Everyone loves IoT devices for their smartness, convenience and utility. However, there is a range of questions around security and privacy that need solutions.
- Are you sure how secure they are?
- Do they offer privacy for the data they collect from us?
- Are they vulnerable to hacking?
- What happens if you lose an IoT device such as a wearable and it is hacked to mine personal data?
- Does the vendor of the device give us guarantees about building secure devices? Are they following a common IoT security standard?
- Do we have an industry standard for secure IoT devices?
- Do we have definitive answers for these in today’s threatscape scenario?
Honestly, answers are hard to come by. If they come at all, they come in bits and pieces. Only a few IoT device manufacturers care about secure IoT. Otherwise, we are literally staring at the Internet of Insecure Things!
IoT Security Challenges
Both industry and consumers are gung-ho about the convenience and utility offered by various IoT devices. However, the challenges are serious from a security and privacy risk perspective. Here’s a list of the key ones:
- Large distributed device sprawl
- Very large attack surface area
- Variety of data in transition
- Physical accessibility of connected devices
- Number of vendors for devices
- Nature of devices making it easy to simulate/fake them
All the above points are self-explanatory and don’t require any further elaboration. The key point here is the lack of widespread adoption of a common IoT security standard across the OEM players, and the lack of awareness of such emerging standards.
The newly released NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risk [1], is a step in the right direction. However, awareness and adoption of these considerations by the players in the IoT ecosystem remain to be seen.
IoT Security Risks
This popular picture from the Internet captures the different security risks for IoT devices across many applications.
IoT Security Principles
IoT Analytics [2] has classified the key security principles as below:
- Secure Device (Hardware) – Users and Devices
Here, a user could represent a person, device, system or application. Building in security at the hardware level is critical. As devices are built to last 10+ years, the security challenges that could evolve over a long period of time need to be reasonably tackled. Device intelligence and edge processing are the key security principles at the hardware level, and these could be achieved through different security components like secure booting, chip security, device identity and authentication, controls for data at rest, etc.
- Secure Communication – Gateway and Connection
Device-initiated communication and message control are the principles to follow, implemented through end-to-end encryption, firewall, IDS, IPS and access control.
- Secure Cloud – Cloud and Applications
Identification, authentication and encryption (to protect against insecure communication) are key principles relating to secure cloud and these could be achieved by unified threat management (UTM) solutions, platform and application integrity verification and controls for data at rest.
- Secure Lifecycle Management – Remote control and update of devices
This is a vast area that needs to be managed with an array of security components – risk assessment, auditing, activity monitoring, updates and patches, secure decommissioning, etc. Security monitoring of IoT devices should cover device physical protection, data protection, security zoning, IoT network protocols, device and user identity and device authentication.
With different privacy regimes coming into effect, the privacy requirements for IoT devices collecting, processing and storing data have become a lot more stringent. Here’s a brief list of key considerations for privacy in IoT devices:
- Go Minimal:
Collect as little data as possible to meet the requirements.
Obtain explicit consent before collecting personal data by stating the specific purpose; consent should be freely given and unambiguous.
Replace personal data with an identifier
- Be Transparent:
Inform upfront as to the need for collecting personal data
- Access Authorization:
Ensure access to personal data is authorized only for the purpose for which it is collected and consent obtained
Keep monitoring the health of data collection processes and ensure it is used for the purpose for which it is obtained
- Give Customers Control:
Provide control to the customer and ensure their rights are upheld – right to be forgotten, right to stop processing and data portability
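The considerations above, sketched as an added example (not from the original article): a backend ingest path for a wearable that keeps only fields covered by a consented purpose, replaces the user ID with a keyed identifier, gates reads by purpose and supports erasure. The field names, purposes, key and sample reading are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: this key lives only in the backend, never on devices or in analytics.
PSEUDONYM_KEY = b"constructed-demo-key"

# Go Minimal: the fields each purpose actually needs (hypothetical wearable schema).
PURPOSE_FIELDS = {
    "fitness_stats": {"heart_rate", "steps", "timestamp"},
    "location_sharing": {"lat", "lon", "timestamp"},
}

def pseudonymize(user_id: str) -> str:
    """Replace personal data with an identifier: keyed HMAC, not linkable without the key."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def ingest(reading: dict, consents: dict) -> dict:
    """Keep only fields covered by a purpose the data subject consented to."""
    subject = pseudonymize(reading["user_id"])
    allowed = set()
    for purpose in consents.get(subject, set()):
        allowed |= PURPOSE_FIELDS.get(purpose, set())
    record = {k: v for k, v in reading.items() if k in allowed}
    record["subject"] = subject  # the raw user_id is never stored
    return record

def read_for_purpose(record: dict, purpose: str, consents: dict) -> dict:
    """Access authorization: release data only for a purpose with consent on file."""
    if purpose not in consents.get(record["subject"], set()):
        raise PermissionError(f"no consent for purpose {purpose!r}")
    return {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}

def forget(store: list, user_id: str) -> list:
    """Right to be forgotten: drop every record belonging to this subject."""
    subject = pseudonymize(user_id)
    return [r for r in store if r["subject"] != subject]

# Constructed sample: the device over-collects; consent covers fitness stats only.
READING = {"user_id": "alice@example.com", "heart_rate": 72, "steps": 4100,
           "lat": 12.97, "lon": 77.59, "timestamp": 1700000000, "contacts": ["bob"]}
CONSENTS = {pseudonymize("alice@example.com"): {"fitness_stats"}}

if __name__ == "__main__":
    rec = ingest(READING, CONSENTS)
    print(rec)
    print(read_for_purpose(rec, "fitness_stats", CONSENTS))
```

Keying the consent registry by the pseudonym means neither the stored records nor the consent lookup needs the raw user ID after ingest.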
To ensure privacy requirements are in-built, it is critical that IoT device manufacturers and software developers adopt privacy by design in their development processes with stringent testing and quality checks before release.
While there is no single silver bullet that would fix all IoT security issues, following security best practices, adopting secure-by-design principles and building robust awareness of the security risks among stakeholders will go a long way in addressing the security issues and help deliver reasonably secure IoT devices.
Note: Picture copyright with respective owner
Written By: Ram Kumar