This article was originally published in the ISACA Journal Volume 3, May 2017. Most of the IoT issues are still relevant but a lot has changed since and warranted an update. The updates are highlighted (Gray boxes) throughout the post, but if you are interested in the ongoing regulatory, industry and/or voluntary initiatives in IoT security, please feel free to dive right into the final section.
Before we begin, here’s a little refresher on the term IoT: Kevin Ashton coined the term “Internet of Things” in 1999. Bruce Schneier considered this system of systems to be a composition of the internet, things, and us, and hence considered “Internet+” to be a more relevant term in his 2018 book “Click Here To Kill Everybody”. Hod Fleishman in 2020 suggested moving away from the term “IoT” altogether.
The resolve to address IoT device security at various levels—hardware and software, government and enterprise, consumers and services—is widespread. This soaring resolve is primarily due to the sheer quantity of IoT devices that are available and the ease with which these devices can be compromised and converted into thingbots. Thingbots are botnets of infected IoT devices which can be used to launch attacks that are like the 2016 Dyn attack, which affected more than one million devices, of which about 96 percent were IoT devices1,2.
The primary issue is with IoT device hardware which is manufactured mostly outside of the United States and needs to be regulated3. The retail industry sector has been the leading adopter of IoT technology because it reaches out directly to numerous customer bases, unlike the health care sector, which does not have benefits that are transparent immediately to the end user and has higher risk.
IoT Security—The Game Plan
The game plan for IoT security provides an overview of the IoT ecosystem and addresses standards, frameworks and regulatory proposals that have developed recently. Figure 1 below depicts an IoT ecosystem in which information security forms an integral part.
IoT can be categorized into three major areas – Consumer IoT, Commercial/Enterprise IoT, Industrial IoT.
Figure 1—IoT Ecosystem
IoT Standards and Framework Developments
A positive repercussion of the 2016 Dyn DDoS attack5 was the US Department of Homeland Security (DHS) release, in 2016, of principles and guidelines for securing the IoT6. These guidelines are not legally mandatory, but are definitely a sign of a good start toward IoT device security. Some of these guidelines are well-known mantras to most security professionals in the game:
- Leverage security from the feasibility phase
- Apply security updates, patching and vulnerability management
- Follow proven security practices
- Prioritize controls based on the magnitude or impact
- Provide oversight and proper governance of the IoT
- Disconnect the device from the network if there is no absolute business need
Also in 2016, exemptions to the US Copyright Law were approved that allow independent researchers to be able to hack almost any IoT device7. Although numerous limitations apply to the exemptions, they were granted for two years. This will help researchers unlock software for their research without any legal implications. The intentions are right, but the impact of this change, positive or negative, is yet to be seen.
The Industrial Internet Consortium, primarily comprised of IoT-related enterprises, rolled out the Industrial Internet Security Framework (IISF), which outlines best practices to assist developers and end users with gauging IoT risk and possibly defending against this risk8. In early 2017, the US Federal Trade Commission (FTC) announced that it is granting prize money to anyone who develops an innovative tool that detects and protects home devices from software vulnerabilities9.
Another recent development in IoT security is the Sigma Designs S2 security framework, which will be part of every Z-Wave-certified IoT device that is manufactured after March 2017 and is backward-compatible on existing Z-Wave IoT chipsets, making the devices more secure10.
Cyber security researcher and Harvard University lecturer Bruce Schneier recently proposed a more regulated IoT industry in a meeting with two US House of Representatives subcommittees—the Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing and Trade11. He compared the cost of periodically patching vulnerabilities with the incentive and drive for IoT device manufacturers to do so. Schneier pointed out that most IoT devices provide lower profits and that the more frequently replaced devices, such as smartphones, are patched frequently, compared to devices that are seldom replaced, such as thermostats and refrigerators. Smart cars and Blu-ray players fall in between. IoT thermostats and refrigerators that are not likely to be replaced are at a higher risk if they are not patched. If there is no profit or cost benefit for the manufacturer in patching a less frequently replaced product, there is no drive for the manufacturer to patch it regularly; hence, it should be regulated. The other side of this argument is that regulation of the IoT industry would stunt the growth of innovation.
The US Food and Drug Administration (FDA) has been providing some guidance to manufacturers on the best practices to build security into medical devices since October 2014. In December 2016, the FDA added a guide that lists the best ways to secure medical devices after they enter the consumer’s hand, primarily to prevent any harm to patients. The guide also states that the IoT device manufacturers need to report to the FDA if the use of a device has resulted, or can result, in any kind of serious harm or the death of a person. Reporting to the FDA is waived only if customers and device users are notified about the vulnerability in the device within 30 days, the device is fixed within 60 days and this information is shared with the Information Sharing and Analysis Organization (ISAO)12,13. The premise is somewhat similar to the Office for Civil Rights (OCR) sanctions on US Health Insurance Portability and Accountability Act (HIPAA) violations, but the difference is that the FDA guides are just recommendations and are not legally binding. It is believed that these guides will eventually lead to legislation, as in the case of HIPAA.
The FDA has added new draft guidance to the initial publication in 2016 to mitigate cybersecurity risks in medical devices. This is also listed in the final section for convenience.
Most recently, the strategic DIGIT Act (Developing Innovation and Growing the Internet of Things) that was initiated in March 2015 may come to fruition after being approved by the Senate Commerce Committee in early January 2017. This is currently waiting on approval from the full Senate14. To begin with, the DIGIT Act creates a working group that would focus on the security, privacy and other issues around IoT.
The DIGIT Act was finally passed by the US Senate in January 2020.
The Game of IoT Security
By 2020, the number of IoT devices is estimated to reach 200 billion15. Similarly, by 2020 approximately four billion people are estimated to be online16. The online exposure increases multifold by 2020 for the simple reason that human-to-machine (H2M) interactions increase along with the machine-to-machine (M2M) interactions.
Juniper Research has revealed that the number of IoT-connected devices will reach 38.5 billion in 2020. Another useful resource for various estimations of IoT growth is published by Oxford University Professor Phil Howard on the website for his book Pax Technica.
The IoT Arena
Figure 2 shows a conceptual IoT architecture. IoT devices generally fall into one of two categories—one type of device interacts with a gateway, and the other has a gateway built into the device. The second category includes mostly devices that need to be in constant motion, e.g., smart cars and fitness wearables.
Figure 2—Conceptual IoT Architecture
The defense starts at the chip or hardware level. The hardware on which the IoT device is built forms the basis for a robust and secure IoT device. This is like laying a strong foundation for a house to ensure a stable and sustainable end product.
Referring to the IoT ecosystem in Figure 1, the chip and hardware are where the lifecycle of an IoT device starts, which makes this nascent stage the right time to steer the process onto the right path.
Primary threats to an IoT device at the hardware level are that it can be stolen, physically modified, replaced and cloned. Hardware vulnerability examples include pre-built weak default passwords or hard-coded credentials and counterfeit integrated circuits.
The nonprofit Internet of Things Security Foundation (IoTSF) aids all IoT manufacturers, vendors and end users to help secure IoT devices17. Nevertheless, the best countermeasure to combat the hardware vulnerabilities is to regulate the process of manufacturing an IoT device. The manufacturers of IoT devices need to be accountable for not adhering to the appropriate IoT regulatory standards (there are not any standards at the time of this writing), industrial standards and/or guidelines. Today, there are no legal implications for not following the standards, but there can be a push back at the enterprise level in adopting a substandard IoT device from a manufacturer.
The above quote on no legal implications for not adhering to standards is not true anymore. This is evident from all the new regulations and directives that are evolving each day, and also from the breaches caused due to insecure IoT.
This push back can prevent most hardware vulnerabilities and software weaknesses that may be inherently available in IoT devices. If hardware vulnerabilities are not mitigated, the rest of the controls, methodologies, frameworks, time, resources and investment to make IoT devices secure cannot be effective. Some of the regulations and push back need to be driven by the respective governments, with assistance from the security community.
Major threats to the software or firmware on an IoT device are that the software can be modified or decompiled to extract credentials and leveraged to perform DDoS attacks. The vulnerabilities at the software level are:
- Insecure code
- Hard-coded default passwords
- Improper software testing leading to backdoors
- Absence of strong authentication during M2M, H2M and machine-to-human (M2H) interactions
The Open Web Application Security Project (OWASP) helps IoT manufacturers to build secure IoT software and periodically categorizes the top 10 IoT software vulnerabilities.
OWASP last updated the IoT Top 10 list in 2018.
Like other network devices, the most common IoT device threats at the enterprise/network level are eavesdropping, man-in-the-middle (MITM) attacks and bandwidth theft. The suggested three steps to protect against these threats are:18
- Identify and inventory the IoT devices in the enterprise and make sure they are integrated into the enterprise asset management program.
- Define standards and baselines for the IoT device security based on enterprise policies and standards.
- Implement the necessary security controls to mitigate IoT risk.
Segmentation of all of the IoT devices onto a separate network zone is recommended, which makes it easier to quarantine the entire IoT zone in the case of a breach19. The rest of IT can continue its operations without any major impact.
If segmentation and zoning are not feasible, adopting a software-defined networking (SDN) model that not only improves IoT security, but also helps with identifying the location of the breach is suggested20.
Other commonplace controls that need to be implemented for IoT devices are the same controls that apply to most of the IT infrastructure today. They are two-factor authentication, stronger passwords or key-based authentication.
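The three steps and the zoning recommendation above can be exercised as a small audit. The following Python is an added example, not part of the original article: it reconciles observed devices with the asset inventory, checks them against a baseline and flags devices outside the IoT zone. The subnet, firmware threshold, field names and sample devices are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed for illustration: the IoT zone subnet and the baseline thresholds.
IOT_ZONE = ipaddress.ip_network("10.20.0.0/24")
MIN_FIRMWARE = (2, 1, 0)  # oldest firmware version the baseline accepts

@dataclass
class Device:
    mac: str
    ip: str
    firmware: str
    default_password: bool  # still using the factory credential
    key_auth: bool          # key-based authentication enabled

def parse_version(text):
    """Turn '2.1' into (2, 1, 0) so short version strings compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(inventory, observed):
    """Return {mac: [findings]} for each observed device that has findings."""
    known = {mac.lower() for mac in inventory}
    report = {}
    for dev in observed:
        findings = []
        # Step 1: every device on the wire must exist in asset management.
        if dev.mac.lower() not in known:
            findings.append("not in asset inventory")
        # Segmentation: IoT devices belong in the dedicated zone only.
        if ipaddress.ip_address(dev.ip) not in IOT_ZONE:
            findings.append("outside IoT zone")
        # Step 2: compare the device against the defined baseline.
        if parse_version(dev.firmware) < MIN_FIRMWARE:
            findings.append("firmware below baseline")
        if dev.default_password:
            findings.append("default password in use")
        if not dev.key_auth:
            findings.append("key-based authentication disabled")
        if findings:
            report[dev.mac.lower()] = findings
    return report

def quarantine_candidates(report):
    """Step 3: unknown or mis-zoned devices are the first to isolate."""
    urgent = {"not in asset inventory", "outside IoT zone"}
    return sorted(mac for mac, found in report.items() if urgent & set(found))

# Constructed sample data (not real devices).
INVENTORY = {"AA:BB:CC:00:00:01": "lobby camera", "AA:BB:CC:00:00:02": "thermostat"}
OBSERVED = [
    Device("aa:bb:cc:00:00:01", "10.20.0.11", "2.3.1", False, True),
    Device("aa:bb:cc:00:00:02", "10.20.0.12", "1.9.4", True, False),
    Device("aa:bb:cc:00:00:03", "192.168.1.50", "2.1", False, True),
]

if __name__ == "__main__":
    report = audit(INVENTORY, OBSERVED)
    for mac, findings in report.items():
        print(mac, "->", "; ".join(findings))
    print("quarantine first:", quarantine_candidates(report))
```

In practice the observed list would come from a network scan or DHCP/NAC export, and the inventory from the enterprise asset management system.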
It is of paramount importance to realize that the key to having these defense methodologies work as expected is to secure the IoT devices and the network from the day that they are introduced into the network. If not, the possibility is high that these IoT devices are hackable forever and they will not be able to be patched and secured. If such a rogue IoT device is detected, it should be replaced immediately21.
IoT devices need to be able to carry out a multifactor authentication, e.g., phone the human user/owner of the IoT device, before the user/owner performs the security update.
Public key infrastructure (PKI) authentication for communication between IoT devices and gateways is a recommended countermeasure to prevent an IoT device from being jailbroken to install unauthorized software. Only certified software should be permitted to be installed during upgrades and patching. Frameworks are being introduced that can help to implement a robust security model for IoT devices.
The KeyScaler 5.0 product from Device Authority offers certificate and key provisioning specifically for IoT devices during the registration process22.
The best defense always starts with a good offense. Early detection and preventing attacks in real time is the priority for security teams and has become the new mantra. Many recent breaches happened months ago or in some instances years ago (e.g., Yahoo breach), before they were detected and the response processes began23.
Quality testing of the IoT software is altogether different from traditional software testing. Autonomy, connectivity and momentum are the three factors that make IoT software quality testing different from traditional software testing24. The concept that security is a process and not an add-on feature is well-known. The IoT software testing for weaker passwords, buffer overflow vulnerabilities, etc. must follow the OWASP best practices. IoT devices should also be tested on universal serial bus (USB) ports for vulnerabilities. The key is to reduce the attack surface of the IoT device to the maximum extent possible. Additionally, like any other IT system that is close to the Internet, store, transmit and process only the minimum amount of sensitive information25.
IoT Risk Management
Forescout categorizes IoT devices into three levels26:
- Disastrous—IP-connected devices that are hooked directly to the Internet are at high risk. They can cause damage to the enterprise by gaining access to sensitive information or cause critical infrastructure impairment.
- Disruptive—Interconnected systems, such as the voice over Internet protocol (VoIP) phones and printers, can result in disruption in business operations.
- Damaging—Devices such as smart bulbs and refrigerators can be used to snoop around the enterprise network to possibly gain access to metadata about the network.
The IoT Cybersecurity Alliance put together an instructive guide on an IoT risk categorization framework. A holistic analysis of IoT cyber risk assessment frameworks, risk vectors, and risk ranking process is presented in the EURASIP Journal on Information Security.
FDA guidance recommends that device manufacturers form or join an information sharing and analysis organization (ISAO), which is similar to the information sharing and analysis centers that exist today. An ISAO can help participating organizations by sharing looming security threats and risk in real time and devising appropriate responses in a timely manner.
Analytics and Detection
Recent advancements in data analytics improve the actionable intelligence metric for security. Products such as Adaptive Defense not only provide security teams with information on the executables that enter the network, but also proactively confirm an incident, rather than just alerting for all suspicious events27. PatternEx combines artificial intelligence (AI) with analyst intuition to offer a threat prediction platform that detects current and emerging threats in real time across the enterprise. This will be and should be the trend going forward, especially with the limited resources and analysts, continuous monitoring, security budgets and more devices being added to the network creating still more ways to get hacked. Determining the point at which an intrusion actually happened after detecting that it happened is the key. AI can, hopefully, reduce the time and resources that are needed to detect an intrusion soon.
Team IoT Governance
The risk of an insecure IoT device is relative based on the domain in which it is operated and the jurisdiction in which it thrives. For example, privacy is at utmost risk when the device handles protected health information (PHI), compared to when it is in an industrial set up, in which the infrastructure or services are at risk. The geography of where the IoT device operates also matters because the legal and regulatory bindings can differ from place to place.
The governance of IoT devices needs to be handled separately, but under the IT governance umbrella. The four critical success factors that contribute to an effective IoT project are an efficient IoT project management team, a project stakeholder who has the authority to drive the IoT project, data and telecommunication infrastructure to support IoT, and subject matter experts to maintain high data quality and address integration issues28.
At a project-management level, the eight steps29 that can help enterprises to put in place a sustainable IoT security program are:
- Identify information
- Prioritize the devices
- Evaluate data loss risk
- Evaluate IoT access risk
- Perform IoT incident response planning
- Formulate a big data strategy to manage the vast amount of IoT data generated
- Devise policies for privacy of sensor data
- Protect IoT devices
The IoT footprint will vary in size based on the industry vertical. As enterprises move forward on the IoT bandwagon to be more profitable and to be able to reach out to an extended customer base, they need to have an IoT strategy that encompasses the entire IoT device lifecycle (from procurement to end of life) in place. Enterprises need to build an IoT risk strategy that evaluates and manages risk. Consider IoT as part of the overall security and risk management portfolio and have a dedicated focus on continuously evaluating and monitoring IoT risk. Early adoption of security into the IoT device lifecycle, at the hardware and software level, is the best practice.
Notable Developments in IoT Security Initiatives Since 2017
Below is a list of initiatives (both government and industry) that have developed since the above article was published in 2017. It is helpful to note that in the United States a bill has to be reviewed by a committee and must be approved by both the House and Senate before it is signed by the President to become a law.
- Developing Innovation and Growing the Internet of Things (DIGIT) Act was finally passed by the US Senate in January 2020. This bill requires the Department of Commerce to convene a working group of federal stakeholders to provide recommendations regarding the Internet of Things (IoT), and it establishes a steering committee composed of stakeholders outside the federal government to advise the working group. The bill will need to be approved by the House.
- Cyber Shield Act was initially introduced in 2017 and was reintroduced in 2019. The purpose of this bill was to establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes.
- Internet of Things Cybersecurity Improvement Act of 2019, which is under review, requires devices purchased by the U.S. government to meet certain minimum security requirements. The Committee has reviewed the bill and a report was published.
- NIST’s Cybersecurity for the Internet of Things (IoT) program developed guidelines NISTIR 8259 and NISTIR 8259A, which promise to have a lasting impact on IoT device cybersecurity.
  - NISTIR 8259 provides foundational recommendations for IoT device manufacturers
  - NISTIR 8259A outlines the IoT device cybersecurity capability core baseline
- California’s IoT law (SB327) became effective on January 1, 2020, and requires all IoT devices sold in California to be equipped with reasonable security measures.
- The UK’s new law, devised by the Department for Digital, Culture, Media and Sport (DCMS), requires all consumer smart devices sold in the UK to adhere to rigorous security requirements for the Internet of Things (IoT).
- The FDA published guidance to help mitigate cybersecurity risks in medical devices.
- The International Medical Device Regulators Forum (IMDRF) is a global voluntary group of medical device regulators with a goal to harmonize the regulatory requirements for medical products that vary from country to country.
- US National Telecommunications and Information Administration (NTIA) drafted documents to address key aspects of Internet of Things (IoT) security.
- The IoT Security Foundation (IoTSF) is a nonprofit organization that composes, maintains and promotes a comprehensive Compliance Framework of recommended steps for creating secure IoT products and services.
- The Industrial Internet Consortium produced an Industrial Internet Security Framework (IISF) technical report.
I plan to update this list as changes happen, so continue to keep an eye on this space if interested. And finally, please feel free to reach out to me if there are any missing references or content updates.