The Internet of Things (IoT) represents how far technology has come over the years. No longer are computers and tablets the sole devices connecting to the internet. Now numerous devices, including kitchen appliances and temperature monitors, connect to the internet. The coronavirus fueled this trend further by reducing the human contact necessary, and the work-from-home boom increased consumer demand for such products. However, if not properly secured, these interconnected devices can place families and businesses alike at risk of a cyberattack. Consequently, Internet of Things (IoT) security is a growing concern for businesses of all shapes and sizes. Here’s what IoT device monitoring is and how it can protect your networks and data.
What Is the IoT?
IoT comprises multiple interconnected devices, with the internet serving as the thread between them all. IoT devices aren’t just computers; they include mechanical and digital machines, and everything from animals’ tags to fitness bands. Two key factors determine if a device is part of the IoT:
- Does it have a unique identifier?
- Can the device automatically transfer data over the network?
The Challenge of IoT
The most significant benefit of IoT devices, their connectivity, is also a weakness and part of why the IoT is so difficult to secure. Gartner and other institutions estimate that by 2025, there will be more than 30 billion “things” connected to the internet. The universal applicability of the IoT leads to rapid growth. David Evans, CIO/VIP of Technology at the Computer History Museum, explained how far-reaching the IoT has become, even connecting seemingly innocuous things:
“Today, literally anything can be connected, including tennis rackets,
diapers, clothing, vehicles, and, of course, homes. And although people may find
this unsettling, the network is also starting to include biological things:
Today, pets, crops, livestock, and the clothing on your body can be connected.
We’re not far from an Internet link you can actually swallow as a pill.”
With that in mind, companies and society must understand how to secure their IoT networks.
IoT Device Monitoring
Monitoring the IoT is a multifaceted task. There’s the endpoint, the internet connection, and the connection to corporate or other networks, to name just a few concerns. Begin with an inventory of your assets to know what’s on your network. Identify each device’s purpose and log its use. Here are three ways to start improving the organization and security of your IoT network:
With so many devices connected to a typical IoT network, it’s unrealistic for humans to monitor them manually. Take advantage of the SIEM and auditing tools available to monitor traffic, data flow, and the pings between devices and networks. Many of these tools let you set up custom alerts that fire on a suspicious traffic pattern or when another defined metric deviates from the expected result.
With the IoT, connection turnover is high. In other words, many devices are connecting and disconnecting regularly. Consequently, it’s prudent to run frequent device inventories. Just as companies conduct asset inventories, they need to conduct IoT device inventories, either through a physical inventory such as asset tagging or through a network discovery scan. A discovery scan is the way to go for larger companies, as the scan finds devices and creates a network map. Another benefit of an automatic discovery scan is quickly identifying when a device accidentally goes offline. However a company chooses to conduct its inventory, it should document the cadence of the manual inventories, assign who is responsible for them, and ensure the inventory list is updated as required by internal policy.
When choosing a tool and configuring it to run automatic device scans, make sure it includes the following information:
- Model ID
- Serial number
- Hardware or software
- Firmware versions
- Chassis ID
- Module inventory
Notably, the ease of use for scanning tools will depend significantly on the subscription type. More expensive versions will likely offer perks such as grouping devices by type, applying group configuration settings, and setting up automatic discovery scans.
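The inventory comparison described above, as an added example that is not part of the original post: a new discovery scan is diffed against the approved baseline to flag devices that went offline, devices never inventoried, and firmware drift. The record fields, the Inventory type, and the sample serials are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Device is one record from a discovery scan (a subset of the checklist fields above).
type Device struct {
	ModelID, Serial, Firmware string
}

// Inventory maps serial number -> device record.
type Inventory map[string]Device

// InventoryDiff is what changed between the approved baseline and a new scan.
type InventoryDiff struct {
	Offline  []string // in the baseline but missing from the new scan
	Unknown  []string // seen in the new scan but never inventoried
	Firmware []string // firmware version differs from the baseline
}

// CompareScans diffs a new scan against the baseline; lists are sorted so alerts are stable.
func CompareScans(baseline, scan Inventory) InventoryDiff {
	var d InventoryDiff
	for serial, old := range baseline {
		cur, ok := scan[serial]
		if !ok {
			d.Offline = append(d.Offline, serial)
		} else if cur.Firmware != old.Firmware {
			d.Firmware = append(d.Firmware, serial)
		}
	}
	for serial := range scan {
		if _, ok := baseline[serial]; !ok {
			d.Unknown = append(d.Unknown, serial)
		}
	}
	for _, l := range [][]string{d.Offline, d.Unknown, d.Firmware} {
		sort.Strings(l) // sorts in place; the slices share their backing arrays
	}
	return d
}

// Constructed sample records (not real devices): SN-0002 went offline, SN-0001 got new firmware, SN-0009 is new.
var Baseline = Inventory{"SN-0001": {"TH-200", "SN-0001", "1.4.2"}, "SN-0002": {"TH-200", "SN-0002", "1.4.2"}}
var Scan = Inventory{"SN-0001": {"TH-200", "SN-0001", "1.5.0"}, "SN-0009": {"CAM-7", "SN-0009", "0.9"}}

func main() { fmt.Printf("%+v\n", CompareScans(Baseline, Scan)) }
```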
Defining Device Roles
Most mid to large companies employ some sort of separation of duties (SoD). SoD means that employees only have access to what they need to fulfill the responsibilities of their position. Similarly, each device has a role and, in many cases, does not require full access to the entire network. By defining device roles, you enable the monitoring tool to assign pre-defined configurations for that group/type of device. For best security, all devices need to be configured correctly before adding them to the network.
IoT Device Vulnerabilities and Challenges
- Large attack surface – broad interconnectivity and a large number of entry points (e.g., a phishing scam can serve as a means of getting through one of those entry points).
- Resource allocation – In general, there is a lack of resources to secure IoT devices, but widespread use improves efficiency. What if IoT is compromised? Would your company operations come to a halt, or do you have alternative services to fill in if IoT devices go down? Do IoT devices have too much access?
- Bluetooth – IoT includes Bluetooth devices that have become prime targets in recent years (e.g., wireless key fobs vulnerability).
- Architecture – The IoT includes both digital and physical components, so any architectural security plan will require a multi-pronged approach. Best practices include using antimalware, firewalls and intrusion detection systems/intrusion prevention systems, patching, and closing ports that do not need to be open.
- Integrating Operating Systems – IoT devices do not always run iOS, Linux, or Microsoft Windows. However, many endpoint monitoring solutions are designed to work with these operating systems. As a result, it’s recommended that companies test the IoT firmware before incorporating the devices.
IoT Endpoint Security
The European Groupe Speciale Mobile Association (GSMA) developed an IoT Guide for Endpoint Security, providing best practices, models, frequently asked questions, and priority practices. In particular, the document outlines 20 critical recommendations that can serve as the stepping stone for securing IoT endpoint devices. Below are 4 of the 20 recommendations to get you started, but be sure to read the complete guide for a more in-depth look at IoT endpoints.
Trusted Computing Base (TCB)
GSMA defines a TCB as “a suite composed of hardware, software, and protocols that ensures the integrity of the Endpoint performs mutual authentication with network peers and manages communications and application security.” The core of the TCB stores and processes pre-shared keys (PSK) or asymmetric keys and is known as the Trust Anchor. Trust Anchors assist with authentication and may store endpoint security data relevant to an application. The TCB bridges the gap between the OS and the endpoint’s applications. The key is selecting the right TCB and Trust Anchor. The following points are examples of aspects a good TCB should address:
- Executable image validation
- The mutual authentication of network peers
- Separation of Duties within the IoT security architecture
- Provisioning and Personalization
- Isolated Environment security (or connectionless site security)
As noted above, a Trust Anchor handles authentication and verifies the integrity of devices connecting to the network. It is a physical component, either a separate chip or a secure core inside a CPU. For example, a UICC or eUICC with IoT SAFE can be implemented as a secure Trust Anchor. Anchors store, verify, process, and update authentication data and then communicate with the TCB. For lightweight endpoints that are too small to house a standard Trust Anchor, the ETSI TS 102 671 form factors “MFF1” and “MFF2” of the UICC smart card can be used instead.
Tamper-Resistant Trust Anchor
Not all Trust Anchors are the same. They may offer similar base options, but you should also look for options resistant to focused ion beam (FIB) probing, side-channel analysis, and glitching. While Trust Anchor safeguards may not completely inhibit attacks, they make attackers work harder and spend more resources, making the devices less lucrative targets. Federal Information Processing Standards (FIPS) validation is also becoming an option with some Trust Anchor manufacturers; however, it is not yet widespread.
Utilise an API for the TCB
After selecting your Trust Anchor, you need to make sure it integrates appropriately with the TCB, a process usually handled by an API. The API you select, likely from a software library provided with the Trust Anchor, should allow the TCB to complete the following actions:
- TCB performs signature verification
- TCB protects against the exposure of private keys
- The TCB performs Key exchange
- TCB performs decryption and encryption
- TCB signs messages
- TCB uses secure message padding
- Ensure confidentiality and integrity between the TCB and the application
Keep in mind that a TCB should never interact with untrusted, third-party applications running on an endpoint.
Defining an Organizational Root of Trust
An organizational root of trust is a set of cryptographic policies and procedures that govern how identities, applications, and communications can and should be cryptographically secured. The cryptography will depend on what works with the TCB and Trust Anchor and how the engineering team chooses to implement it. Trusted machines should generate a root key and additional keys for different hierarchies of the devices. For example, subkeys may be code signing keys or peer-to-peer communication keys.
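A worked example of the key hierarchy described above, added here and not part of the original post or of any GSMA material: a root key held on a trusted machine issues a code-signing subkey, the build pipeline signs a firmware image with that subkey, and the endpoint TCB (holding only the root public key in its Trust Anchor) verifies the chain, which is the "executable image validation" and "signature verification" duties listed earlier. The SubkeyCert format, role strings, and the Ed25519 choice are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SubkeyCert binds a subkey's public key and role to the organizational root key
// (a constructed format for illustration; real deployments use X.509 or similar).
type SubkeyCert struct {
	Role    string // e.g. "code-signing" or "peer-comms"
	Pub     ed25519.PublicKey
	RootSig []byte // root key's signature over role || pub
}
func certBody(role string, pub ed25519.PublicKey) []byte {
	return append([]byte(role+"\x00"), pub...)
}

// IssueSubkey runs on the trusted (offline) machine that holds the root private key.
func IssueSubkey(root ed25519.PrivateKey, role string) (SubkeyCert, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SubkeyCert{}, nil, err
	}
	return SubkeyCert{Role: role, Pub: pub, RootSig: ed25519.Sign(root, certBody(role, pub))}, priv, nil
}

// SignImage runs in the build pipeline with the code-signing subkey.
func SignImage(codeKey ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(codeKey, digest[:])
}

// VerifyImage is the endpoint TCB's executable image validation: it trusts only rootPub
// (held in the Trust Anchor) and walks the chain root -> code-signing subkey -> image.
func VerifyImage(rootPub ed25519.PublicKey, cert SubkeyCert, image, sig []byte) error {
	if cert.Role != "code-signing" {
		return errors.New("subkey not authorized for code signing")
	}
	if !ed25519.Verify(rootPub, certBody(cert.Role, cert.Pub), cert.RootSig) {
		return errors.New("subkey certificate not signed by organizational root")
	}
	digest := sha256.Sum256(image)
	if !ed25519.Verify(cert.Pub, digest[:], sig) {
		return errors.New("image signature invalid")
	}
	return nil
}
```

Because the role is part of the signed certificate body, a peer-communication subkey issued by the same root cannot be repurposed to sign code, and a subkey issued by any other root fails the first signature check.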
Endpoint Password Management
Passwords are a critical element of securing your IoT network. In particular, you should make sure you follow password best practices and minimum complexity requirements, disable default passwords, implement brute-force attack mitigation (on the server side or via secure storage on mobile devices), hide credentials on the login screen, and limit the number of incorrect password attempts (e.g., increasing time between attempts and lockout). In addition to IoT end users, administrators should not rely on a “back door password” into the IoT system.
Because of IoT’s “emerging” status, compliance frameworks aren’t as well known or well established as standard cybersecurity frameworks. However, there are several best practices and ways you can ensure compliance with existing rules and recommendations.
Most firmware incorporates protocol requirements, but it’s essential to check that IP standards are followed (e.g., use of IPv6). It is also recommended to use Wi-Fi HaLow (802.11ah) with IoT devices. Because of its low energy consumption, Wi-Fi HaLow makes it easier for signals to cooperate across an extensive network. Wi-Fi HaLow offers high data rates and wide coverage, making it an ideal choice for IoT networks, including machine-to-machine (M2M) networks. Other protocols explicitly designed for IoT devices include Zigbee, Thread, and Z-Wave.
Bluetooth Smart, also known as Bluetooth Low Energy, offers more speed while using less power. The technology, developed by the Bluetooth Special Interest Group, originated as part of the Bluetooth 4.0 specification and gained popularity due to its low cost and easy deployment.
IEEE P2413 Standard
This standard provides architecture guidelines for the IoT. Rather than providing a one-size-fits-all framework or an industry-by-industry framework, P2413 focuses on how industries are interconnected and, from there, how to build a secure architecture. The standard provides IoT domains and domain abstractions, a quality “quadruple” trust structure, multi-tier system integration recommendations, and documentation guidelines. This standard went through several drafts starting in 2018 and underwent working group scrutiny to become approved in 2020 (although it is still undergoing continuous review). Notably, the framework is not free to download, but if your company heavily integrates IoT devices, it’s an excellent reference when determining your IoT network architecture.
It’s clear the IoT is still emerging, but it’s never too early to start thinking about how best to secure it. With the increasing trajectory of IoT devices used within the office, manufacturing, and homes, understanding the current guidelines will help set your company apart and lay the foundation for a secure future. If you need help determining the next steps for securing your IoT network, contact RSI Security today for a consultation.