1(630)802-8605 Ravi.das@bn-inc.net

Everyone loves IoT devices for their smartness, convenience and utility. However, there are a range of questions around security and privacy that need solutions.

  • Are you sure about how secure are they?
  • Do they offer privacy for the data they collect from us?
  • Are they vulnerable to hacking?
  • What happens if you lose your IoT device like wearables and they are hacked for mining personal data?
  • Does the vendor of the device give us guarantees about building secure devices? Are they following a common IoT security standard?
  • Do we have an industry standard for secure IoT devices?
  • Do we have definitive answers for these in today’s threatscape scenario?

Honestly, answers are hard to come by. If at all, they come in bits and pieces. Only few IoT device manufacturers care about secure IoT. Otherwise, literally we are staring at the Internet of Insecure Things!

IoT Security Challenges

 

Both industry and consumers are gung-ho about the convenience and utility offered by various IoT devices. However, the challenges are serious from security and privacy risk perspective. Here’s a list of the key ones:

  1. Large distributed device sprawl

 

  1. Very large attack surface area

 

  1. Variety of data in transition

 

  1. Physical accessibility of connected devices

 

  1. Number of vendors for devices

 

  1. Nature of devices making it easy to simulate/fake them

 

All the above points are self-explanatory and doesn’t require any further elaboration. The key point here is the lack of widespread adoption of a common IoT security standard across the OEM players and awareness of such emerging standards.

The newly released NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risk1 publication is a step in the right direction. However, awareness and adoption of these considerations by the players in the IoT ecosystem remains to be seen.

IoT Security Risks

 

This popular picture from the Internet captures the different security risks for IoT devices across many applications.

IoT Security Principles

IoT Analytics2 has classified the key security principles as below:

  1. Secure Device (Hardware) – Users and Devices

Here user could represent a person, device, system or application. Building in security at hardware level is critical. As devices are built to last 10+ years, the security challenges that could evolve over a long period of time need to be reasonably tackled. Device intelligence and edge processing are the key security principles at the hardware level and these could be achieved through different security components like secure booting, chip security, device identity and authentication, controls for data at rest, etc

  1. Secure Communication – Gateway and Connection

Device initiated communication and message control principles are to be followed by having end to end encryption, firewall, IDS, IPS and access control.

  1. Secure Cloud – Cloud and Applications

Identification, authentication and encryption (to protect against insecure communication) are key principles relating to secure cloud and these could be achieved by unified threat management (UTM) solutions, platform and application integrity verification and controls for data at rest.

  1. Secure Lifecycle Management – Remote control and update of devices

This is a vast area that needs to be managed with an array of security components – risk assessment, auditing, activity monitoring, updates and patches, secure decommissioning, etc. Security monitoring of IoT devices should cover device physical protection, data protection, security zoning, IoT network protocols, device and user identity and device authentication.

Privacy Considerations

With different privacy regimes coming into effect, the privacy requirements for IoT devices collecting, processing and storing data got a lot more stringent. Here’s a brief list of key considerations for privacy in IoT devices:

  1. Go Minimal:

Collect as minimal data as possible suiting the requirements.

  1. Consent:

Obtain explicit consent before collecting personal data by stating the specific purpose and consent should be freely given and unambiguous

  1. Pseudonymise:

Replace personal data with an identifier

  1. Be Transparent:

Inform upfront as to the need for collecting personal data

  1. Access Authorization:

Ensure access to personal data is authorized only for the purpose for which it is collected and consent obtained

  1. Monitor:

Keep monitoring the health of data collection processes and ensure it is used for the purpose for which it is obtained

  1. Give Customers Control:

Provide control to the customer and ensue their rights are upheld – right to be forgotten, right to stop processing and data portability

To ensure privacy requirements are in-built, it is critical that IoT device manufacturers and software developers adopt privacy by design in their development processes with stringent testing and quality checks before release.

Endspeak

While there is no single silver bullet that would fix all IoT security issues, yet following the security best practices, adopting secure by design principles and robust awareness around the security risks by the stakeholders will go a long way in addressing the security issues and help delivering reasonably secure IoT devices.

Note: Picture copyright with respective owner

Written By: Ram Kumar

References:

    1. https://www.nist.gov/news-events/news/2019/06/considerations-managing-internet-things-iot-cybersecurity-and-privacy-risks

     

    1. https://iot-analytics.com/