Towards More Enterprise Security for IoT


Internet of Things (IoT) devices will bridge the gap between the physical and digital worlds to improve the quality and productivity of life, society, and industries. Based on research by Business Intelligence, the enterprise IoT sector will have an estimated 9.1 billion connected IoT devices by 2019, which will make it the largest of the three main IoT sectors (enterprise, home, and government).

The upside is that we are able to do things we never before imagined. The downside is that IoT is becoming an increasingly attractive target for cybercriminals: Gartner predicts that more than 25 percent of identified attacks in enterprises will involve IoT by 2020.

Enterprises should consider investing in IoT devices that have built-in security features to strengthen the protection and integrity of the device. For example, the device should force the user to replace the default password with a stronger one before the device is put into use. Moreover, sensors should have built-in chips that integrate security at the transistor level, embedded in the processor, to provide encryption and anonymity. All critical sensors should be configured to run only signed code at the firmware and application levels, so that a malicious attack cannot overwrite code after it is loaded.

In order to automatically authenticate trusted activity among networked sensors, enterprises can configure their IoT network to use a blockchain model to help prevent man-in-the-middle attacks.

On the transport side, anyone capable of eavesdropping on IoT communication might access the information exchanged, since data might be transmitted in plain text. Companies can apply DTLS, a variant of TLS, to encrypt data on low-power devices that operate intermittently between sleep cycles.

IoT connected devices collect personal information, user behavior, and location data over time that might allow companies to digitally monitor our private activities. This collected data might be exploited in different ways, ranging from simple advertisement spamming to tracking user routes and habits to create a behavior profile. Companies should follow data minimization privacy principles: collect only the data needed for a specific purpose and then safely dispose of it afterward.

Collecting and retaining large amounts of data greatly increases the potential harm that could result from a data breach.

Privacy should also be established at the communication level: devices should communicate only when there is a need. In 3GPP machine-type communications, after a period of inactivity the devices detach from the network in order to avoid unnecessary collection of location information. Finally, privacy should be protected at data storage by storing the least possible amount of information and releasing it only on the basis of urgency and need to know.

Standards bodies and industry experts must begin formulating suitable guidance and identifying the right security and privacy rules in order to establish solid trust. A few standards and best practices are being drafted for IoT security design and testing, such as the National Institute of Standards and Technology's Guidelines for Smart Grid Cyber Security.

The next logical step is to extend these drafts to IoT governance. The difficulty is that the high number and heterogeneity of technologies and devices in the IoT require even more specific, and more complex, governance solutions and approaches. IoT users should also be given clear and simple notice of the proposed uses of their data and a way to consent.

Many IoT devices are intentionally designed without any ability to be upgraded, or the upgrade process is impractical. Wireless update capabilities must be built into IoT devices before they leave the factory. Such over-the-air update capabilities, covering both application and firmware updates, are crucial to maintaining a strong security posture. Recently, Tesla used its over-the-air update process to complete a software fix after an alert from the National Highway Traffic Safety Administration that a charger plug needed to be fixed because it had caused fires.
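The two recommendations above, running only signed firmware and shipping it over the air, meet in the device-side check that accepts an update. The following is an added example, not code from the article or from any vendor: a Go verifier that accepts an image only if its Ed25519 signature checks out under the key provisioned on the device and its version is newer than the installed one (so a signed but older, vulnerable image cannot be pushed back). The image layout and the key type are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout, an assumption for this example rather than any vendor's format:
// 4-byte magic | 4-byte big-endian version | payload | 64-byte Ed25519 signature over the rest.
var magic = []byte("FWv1")

// FirmwareVerifier holds the vendor public key provisioned on the device and the
// installed version, which is used to refuse rollback to an older signed image.
type FirmwareVerifier struct {
	PubKey         ed25519.PublicKey
	CurrentVersion uint32
}

// Verify returns the payload and version of an authentic, newer image; anything else is rejected.
func (v FirmwareVerifier) Verify(image []byte) ([]byte, uint32, error) {
	if len(image) < 8+ed25519.SignatureSize {
		return nil, 0, errors.New("image too short")
	}
	body, sig := image[:len(image)-ed25519.SignatureSize], image[len(image)-ed25519.SignatureSize:]
	if !bytes.Equal(body[:4], magic) {
		return nil, 0, errors.New("bad magic")
	}
	// Authenticate the whole body before trusting any header field.
	if !ed25519.Verify(v.PubKey, body, sig) {
		return nil, 0, errors.New("signature check failed")
	}
	ver := binary.BigEndian.Uint32(body[4:8])
	if ver <= v.CurrentVersion {
		return nil, 0, fmt.Errorf("rollback refused: image %d, installed %d", ver, v.CurrentVersion)
	}
	return body[8:], ver, nil
}

// BuildImage is the vendor-side signing step, included only so the example runs stand-alone;
// a real device holds the public key only.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := append([]byte{}, magic...)
	var verBytes [4]byte
	binary.BigEndian.PutUint32(verBytes[:], version)
	body = append(append(body, verBytes[:]...), payload...)
	return append(body, ed25519.Sign(priv, body)...)
}
```

On a constrained device the same check belongs in the bootloader, with the public key in write-protected storage, so that an update accepted by the application layer is re-verified before it is executed.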

However, for smaller IoT devices, other challenges prevent over-the-air updates because of constraints in resources and processing power. One suggested solution to these constraints is the Open Mobile Alliance Device Management Software Component Management Object (OMA-DM-SCOMO) standard. This standard supports multiple communication elements on the IoT device to help deploy smaller software updates for certain types of application or firmware images.
