by: Eng. Muhammad Haleem Junejo
Highlights from a business perspective
Internet of Things (IoT) technology allows organizations to optimize processes, enhance product offerings, and transform customer experiences in a variety of ways. Although business leaders are excited about the way in which their businesses can benefit from this technology, it is important for them to consider the complexity and security risks associated with deploying IoT solutions. This is due, in part, to a lack of understanding of how to adopt security best practices to the new technologies, as well as a struggle with disparate, incompatible, and sometimes immature security offerings that fail to properly secure deployments, leading to an increased risk for customer or business owner data. This article provides guidance on how to understand, approach and meet your security, risk and compliance objectives when deploying IoT solutions.
Objective to Improve Quality of Life with help of IoT.
Organizations are eager to deliver smart services that can drastically improve the quality of life for populations, business operations and intelligence, quality of care from service providers, smart city resilience, environmental sustainability, and a host of scenarios yet to be imagined. Helping to protect the confidentiality, integrity, and availability of customer systems and data, while providing a safe, scalable, and secure platform for IoT solutions is a priority for any organization.
Well-Architecture Framework, the design principles for the organization in today’s are,
- Manage device security life-cycle holistically – Data security starts at the design phase and ends with the retirement and destruction of the hardware and data. It is important to take a complete approach to the security life-cycle of your IoT solution to maintain your competitive advantage and retain customer trust.
- Ensure least privilege permissions – Devices should all have fine-grained access permissions that limit which topics a device can use for communication. By restricting access, one compromised device will have fewer opportunities to impact any other devices.
- Secure device credentials at rest – Devices should securely store credential information at rest using mechanisms such as a dedicated crypto element or secure flash.
- Implement device identity life-cycle management – Devices maintain a device identity from creation through the end of life. A well-designed identity system will keep track of a device’s identity, track the validity of the identity, and proactively extend or revoke IoT permissions over time.
Current Security challenges and focus areas.
Security risks and vulnerabilities have the potential to compromise the security and privacy of customer data in an IoT application. Coupled with the growing number of connected devices, and the data generated, the potential for security events raises questions about how to address security risks posed by IoT devices and device communication to and from the cloud. Common customer concerns regarding risks focus on the security and encryption of data while in transit to and from the cloud, or in transit from edge services to and from the device, along with patching of devices, device and user authentication, and access control. Another class of security risks stem from protecting physical devices.
Hardware-based security, such as using Trusted Platform Modules (TPMs), can protect the unique identities and sensitive data on a device and protect it from manipulative events such as probing of open interfaces on the device.
Addressing these risks by securing IoT devices is essential, not only to maintain data integrity but to also protect against security events that can impact the reliability of devices. As devices can send large amounts of sensitive data over the internet, and end-users are empowered to directly control a device, the security of “things” must permeate every layer of the solution. This article walks through the ability to integrate security into each of these layers using cloud-native tools and services.
The foundation of an IoT solution must involve security throughout the process or else risk costly recalls or expensive retrofitting when poor security implementations lead to customer issues or downtimes. Getting the right foundations in place makes it easier to adjust to changing conditions and makes it possible to layer on services capable of continuously auditing IoT configurations to ensure that they do not deviate from security best practices and respond if they do. After a deviation is detected, alerts should be raised so appropriate corrective action can be implemented—ideally, automatically.
To keep up with the entry of connected devices into the marketplace, as well as the threats coming from online, it is best to implement services that address each part of the IoT ecosystem and overlap in their capability to secure and protect, audit and remediate, and manage fleet deployments of IoT devices (with or without connection to the cloud). In addition, with the accelerated adoption of Industrial IoT (IIoT) connecting operational technologies (OT) such as industrial control systems (ICS) to the internet, new security challenges have arisen. OT environments are leveraging more IT solutions to improve productivity and efficiency of production operations. This convergence of IT and OT systems creates risk management difficulties that need to be controlled. Operational technology controls physical assets and equipment such that if there is unintended access, it could impact outages of critical services. To address these emerging concerns, customers must evaluate the unique considerations these bring, and apply the appropriate security considerations.
Key IoT security takeaways
Despite the number of best practices available, there is no one-size-fits-all approach to mitigating the risks to IoT solutions. Depending on the device, system, service, and environment in which the devices are deployed, different threats, vulnerabilities, and risk tolerances exist for customers to consider. Here are key takeaways to help incorporate complete security across data, devices, and cloud services:
Employ security in the design phase.
The foundation of an IoT solution starts and ends with security. Because devices may send large amounts of sensitive data, and end users of IoT applications may also directly control a device, the security of things must be a pervasive design requirement. Security is not a static formula; IoT applications must be able to continuously model, monitor, and iterate on security best practices.
A challenge for IoT security is the lifecycle of a physical device and the constrained hardware for sensors, microcontrollers, actuators, and embedded libraries. These constrained factors may limit the security capabilities each device can perform. With these additional dynamics, IoT solutions must continuously adapt their architecture, firmware, and software to stay ahead of the changing security landscape. Although the constrained factors of devices can present increased risks, hurdles, and potential tradeoffs between security and cost, building a secure IoT solution must be the primary objective for any organization.
Build on recognized IT security and cybersecurity frameworks.
Applying globally recognized best practices carries several benefits across all IoT stakeholders including:
- Repeatability and reuse, instead of re-starting and re-doing
- Consistency and consensus to promote the compatibility of technology and interoperability across geographical boundaries
- Maximizing efficiencies to accelerate IT modernization and transformation
Focus on impact to prioritize security measures.
Attacks or abnormalities are not identical and may not have the same impact on people, business operations, and data. Understanding customer IoT ecosystems and where devices will operate within this ecosystem informs decisions on where the greatest security risks are—within the device as part of the network or physical component. Focusing on the risk impact assessment and consequences is critical for determining where security efforts should be directed along with who is responsible for those efforts in the IoT ecosystem.
Start with using zero-trust security principles.
Zero-trust principles are intended for an organization’s infrastructure, which includes operational technology (OT), IT systems, IoT, and Industrial Internet of Things (IIoT). Traditional security models rely heavily on network segmentation and give high levels of trust to devices based on their network presence. In comparison, zero trust requires your users, devices, and systems to prove their trustworthiness, and it enforces fine-grained, identity-based rules that govern access to applications, data, and other assets.
Along with exponential growth in connected devices, each thing in IoT communicates packets of data that require reliable connectivity, storage, and security. With IoT, an organization is challenged with managing, monitoring, and securing immense volumes of data and connections from dispersed devices. But this challenge doesn’t have to be a roadblock in a cloud-based environment. In addition to scaling and growing a solution in one location, cloud computing enables IoT solutions to scale globally and across different physical locations while lowering communication latency and allowing for better responsiveness from devices in the field.