Editor's note: the author is staff member at Internet2.
Software and hardware companies often trade off security in favor of the other aspects of running their business. Internet-of-things developers are particularly susceptible to making these tradeoffs because of financial pressures to keep the cost of their products low. Each manufacturer makes these decisions for itself during IoT development, but enterprises and users are the ones affected by their insecure IoT devices. There is a long history of nontraditional IT systems being insecure, and as IoT devices deployment grows, the more critical the problem becomes.
The Cloud Security Alliance's (CSA) Internet of Things Working Group released a report, "Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products," to serve as guidance for IoT developers and manufacturers on security controls that should be incorporated throughout their development of IoT products. This tip will look at the IoT device security guidelines from the CSA and enterprise responses to manage IoT security.
Cloud Security Alliance report on IoT products
The document starts with an explanation of why security and privacy are important to IoT devices. It references several high-profile security incidents involving compromised IoT devices, such as vulnerabilities found in baby monitors, hackable pacemakers and other medical devices, and distributed denial-of-service (DDoS) attacks being launched with the help of IoT devices.
The document provides CSA's top five security considerations for IoT developers to base their engineering practices on:
- Design a secure software update process.
- Use authentication, integrity protection and encryption in product interfaces.
- Enlist an independent security assessment of IoT products.
- Maintain the security of companion mobile applications and gateways.
- Implement a secure root of trust for device root chains and private keys.
The Guidance for Secure IoT Development section provides the steps to secure IoT devices. The steps, beginning with having a secure development methodology and concluding with performing security reviews, cover secure software development practices and how to maintain hardware security. It has an overview of different programming languages and operating systems used in IoT devices to help an internet-of-things developer start out with security in mind.
The CSA is not the only group working on IoT security: The U.S. Department of Homeland Security, the IoT Security Foundation and many industry-specific groups, like Internet2 for higher education, are also focusing on the issue. Enterprises and industries should review the different guidelines to determine how it fits within their security program.
Enterprise responses to manage IoT security
The CSA guidance is focused on IoT developers, not on the enterprises adopting IoT. But an enterprise could use the report to develop a checklist based on its environment to use when evaluating IoT devices. Prior to procuring an IoT device, enterprises should ask their vendor for the security documentation on how security was incorporated into their IoT development, with reference to the steps included in the CSA guidance. Enterprises need to ensure they have compensating controls in place to manage the risk from the devices or not procure insecure IoT systems. Some of the technical checks could be performed by third parties in the security evaluations done for the vendor, or for enterprises to ensure the security of the IoT devices.
As part of the security evaluation, an enterprise should assess the vendor's IoT development practices. Additionally, an enterprise should investigate the architecture used by the IoT device and how it fits into the enterprise's architecture, as well as find out the type of data collected by the devices to determine the potential privacy effect and security requirements. Next, evaluate the specific technical implementation aspects of the system, including communication protocols, supporting services or software, API security, secure updates, authentication and authorization, secure key management and logging. For example, an enterprise could determine that an IoT device must be able to log into a centralized security information and event management product used for managing logs across the enterprise so it can be monitored.
Once the IoT device has been procured, an enterprise should include it in its existing security program, with the necessary adaptions to account for the device's limitations. The enterprise might want to scan its network or monitor outgoing traffic to look for unknown IoT devices. Once unknown devices are identified, they should be treated like other unknown devices consistent with enterprise security policies, like only allowing internet access.
The enterprise might want to place approved IoT devices on a separate network to limit the access to the internet or internal systems, but this will depend on if integration with any internal systems is necessary. It may be difficult to set up network segmentation for IoT devices because of device mobility, so minimally preventing inbound access from the internet will help prevent direct attacks from botnets or other attackers. But this will not stop an internal system from attacking one of the IoT devices. For approved devices, minimally changing default passwords is a necessity, but ensuring automatic updates are enabled will keep the device updated.
As alarming as this sounds, IoT security and privacy can have a significant effect on modern society. While the Dyn DDoS attack was a disruption to the internet, the impact was not as serious as it could have been, since Dyn had planned for possible DDoS attacks. Had Dyn not been as prepared, the effect could have been more significant.
Future planning is needed for securing the IoT ecosystem to reduce the number of devices unwittingly participating in DDoS attacks and other security- and privacy-related issues. While any one standard for securing IoT devices is not necessarily the best or most comprehensive, using the CSA guidance as a baseline for IoT development and deployment will improve the general state of security and potentially prevent future attacks.
Find out if government legislation is necessary to secure IoT
Read about the Industrial Internet Consortium's IoT security guide
Learn about important IoT security testing steps your enterprise should take