an active community addressing any security issues that may arise
- Integrate with care: check all interfaces of components for security flaws, paying particular attention to superfluous functionality that may be available via an API (application programming interface) layer
IoT solution deployers must:
- Ensure all deployed hardware is tamper-proof – particularly where left unsupervised or in public spaces
- Keep authentication keys safe after the deployment. Any compromised key can be used by a malicious device to masquerade as an existing device
IoT solution operators must:
- Keep the system up to date with the latest operating systems and drivers
- Protect against malicious activity by securing device operating systems with the latest anti-malware capabilities
- Audit the IoT infrastructure often for security-related issues
- Physically protect the infrastructure from malicious access
- Protect cloud authentication credentials by changing passwords frequently, and not logging on from public machines