IoT Security: Key Challenges, their Force Multipliers and Mitigation Approach
IDC forecasts that the spending on IoT devices would reach $1.2 trillion in 2022 at 13.6 CAGR.
Gartner predicts the total number of connected devices to reach 25 billion by 2021.
Statista claims that the number of IoT devices that are connected presently are in the range of 23 Billion and expect this number to reach 30 billion by 2020 and surpass 75 billion by 2025.
The numbers vary with each survey however, all the surveys/reports/forecasts on connected IoT devices firmly emphasize a single fact - that the growth of IoT devices in the coming times is going to be exponential.
So, what does it translate into? Well, the answer is, Many Things! For starters, these numbers highlight that the quality of life will improve, connectivity and communication would be simplified, technology will be adopted at a faster rate, consumer experiences would be superior and business potential for tech applications and adoption would be immense. However, all these things can only materialize if the IoT devices, solutions, and the related services are built on a strong foundation of Security.
IoT Security Foundation
While adoption of IoT for business and process modernization has begun at a rapid pace, fundamental challenges remain around safety, reliability, information confidentiality & integrity and privacy protection. It is thus imperative that IoT providers start building-in security into components that constitute IoT systems so that the standalone solutions, as well as their integration with the legacy systems, can overcome the security lacunae that may compromise the user safety.
The high-level components that comprise IoT systems are listed below. These are also the security checkpoints that IoT providers need to take into consideration to ensure a strong IoT security foundation.
Device or Equipment: Physical devices, endpoints, e.g. sensors, ECUs, smart meters, smart devices, etc. get connected to other devices and endpoints across networks to collect/provide information about themselves and their associated environment.
Gateway or Hub: Enables these devices to connect to the outer world via Ethernet, RFID, wireless, Bluetooth, etc.
Network or Transport Channels: Facilitates the connectivity and transmission of information from devices/gateways, e.g. IP network, GSM/CDMA, satellite networks, among others
Facilitation: Provides the ability for the devices to send data/information across gateways/network for further storage, processing, analysis, e.g. cloud computing, big data, etc.
Consumerization or Application: Allows end user/customers to consume information on to their smart devices like tablets, smartphones/television, and laptops.
IoT Security: Risks and Challenges
The next logical step after identifying the IoT system components is to do a comprehensive risk assessment that identifies all the weak links through which a system’s security can be breached. This can only be done if one performs a root-cause analysis of the various factors that can culminate into a security threat. Few of these are as follows:
Data exposure: Sensitive or personal information like patient data on EHR/EMR if they are connected to ECG, ventilator, etc., GPS location of a vehicle to target a person, sniffing, eavesdropping, waylaying.
Extensive dependence on software and applications: Most of the attacks are targeted towards application, especially web applications - Injections, XSS, CSRF etc.
Unauthorized remote access: Remote diagnostics/monitoring, remote maintenance of devices, equipment carries the risk of interception and tampering, if not done using secure communication thereby leading to MITM (man in the middle) attacks.
Unidentified, unauthorized and invalidated devices: Unique identification of the user, devices, authentication and access control of devices which may not have an OEM supplied unique ID - these could lead to identity spoofing, phishing, rogue devices, impersonation, etc.
The attack surface has increased: Extensive leverage of open networks e.g. internet and public cloud combined with data logging media such as sensors, web applications, USB, Wireless, Bluetooth, Zigbee, and GSM.
Legacy systems (out of date OS/software) no longer supported by OEMs: Software updates, security patches mostly become a forgotten concept on legacy devices especially where vendor no longer provides support making them entry points for sabotaging customer networks leading to DOS attacks, malware infliction points, and ransomware.
IoT Security: Threats, Attacks and Prevention
To put it simply, the threat perception has increased manifold with the ever-pervading role of technology and IoT systems are no strong than their weakest components. Hence every component of the system needs to be monitored closely and secured individually to avoid a security compromise. While there is no silver bullet to immediately counter security threats, best practices such as following the Compliance, Integrity, Availability (CIA) triad and implementing a methodical approach such as Defense-in-depth go a long way in nipping the attacks in the bud by building a layered defense system to counter the attack.
The layered approach addresses component security of the system at each stage – the same stages that we listed earlier from physical device to gateway to network to facilitation through to Application or consumerization.
Read LTTS Whitepaper on Security Considerations for IoT to learn in-depth about the best practices to counter IoT risks at each layer.
The Need for IoT Security: The Larger Picture
The scale and impact of IoT security breaches go beyond financial frauds and has the potential to harm human lives and culminate into societal disruptions. As the famous quote from Spiderman goes, “With great power comes, great responsibility.” IoT, its advent, and its growth is one such power that mankind has devised but at the same time it is the responsibility of each and every IoT system creator, product designer, solution builder, and service provider to ensure that their integrity with the consumer and with the consumer’s information is well preserved and rated second to none.
With inputs from LTTS Whitepaper Security Considerations for IoT.