A recent Washington Post article discussed how security researchers at this year’s Black Hat USA conference continue to be concerned about the state of IoT security. The article included these researchers’ advice to policymakers in Washington (including the bipartisan list of Senators working on new IoT security legislation) on what they need to understand about the IoT and cybersecurity as they move forward in developing and implementing policies designed to make the IoT more secure.
I agree that the points the reporter highlights are important for policymakers to understand as they move forward – that more cyber attacks are coming, IoT devices need to be patchable, smart cities are vulnerable, and security researchers are your friends. However, there are also a few more issues I would recommend that policymakers – as well as IoT device, manufactures, solution developers and customers – should learn more about as we work together to increase IoT security and resiliency by enhancing solutions and promoting improved IoT device security best practices.
1. The Process for How We Patch Devices is as Important as Ensuring That Devices Can Be Patched
Today, most IoT gateways, modules and other connectivity devices can be upgraded with new firmware to fix security vulnerabilities as they emerge. However, without proper planning, it may be difficult, impossible or too expensive to deploy these patches to thousands or millions of devices in the field, resulting in critical gaps in IoT device security.
Local updates are very expensive because they require a technician to visit each device. Over-the-Air (OTA) updates are more scalable but require investment in a network management solution. OTA updates can also consume a lot of bandwidth, which can make it very expensive if, for example, the devices are deployed with a data plan only allowing 5MB/month while each security update is several times that size.
Even if bandwidth is not a concern, power might be. Battery-powered devices designed to last for years (because they transmit and receive very little data) can have their entire power reserves depleted by a single security update, necessitating expensive technician visits to replace batteries or the devices themselves. In some cases, so-called “Deep Edge” devices, which live in fringe coverage areas or deep inside buildings or underground, may be able to achieve data rates only in the hundreds of bits per second, making a multi-megabyte download impossible. There are solutions to these issues, but they may require not only policy changes, but also the deployment of new technologies and changes to the business models of IoT market participants.
Some out-of-the-box thinking is needed. For example, mobile network operators could be required to provide customers with free or discounted bandwidth for security updates. Another possibility is that, where OTA updates are not feasible, operational workflows could be utilized to update firmware through local interfaces. For example, smart lighting firmware could be updated when changing a bulb. Perhaps sensors deep inside buildings could be updated over Wi-Fi utilizing a distribution server in a janitor’s cart.
In addition, a Defense in Depth strategy as discussed below may offer sufficient protection for some use cases, eliminating the need for many firmware updates.
2. IoT Security Is Not One Thing – It Requires Defense in Depth
Defense in Depth improves IoT security by forcing an attacker to breach multiple security layers in order to compromise an IoT solution. When a vulnerability is detected in one layer, the other layers protect the integrity of the system until the breach can be detected and contained and the vulnerability can be corrected. For example:
- A private cellular gateway, called an Access Point Name (APN), implements a network-level firewall restricting the hosts that can reach a device.
- A device firewall performs the same function in the event an attacker is able to penetrate the private APN.
- Using secure authentication on the services that the firewall needs to leave accessible ensures that only authorized users may connect, creating another obstacle should an attacker compromise a device permitted to traverse the APN and device firewalls.
- Role-based access privileges limit what can be seen and done should an attacker compromise the credentials of an authorized user on a device permitted to traverse the APN and device firewalls.
- Up-to-date firmware helps ensure there are no vulnerabilities that allow an attacker to bypass the role-based access privileges.
- Cloud management and network operations platforms monitor device behavior for anomalies that may indicate the IoT device’s security has been compromised by an attacker despite all the above protections.
3. IoT Security Depends on IoT Solution Owners Following Security Best Practices
Even the strongest safe will not stop a robber if the owner forgets to lock it. IoT devices, networks and cloud software can be built using the world’s best security technologies, but if users do not take advantage of these IoT security solutions by following best practices, overall security will be compromised.
However, even here some responsibility falls to the IoT device, network and cloud software providers. In addition to integrating security technologies into their products, they should not assume users will always follow security best practices. Instead, they should ensure their devices, networks and software are “secure by default.”
- Devices should use cryptographically secure unique random default passwords instead of global shared passwords. This enhances security should users not change the default password.
- Device firewalls should default to blocking all traffic on network interfaces in order to force users to properly configure devices before use – and to protect the device should it be turned on and connected to the network using default settings.
- All non-essential services and/or ports should be disabled by default to minimize the attack surface should the device be deployed in its default state or reset to defaults in the field.
Still, there is only so much that IoT device, network and cloud software providers can do. A strong security posture is possible only if IoT solution owners and users also follow security best practices. How can we increase the adoption of security best practices by IoT owners and users?
The most important step is education and training. One possible strategy involves Computer Assisted Training materials. These could be developed by vendors or a group of security experts and provided for free (or minimal expense) to customers. After a user completes the training, a security “certificate” could be issued and kept on file by the user’s organization.
4. Nothing Can Be Made 100 Percent Secure, So We Need IoT Resiliency as Well
Even if IoT solutions use devices that are patched with all the latest security updates, have security deployed in depth, and have users who are carefully following security best practices there is still the possibility that the solution could be hacked – if not by an external threat actor, then by an internal one. Given this reality, developers, users and owners of IoT solutions need to plan for the worst – that, at some point in the future, their solution will be hacked, despite all their efforts. This means they must have a resiliency strategy for recovering from the attack as quickly and fully as possible.
This might, for example, involve backing up data from their IoT solutions, so that, if necessary, they can wipe the devices and then restart them with the backed-up data. In addition, IoT solutions used in mission-critical applications, such as for first responder communications or the control of critical infrastructure, failover systems should be deployed to take over in the event the primary system is compromised.
We hope that policymakers and IoT device manufacturers, solution developers and customers will consider these issues, while also offer their ideas on how we can all work together to make the IoT more secure. While some may think discussions sow fear that slow the growth of the IoT, we believe that we need to be open about IoT security, and constantly be working to improve it – because good security is foundational to the success of the IoT.
Questions / More Information Contact USAT: