The proliferation of IoT is multi-faceted. On the one hand, it enables a new wave of automation. On the other hand, it poses serious security challenges for enterprise security. Since many IoT devices are expected to function in an open environment outside corporate perimeters, it opens new ways to carry out an attack. Here are some important aspects that we need to consider when planning for IoT security.
Inadequacy of current setups
The current standard approach to IT security assumes that critical assets are inside a multi-layered protected environment that can be guarded using various tools and techniques. On the industrial side, the OT systems try to defend by additionally using air gapping techniques. However, when IoT enters the picture, both approaches look inadequate because now critical assets are not within the layered walls but can very well be in public places and remain unprotected. Also, air gapping is no longer an option for systems that are expected to be constantly connected to the internet.
New threats emerging from the advent of IoT
The whole ecosystem can be classified into four areas:
- The IoT hardware and its surrounding ecosystem
- The connectivity between the premises/edge and the cloud
- The cloud infrastructure endpoints
- The end-user application software stacks, web, and mobile.
Common motives behind attacks on IoT systems include:
- Data theft and data corruption
- Leveraging devices for botnet-type DDoS attacks (on the same or different organizations)
- Spying, wiretapping, etc. monitoring-type activities
- Breaking into the main network for further exploitation.
While aspects of cloud infrastructure security and application software security are more generalized and much explored, the other two aspects of IoT hardware and data transport present unique challenges.
Until recently, sensor-connected hardware was buried deep within industrial systems and equipment, isolated from the external world, and a kind of niche domain. It was air-gapped from the main network to ensure safety and security.
However, since electronics manufacturing is very inexpensive today, this sensor-connected hardware is everywhere. Something that once was niche is now being used publicly. And while it started a whole new industry, it also created the following risks:
- Too many standards from many competing organizations make it difficult to implement and integrate with the surrounding ecosystem. This makes security implementation cumbersome.
- The hardware, for example in smart cities, is in open public places and that leads to multiple challenges.
- IoT hardware is generally resource-constrained in terms of power, memory, processing capacity, etc. This makes it difficult to run sophisticated algorithms.
- The huge number of devices scattered across many locations, both stationary and mobile, creates unique challenges in device management and security operations.
- End users are not yet fully aware of the security aspects of IoT devices.
Networking and transport-related challenges
The second aspect concerns connectivity between the hardware endpoint and the data destination, which is typically somewhere in the cloud. Although sensor systems are capable of sending data directly to the cloud over the internet, there is often a hub/edge/gateway that collates data between multiple IoT systems and sends it to the cloud. The security of this hub plays a very important role since it can expose multiple devices to attack at the same time.
Major risks in this area can come from:
- Unsecured protocols and other trade-offs resulting from device limitations and software development challenges in embedded programming
- Unsecured hub/gateway/aggregator devices that often have unsafe defaults set by manufacturers
- Unsecured/vulnerable computing infrastructure that processes/aggregates data from multiple hubs.
Gartner predicts in this article that the financial impact of attacks on the cyber-physical system will exceed USD50 billion by 2023.
According to F–Secure, in the first half of 2019, 2.9 billion attacks on IoT devices were recorded on honeypots globally. That’s a 300% increase compared to H2 2018. Versions of Mirai botnet still dominate the IoT landscape and are a major factor behind increasing DDoS attacks.
According to this Forrester report, 67% of enterprises in North America have experienced security incidents involving IoT devices. At the same time, only about 21% of security professionals feel that their current security controls are adequate.
Attack frequencies are so high that it takes just five minutes for an IoT device to face attacks after it connects to the internet, according to this NETSCOUT Threat Intelligence report.
The way forward
These aspects call for a new, converged approach to security. Along with the traditional aspects of layered security, some additional aspects would come into the picture in the case of IoT systems that combine IT and OT under a single umbrella:
- Secure architecture assessments to help ensure that the software and hardware aspects are hardened properly and that security is built into the system.
- Enterprise threat landscape assessments to cover the business, functional, technical, and infrastructure aspects to identify current security vulnerabilities
- It starts with selecting a vendor for your IoT devices, keeping in mind the defaults set and built-in security features
- Secure development practices that make the best use of available device capabilities for the protection of onboard data and use secure transmission protocols
- Ability to track and manage software and hardware versions of tens or potentially hundreds of thousands of devices in the field
- Ability to analyze a huge amount of data flowing in leveraging AI-ML if needed to identify and isolate rogue devices.
While we can see individual solutions to these aspects, there is a deeper need for a comprehensive solution.
One such solution is Capgemini’s Secure IoT/OT Services platform, which offers end-to-end security for IT and OT systems and covers all the above aspects. This solution is complemented by the GenX DecSecOps platform, which ensures safety on the software development side and the X-IoT platform, which makes it possible to securely ingest the huge amount of incoming sensor data.
Our experts can also help ensure safety through a gamut of services that will help you not only defend against but also proactively prepare for and monitor and mitigate new threats as they emerge. A team of cloud experts can smoothen the process of tightening IoT security if you choose to leverage the IoT services provided by cloud providers such as AWS, Azure, Google, or IBM.
The challenge of IoT security calls for an all-encompassing approach such as this and it calls for an expert implementation partner to ensure complete success.
Please contact us with questions about this article.
To find out more about how we can help you, visit our cybersecurity services page.