10 Steps to Securing Your IoT Device
Hackers are using all sorts of devices to launch their dirty DDoS attacks. Don’t let your security camera, DVR or nanny cam become part of a botnet.
In a recent document called Strategic Principles for Securing the Internet of Things 2016, the Dept. of Homeland Security explained that security for the Internet of Things hasn’t kept pace with innovation. As the nation’s critical infrastructure becomes networked – and we become more dependent on network-connected technologies – vital processes that were formerly handled manually are now digital – and vulnerable to attack.
There’s just as much risk for private companies. Compromised devices can impact your operations, costing you time and money. In addition to lost business, you may be hit with a whopping charge for the data used by those bots.
IoT attacks also can make you look bad. Even though some big and respected companies have been hit recently, there’s a perception of incompetence when a company is hacked. Shouldn’t they have known better?
Read on to learn steps you can take now to secure your Internet of Things application or services and tips for creating an IoT system that’s secure by design.
Boosting security on existing IoT
With some 6.4 billion IoT devices already deployed in the field, experts estimate that as many as 80 percent of them don’t have adequate security. Because of the need to keep them as small and inexpensive as possible, many are manufactured without the ability to be encrypted or updated – and lots don’t even have traditional interfaces. They don’t necessarily verify cryptographic signatures properly. They may or may not have secure encryption key exchange.
These factors make security a daunting problem. If you have concerns about already-installed devices, here’s what you need to do:
1. Keep updated (when possible).
In many cases, hackers exploit well-known vulnerabilities in devices’ operating systems or software. While devices such as servers and hardware can be regularly updated, that’s not so easy for the smaller, embedded devices that make up so much of the IoT.
Your first step should be to find out whether devices in your deployment do have known vulnerabilities and, if so, whether it’s possible to patch them. If you identify vulnerable hardware or software that can’t be patched, these should ideally be replaced with more modern, secure devices. If this isn’t possible, look to secure your system higher up the stack.
2. Impose security on cellular communications.
If your system uses cellular connectivity, it’s inherently more secure, because it doesn’t rely on a local network that’s shared with other devices that might be compromised. Because your device is not visible on the public internet, it’s less vulnerable to attack.
To increase security, ask your provider about imposing default levels of security on your devices such as a firewall. There are platforms and service providers that enable not only connectivity but also device management, diagnostics, and baked-in security.
For example, Hologram transmits data using HTTPS and the 256-bit Advanced Encryption Standard, the security standard used by the U.S. government for protecting top-secret information. Network-level security can also be updated regularly even if device-level security cannot.
3. Communicate with your vendors.
It’s important to keep in touch with your vendors and to give them clear guidance on your security goals and how they may be impacted by financial or business considerations. Vendors may be able to increase security at the network level, for example, rather than at the device level.
Create a secure new deployment
In its Strategic Principles document, the Dept. of Homeland Security said that security should begin with the initial design process. This approach is known as “security by design.” Incorporating security from the get-go is cheaper and easier than trying to bolt on security solutions later. In addition, this can be a differentiator in the marketplace.
While the IT world has traditionally seen security as a trade-off with usability, this does not need to be so. When you approach security and usability holistically in the early design phase, it’s often possible to make huge gains in security without impacting usability.
IoT security has four layers, according to Microsoft Azure:
- Hardware manufacturer or integrator
- Solution developer
- Solution integrator
- Solution operator
Each of them plays a role in designing and deploying the most secure system feasible.
Homeland Security identified these best practices:
1. Make security the default.
Many manufacturers ship hardware or software with generic usernames and passwords like 1234, assuming that these will be changed by the installer or end user — but this often never happens. Meanwhile, botnets scan the Internet of Things for these known, factory-default usernames and passwords: It’s an easy entry point.
Make sure your systems integrator or internal IT staff checks passwords and usernames and changes those that are not secure.
2. Use the most recent operating system possible.
Many IoT devices run Linux, but they don’t necessarily use the most up-to-date version. The advantage of open-source software is that it’s constantly improved by contributors, and these improvements include changes to remove vulnerabilities. That doesn’t make the current OS invulnerable, but at least it will not include widely publicized holes.
3. Select hardware with security features.
When economically and technically feasible, choose hardware that includes security features, for example, computer chips that integrate security at the transistor level or embed it in the processor to provide encryption and anonymity.
4. Plan for disruption.
System designers should understand the consequences of the failure of a device or part of the network. The best practice is to create a system in which the failure of one IoT device doesn’t disrupt the rest of the system. When this is not possible, understanding the consequences can lead to better decisions about risk.
5. Design in the ability to update and patch.
Even when security is included at the design stage, vulnerabilities may be discovered later on. When devices are upgrade-capable, they can be maintained with the latest security and flaws can be patched as new information is discovered and understood. This results in a system that can adapt to new and changing threats or attacks.
It’s also important that the updating mechanisms themselves are secure, tested and use cryptographic signatures because the updating process itself is vulnerable to attack.
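One way a device can check an update before installing it, shown as an added example that is not code from the original article or from any vendor. It uses a per-device HMAC-SHA256 key from the Python standard library as a stand-in for an asymmetric signature (with a real signature scheme the device would hold only a public key); the manifest fields, key derivation, device IDs and function names are assumptions.

```python
import hashlib
import hmac
import json

MASTER = b"constructed-factory-secret"  # constructed sample; keep the real one in an HSM
IMAGE = b"FIRMWARE 1.5.0 (constructed sample image)"

def device_key(master: bytes, device_id: str) -> bytes:
    """Derive a unique key per device so one leaked key exposes one device only."""
    return hmac.new(master, b"fw-update|" + device_id.encode(), hashlib.sha256).digest()

def sign_manifest(key: bytes, manifest: dict) -> str:
    """Vendor side: tag the canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_update(key, installed, manifest, tag, image) -> str:
    """Device side: return 'ok' or the reason the update is refused."""
    expected = sign_manifest(key, manifest)
    # Constant-time comparison; nothing in the manifest is trusted before this passes.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "bad-signature"
    # Refuse equal or older versions so a patched flaw cannot be reintroduced.
    if tuple(manifest["version"]) <= tuple(installed):
        return "rollback"
    # The tag covers the manifest; the manifest's hash covers the image.
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return "image-mismatch"
    return "ok"

def demo() -> dict:
    key_a = device_key(MASTER, "cam-0001")
    key_b = device_key(MASTER, "cam-0002")
    manifest = {"version": [1, 5, 0], "sha256": hashlib.sha256(IMAGE).hexdigest()}
    tag = sign_manifest(key_a, manifest)
    forged = {**manifest, "version": [9, 0, 0]}
    return {
        "valid": verify_update(key_a, [1, 4, 2], manifest, tag, IMAGE),
        "tampered_image": verify_update(key_a, [1, 4, 2], manifest, tag, IMAGE + b"!"),
        "rollback": verify_update(key_a, [1, 5, 0], manifest, tag, IMAGE),
        "other_device": verify_update(key_b, [1, 4, 2], manifest, tag, IMAGE),
        "edited_manifest": verify_update(key_a, [1, 4, 2], forged, tag, IMAGE),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```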
6. Plan for the end of device life.
At some point, devices may no longer be able to be patched and will need to be replaced. It’s much better to create a schedule for replacing old devices before they fail instead of waiting until they conk out. Also be mindful of when support for hardware and software ends.
7. Participate in information sharing.
You should develop a policy regarding the disclosure of information from your company and form a computer security incident response team (CSIRT) that includes your developers, manufacturers and service providers.
You can also get information and alerts about vulnerabilities and major incidents from the US Computer Emergency Readiness Team (US-CERT); the Industrial Control Systems (ICS)-CERT; and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). There are multi-state and sector-specific information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs), as well as industry-specific Community Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) that share information about cybersecurity incidents.
Protection begins at the manufacturing stage, with every device needing a unique cryptographic key that doesn’t get leaked.