Securing Internet of Things – recent developments and some advice!

I am back again with the hot topic: security in the Internet of Things. It is the number one concern both for organizations that have already adopted IoT and for those waiting in the wings for large-scale adoption. Almost every organization is using IoT in one way or another, knowingly or unknowingly. It is far more alarming when a company does not even know that IoT already exists in its environment: those devices and applications are then outside the organization's risk management framework, security policy and enforcement.

Standards and regulations are another set of concerns (excuses!) for not being able to secure the IoT footprint. The good news is that a lot happened in the past week. NIST (National Institute of Standards and Technology) has published the draft Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT), NISTIR 8200.

Siemens has formed a consortium of industrial giants (Airbus, Allianz, Daimler Group, IBM, MSC, NXP, SGS and Deutsche Telekom) under a Charter of Trust to build greater cyber security.
“We need tangible use cases on how to defend a power plant or how to defend a mobile system or the traffic lights,” - Siemens CEO Joe Kaeser.

The EU General Data Protection Regulation (GDPR), which comes into effect in May 2018, will also force organizations to look into the deployment and monitoring of IoT devices and applications. Being close to the point where data originates, many devices carry personally identifiable and other privacy-sensitive information that requires differential treatment under GDPR. Breaches of the regulation carry severe penalties for organizations, which will reinforce the focus on IoT security.

Regulatory organizations, standards bodies and private organizations are coming together globally to fast-track product standardization, regulation and certification. This is a welcome development and will further boost IoT rollout.

Not long ago, organizations went through a big cycle (circus?!) securing all the smartphones, BYOD and so on, and several options were tried, re-tried and retired. We can definitely take some learning from that experience. Now multiply that device footprint by many thousands and you will see IoT looming large. Yes, it is difficult and back-breaking to secure devices that have taken the shape of everything we see in day-to-day life: embedded sensors in industrial equipment, HVAC, facility management systems, physical security systems, supply chain, medical devices, wearables etc.

Fortunately, when it comes to security the approach need not be path-breaking; we can always rely on breaking up and securing (micro-segmentation) and layered security (defense-in-depth).

The IoT security threat map from Beecham Research (http://www.beechamresearch.com/), shown below, clearly depicts the attack surface and establishes that there is no silver bullet when it comes to security.

Now what are our options? I will reinforce what I have stated in my earlier articles.

Establish an IoT security framework with Confidentiality, Integrity, Availability and Safety as the core objectives. We discussed in the previous article why Safety is now a core consideration for IoT: sensors and actuators play a vital role in human and equipment safety.

Authenticate, Authorize and Audit -

When a device is plugged into the network, it should authenticate itself before receiving or transmitting data. Teams should evaluate products for secure boot capability, key-based authentication, encrypted data storage on the device etc., based on the risk-impact assessment. Unlike typical enterprise endpoints, IoT devices usually have no user behind them, so they must be fingerprinted by automated mechanisms: RFID tags, per-device keys and digital certificates, or tamper-evident registries such as a blockchain-based ledger.

Auditing and secure analytics provide visibility into each and every sensor, what it did and how it performed, and give vital insight into potential failures, including those caused by exploitation of vulnerabilities. Failed authentications belong in that audit trail as much as successful ones; a cloned or tampered device usually shows up there first.
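To make the authenticate-and-audit steps above concrete, here is an added example (my own illustration, not code from the article or from any of the products or standards named on this page). It assumes a broker that enrolls each device with a per-device 256-bit secret (on real hardware this would be provisioned into a secure element at manufacture, or replaced by an X.509 certificate and mutual TLS), issues a single-use nonce as a challenge, and accepts an HMAC-SHA256 response computed over the device id, the nonce and a timestamp. Every decision, success or failure, is appended to an audit log, which is what the analytics capability described above would consume. The `Broker` and `Device` classes and the device id are hypothetical names.

```python
"""Challenge-response device authentication with an audit trail.

Added illustration, not code from the original article or any vendor stack.
Assumptions: each device is enrolled with a per-device 256-bit secret (in practice
provisioned into a secure element at manufacture, or replaced by an X.509
certificate and mutual TLS); the broker issues a single-use nonce; the device
answers with HMAC-SHA256 over (device_id, nonce, timestamp); every decision is
appended to an audit log. Broker, Device and the device id are hypothetical names.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_TTL_SECONDS = 60    # a challenge is only valid briefly, and only once
MAX_SKEW_SECONDS = 30     # device clock may drift this much from the broker's


def response_tag(key, device_id, nonce, ts):
    """MAC the device must present; binds identity, challenge and time together."""
    msg = f"{device_id}|{nonce}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Broker:
    """Broker side: enrolled secrets, outstanding challenges, audit log."""
    keys: dict = field(default_factory=dict)       # device_id -> secret
    pending: dict = field(default_factory=dict)    # nonce -> (device_id, issued_at)
    audit_log: list = field(default_factory=list)

    def enroll(self, device_id):
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        self._audit("enroll", device_id, "ok")
        return key

    def challenge(self, device_id, now):
        if device_id not in self.keys:
            self._audit("challenge", device_id, "unknown-device")
            return None
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, now)
        self._audit("challenge", device_id, "issued")
        return nonce

    def verify(self, device_id, nonce, ts, tag, now):
        entry = self.pending.pop(nonce, None)  # consumed on first use, even if it fails
        if entry is None or entry[0] != device_id:
            self._audit("verify", device_id, "unknown-or-replayed-nonce")
            return False
        if now - entry[1] > NONCE_TTL_SECONDS or abs(now - ts) > MAX_SKEW_SECONDS:
            self._audit("verify", device_id, "expired")
            return False
        expected = response_tag(self.keys[device_id], device_id, nonce, ts)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            self._audit("verify", device_id, "bad-mac")
            return False
        self._audit("verify", device_id, "authenticated")
        return True

    def _audit(self, event, device_id, outcome):
        self.audit_log.append({"event": event, "device": device_id, "outcome": outcome})


@dataclass
class Device:
    """Device side: only needs its id, its key and a clock."""
    device_id: str
    key: bytes

    def answer(self, nonce, now):
        ts = int(now)
        return self.device_id, nonce, ts, response_tag(self.key, self.device_id, nonce, ts)


def demo():
    """Three exchanges: genuine, replayed, and from an impostor without the key."""
    broker = Broker()
    dev = Device("hvac-sensor-0421", broker.enroll("hvac-sensor-0421"))
    now = 1_700_000_000  # constructed clock value, not a real timestamp

    nonce = broker.challenge(dev.device_id, now)
    genuine = broker.verify(*dev.answer(nonce, now + 1), now=now + 1)
    # Replaying the identical response fails: the nonce was consumed above.
    replayed = broker.verify(*dev.answer(nonce, now + 1), now=now + 2)
    # An impostor that knows the id but holds a different key.
    nonce2 = broker.challenge(dev.device_id, now)
    impostor = broker.verify(*Device(dev.device_id, b"\x00" * 32).answer(nonce2, now), now=now)
    return genuine, replayed, impostor, broker.audit_log


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

Running `demo()` shows the three outcomes a practitioner cares about: the genuine device authenticates, an exact replay of its response is refused because the nonce is consumed on first use, and a device that knows the identifier but not the key fails with a bad MAC. The audit log records each of these, including the failures, which is the raw material the analytics layer needs to spot a compromised or cloned sensor.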

Network security ensures that endpoint traffic is securely transported over the infrastructure, whether it is control, management or actual data traffic. Controls should include role-based access control (RBAC), encryption, segmentation on a need-to-know basis, firewalls, intrusion prevention systems (IPS) etc.

Cloud security is paramount in today's IoT implementations. The major cloud service providers, Amazon, Microsoft and Google, offer IoT as a stack, and organizations are leveraging these stacks in their IoT rollout plans. But organizations should carefully evaluate their requirements against what these stacks provide. There is often a tendency to subscribe to or enable more functionality and APIs than needed, which are then left orphaned. Orphaned services, devices and ports are a frequent source of intrusions and data loss. Segmentation and need-to-know restrictions should also be extended to cloud instances; otherwise the cloud provides a convenient bypass for potential intruders.
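As an added example of the need-to-know segmentation from the network section and of extending it to the cloud as argued above (my own illustration, not code from any cloud provider's IoT stack), the block below evaluates a deny-by-default allow list over a constructed set of flow records spanning on-premises device segments and a cloud VPC. It reports two things: flows the policy does not permit, and open listeners that no rule allows anyone to reach and that carried no traffic, which are exactly the orphaned ports that should be closed. The segment names, addresses, ports and flows are all made up for the example.

```python
"""Need-to-know segmentation check across on-prem segments and a cloud VPC.

Added illustration, not code from the article or from any vendor. Assumptions:
a deny-by-default policy keyed on (source segment, destination segment, port);
flow records and listener inventory are constructed, not real observations.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src_segment src dst_segment dst port")
Listener = namedtuple("Listener", "segment host port service")

# Deny-by-default allow list: anything not listed here is a violation.
ALLOW = {
    ("sensor-vlan", "broker-dmz", 8883),   # sensors publish MQTT over TLS only
    ("broker-dmz", "cloud-vpc", 443),      # broker forwards to the cloud IoT endpoint
    ("ops-vlan", "broker-dmz", 22),        # operators manage the broker
    ("ops-vlan", "cloud-vpc", 443),        # operators use the cloud console/API
}

# Constructed flow records (hypothetical addresses, not captured traffic).
FLOWS = [
    Flow("sensor-vlan", "10.10.1.23", "broker-dmz", "10.20.0.5", 8883),
    Flow("sensor-vlan", "10.10.1.23", "ops-vlan", "10.30.0.9", 445),   # lateral move attempt
    Flow("broker-dmz", "10.20.0.5", "cloud-vpc", "172.16.4.2", 443),
    Flow("cloud-vpc", "172.16.4.2", "sensor-vlan", "10.10.1.40", 23),  # cloud-to-device telnet
    Flow("ops-vlan", "10.30.0.9", "broker-dmz", "10.20.0.5", 22),
]

# Constructed listener inventory (what a port scan or asset inventory would report).
LISTENERS = [
    Listener("broker-dmz", "10.20.0.5", 8883, "mqtt-tls"),
    Listener("broker-dmz", "10.20.0.5", 22, "ssh"),
    Listener("broker-dmz", "10.20.0.5", 1883, "mqtt-plain"),   # no rule allows anyone here
    Listener("cloud-vpc", "172.16.4.2", 443, "iot-ingest"),
    Listener("cloud-vpc", "172.16.4.7", 8080, "debug-api"),    # left over from a pilot
]


def allowed(flow):
    """True only if the policy has an explicit entry for this segment pair and port."""
    return (flow.src_segment, flow.dst_segment, flow.port) in ALLOW


def violations(flows=FLOWS):
    """Flows the segmentation policy does not permit; each one is an alert."""
    return [f for f in flows if not allowed(f)]


def orphaned_listeners(listeners=LISTENERS, flows=FLOWS):
    """Open ports that no rule makes reachable and that saw no traffic: close them."""
    reachable = {(dst, port) for _, dst, port in ALLOW}
    seen = {(f.dst, f.port) for f in flows}
    return [
        lst for lst in listeners
        if (lst.segment, lst.port) not in reachable and (lst.host, lst.port) not in seen
    ]


if __name__ == "__main__":
    for f in violations():
        print("VIOLATION", f.src_segment, f.src, "->", f.dst_segment, f.dst, f.port)
    for lst in orphaned_listeners():
        print("ORPHANED ", lst.segment, lst.host, lst.port, lst.service)
```

Two of the five constructed flows violate the policy: a sensor reaching into the operations VLAN on 445, and a cloud instance opening telnet to a device. The second one is the point of the paragraph above: if the cloud side sits outside the segmentation policy, a compromised cloud instance becomes the bypass into the device network. The plaintext MQTT listener and the leftover debug API are reported as orphaned because no rule lets anyone reach them and nothing used them, so they are pure attack surface.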

Every IoT implementation should be preceded by a risk assessment under a risk management framework, in which one tabulates all the risks: internal, external, device-based, vendor-specific, network, platform, human factors, skills, awareness and so on. Each risk should be validated against its impact on the core objectives (Confidentiality, Integrity, Availability and Safety), and the security framework adjusted based on the outcome of this assessment.

A well-thought-out security framework and control measures will ensure adequate protection of critical infrastructure and sensitive data while maintaining continuous business operations. Security is not an afterthought anymore; it is a critical factor in the success of the digital economy.

Comments

  1. Do you know about IT, how data will be stored in the future and how much of the IT budget is spent in the world?
    Go to this site and read the interesting things that you need to know:
    www.digitaltechnologyreview.com


