IoT Systems are Complex, and so is Securing Them

Brian Russell is Chief Engineer, Cyber Security Solutions at Leidos.  In this role, he defines and implements cyber security controls for Internet of Things (IoT) and cloud products and systems. Russell is the co-author of “Practical Internet of Things Security” and is Chair of the Cloud Security Alliance (CSA) IoT Working Group.

OPAQ: How do security risks for IoT devices and applications differ from mobile security or web app security?

BR: Some of the risks related to IoT devices are similar to risks we’re already familiar with, such as those identified by the Open Web Application Security Project (OWASP): security misconfigurations, sensitive data exposure, using components with known vulnerabilities, and privacy risks.  Where we run into differences compared to mobile and web app security relates to the physical nature of IoT devices, acquisition and deployment models for IoT devices, enablement of automation across IoT devices and privacy associated with IoT devices.

For example, we might see IoT products deployed across a city such as smart parking meters or road-side units (RSUs).  These devices need comprehensive physical protections built into them to prevent theft and extraction of firmware for further security analysis.  It’s also important that access controls for these devices are explored thoroughly.  We’ve already seen plenty of scenarios where product makers have used shared credentials across a family of devices.  These configurations make it unnecessarily easy on malicious actors.

The IoT is similar also in some instances to the concept of BYOD in that employees or customers may bring connected products, such as smart watches, into the organization. Or, employees might install smart TVs on corporate networks, and those devices could send data out to the manufacturer. Security teams need to be on the lookout for these connected devices and make sure that they don’t open avenues to export company data to the outside.

As relates to new acquisition models, a company may decide to lease an expensive connected asset instead of purchasing it. Often, the asset is remotely managed by the vendor.  This opens new interfaces to the organizations’ networks that must be locked down.

OPAQ: What are the top enterprise risks from IoT?

BR: First, it’s useful to understand the core ways that enterprises are using IoT data. We are seeing that manifest in two ways: the IoT device feeds data into analytics systems that companies rely upon for decision-making purposes, and secondly, the IoT systems could enable automated decision making within control systems, such as sensors that collect system status data to decide whether to continue or stop a running process.

From an analytics perspective, we must protect against data tampering. If we do not have confidence in the provenance of the data, then decisions made based on that data must come into question. So, we must apply lifecycle security protections to the data to enforce data integrity. This can be accomplished through cryptographic hashing algorithms, for example. Organizations that collect sensitive data from individuals must not only protect it, such as with encryption, but they must recognize that they are collecting sensitive data in the first place. If, for example, you’re collecting blood pressure data from your patients, that piece of data alone isn’t necessarily sensitive. But, when combined with identifying information, the aggregate data is subject to regulatory compliance rules.

If a malicious actor gains access to an IoT-enabled industrial control system, then they can cause unexpected physical actions to occur, which put the safety of the enterprise’s stakeholders at risk.  For example, by increasing the pressure in an oil pipeline, attackers could cause an explosion.  That’s why I usually like to recommend performing at least a rudimentary safety analysis for any IoT system being implemented.

OPAQ: Is security a barrier right now for the adoption of/broader potential of IoT?

BR: What is a bit concerning is that I don’t necessarily know that security is a barrier right now for the adoption of IoT solutions. IoT-based innovation continues at a rapid pace, even in safety-critical industries. Connected and autonomous cars are already on the road, medical devices are being connected, control systems are being connected, and the home/consumer IoT market continues to expand. It seems that many of us are willing to take a chance on new technologies enabled by the IoT and then update those devices when we find that a security flaw has been discovered.

OPAQ: What kind of advice would you give IT departments regarding implementing IoT security plans – whether that’s from employees bringing in personal IoT devices and apps – or from the company having business IoT technology in place?

BR: First, sit down and think about what policies you might need to institute, such as what devices people can bring into a space and what they can connect to the network.  Also, keep track of IoT-related vulnerabilities and make sure to tune your detection processes based on what might be in use in your organization.  For organizations putting business IoT technology in place, make sure that you aren’t infringing on anyone’s privacy with these systems (e.g., conduct a Privacy Impact Assessment) and make sure that you aren’t jeopardizing the safety of users, either. Perform a threat model to identify the high value assets and the data flows within your system and lock them down appropriately.  Apply integrity controls to your data at all points within your systems.  Keep track of all of the IoT assets in your enterprise, which includes tracking the physical locations of your assets and the versions of firmware/software running on these assets.  And, of course, put a plan in place to keep all of your IoT assets updated.