IoT security from the outside in and inside out

The Internet of Things (IoT) is a confusing concept. It implies that interconnecting devices is a new concept (it’s well worn), IoT devices are always connected to the Internet (they’re not), and the centre of attention is the IoT device (it’s not). IoT is about converting data to action by extracting and exploiting information from devices around us.

That means the integrity and trustworthiness of the data must be beyond reproach; otherwise the results and processes are at risk of being manipulated, intentionally or otherwise, writes Anthony Smith.

Security must play an integral role throughout the lifecycle of IoT data, while the data is in motion and at rest. And it is here that we hit the ‘Achilles heel’ of most IoT implementations: they’re untrustworthy due to poor or no security. That’s why IoT network penetrations and data breaches arise in every industry – enterprise, retail, healthcare and consumer.

A recent global study, ‘The Internet of Things: Today and Tomorrow’, commissioned by Aruba, a Hewlett Packard Enterprise company, warns that connecting thousands of things to existing business networks will open up new security challenges. Signs of this are already evident, with 42 per cent of Australian businesses currently leveraging IoT admitting to having suffered a malware security breach in the past.

The reason is simple. The engineers who design IoT devices are typically trained on process reliability and application-specific architectures. These fall under the remit of operations technology (OT), the goal of which is to make products work as reliably for as long as possible. Cybersecurity expertise sits with information technology (IT) engineers.

The study also found that 88 per cent of organisations in Asia Pacific have experienced at least one IoT-related security breach, the highest rate in the world. More than half of respondents in Australia (51 per cent) declared that external attacks are a key barrier to embracing and adopting an IoT strategy. This confirms that a holistic IoT security strategy, built on strong network access control and policy management, will not only protect enterprises but also simplify the security approach for IoT.

Until IoT security can shift from the devices that generate the data to the applications that consume them, neither the devices nor the data should be trusted. And if they can’t be trusted, then they shouldn’t be used for business applications.

That lends some urgency to the task of IoT security. According to Gartner, by 2020, IoT devices will outnumber users with laptops, tablets or smartphones by more than three times. It is predicted that there will be 21 billion IoT devices in use worldwide by this time. But addressing the shortcomings isn’t a trivial task. The diversity of installed legacy devices is vast, and finding suitable replacements may not be either technically or economically viable, not to mention the disruption that upgrades would cause to on-going operations.

The solution is to build trust where it doesn’t exist today by incorporating security features into new IoT devices, and by enveloping legacy devices within a protective bubble. This task can be accomplished by moving the demarcation point for trust as close to the origin of the data as possible by applying layers of protective services within and/or around IoT devices.

Essentially, you want to create a defensive framework in which no device or user is trusted until proven otherwise. The framework should leverage contextual information from a multitude of sources to scrutinise user and device security posture before and after they connect. Doing so helps overcome the limitations of fixed security perimeters tied to physical boundaries, which break down in the face of IoT devices that can connect and work from practically anywhere.

The IoT security framework should include the following protective mechanisms:

  • Authenticating source/destination devices and monitoring traffic patterns;
  • Encrypting data packets using commercial and, where applicable, government encryption standards;
  • Enveloping the packets inside a secure tunnel to ensure they go only to their intended destination;
  • Fingerprinting IoT devices to determine if they are trusted, untrusted or unknown, and then applying appropriate roles and context-based policies that control access and network services;
  • Inspecting north-south traffic with application firewalls and malware detection systems to monitor and manage behaviour; and
  • Leveraging enterprise mobility management (EMM), mobile application management (MAM) and mobile device management (MDM) systems to monitor behaviour and protect other devices in the event of a policy

Legacy IoT devices can be identified as known or unknown when they connect to the network by looking up their MAC address in an internal or external device database. The profiling data should flag a device that changes its mode of operation or masquerades as another type of IoT device, and then automatically modify that device’s authorisation privileges. For example, if a Programmable Logic Controller tries to masquerade as a Windows PC, network access should be denied immediately.
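The profiling decision described above, as an added example that is not from the article or from any Aruba product: a MAC address is looked up in a device database, the device's observed behaviour (DHCP vendor class and initial IP TTL are assumed as the fingerprint signals) is compared with its registered profile, and a mismatch such as a PLC behaving like a Windows PC results in denial. The OUI table, device database and fingerprints are constructed sample data.

```python
"""Device profiling check for a network access control policy.

Added example. The OUI table, device database and observed fingerprints
below are constructed sample data, not real inventory."""
from dataclasses import dataclass

# Constructed OUI (first three MAC octets) -> device class; hypothetical values.
OUI_VENDOR_CLASS = {
    "00:1A:2B": "plc",
    "00:50:56": "virtual-machine",
}

# Constructed internal device database: MAC -> registered device profile.
KNOWN_DEVICES = {
    "00:1A:2B:11:22:33": "plc",
}


@dataclass(frozen=True)
class Fingerprint:
    mac: str
    dhcp_vendor_class: str  # DHCP option 60; Windows clients send "MSFT 5.0"
    ttl: int                # initial IP TTL; Windows uses 128, most embedded Linux stacks 64


def classify(fp: Fingerprint) -> str:
    """Infer what the device *behaves* like from the observed signals."""
    if fp.dhcp_vendor_class.startswith("MSFT") or fp.ttl == 128:
        return "windows-pc"
    return OUI_VENDOR_CLASS.get(fp.mac[:8].upper(), "unknown")


def decide(fp: Fingerprint) -> tuple:
    """Return (role, reason). Unknown MAC -> quarantine; profile mismatch -> deny."""
    expected = KNOWN_DEVICES.get(fp.mac.upper())
    observed = classify(fp)
    if expected is None:
        return ("quarantine", "MAC not in device database")
    if observed != expected:
        # The alert a SOC would want: registered identity and observed behaviour disagree.
        return ("deny", f"registered as {expected} but behaving as {observed}")
    return (f"role-{expected}", "profile consistent")


if __name__ == "__main__":
    print(decide(Fingerprint("00:1a:2b:11:22:33", "", 64)))          # role-plc
    print(decide(Fingerprint("00:1a:2b:11:22:33", "MSFT 5.0", 128)))  # deny
    print(decide(Fingerprint("00:50:56:aa:bb:cc", "", 64)))           # quarantine
```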

Policies are only as effective as the information used to build them and the enforcement tools available to apply them. Applying a systems approach to the problem will help identify the IoT threat vectors and the security technologies needed for remediation.

In time-critical IoT deployments such as oil platforms and industrial pumps, it’s necessary to collect IoT data and process it instantaneously on site to avoid the unacceptable latency of backhauling it to a data centre for analysis. These edge IoT processors also need protection because, like data centre servers, edge processors are frequent targets of attack.

VPNs and firewalls provide some measure of protection, but do little to address attacks targeting an edge processor’s BIOS and operating system. Here, a secure boot feature ensures that each component launched during the boot process carries a cryptographic signature that is verified against a set of trusted certificates embedded in the BIOS. Secure boot also validates the software identity of the drivers, shell applications and boot loaders. If a violation is detected, a secure backup copy is loaded and the boot process restarted.

The end game with IoT is to enable business transformation by exploiting the rich sources of data locked inside of IoT devices. Most IoT devices and the data they generate are untrustworthy, but with the right security measures you can level the playing field so the extraordinary benefits of the Internet of Things can be realised without incurring unacceptable risk.

With three out of four Australian businesses expecting to use some form of IoT by 2019, according to the Aruba study, now is the time to embrace this immense change, but do so with caution and with appropriate security measures in place. BFM

Anthony Smith, General Manager South Pacific at Aruba, a Hewlett Packard Enterprise company.



Business First is a peer-to-peer magazine: written by CEOs and other high level executives, with interviews with some of the country’s best leaders.