IoT Security: It's All About the Process
With IoT security, complicated dependencies demand complementary processes.
By Mark Baugher, Greenwave Systems
Not long ago, nearly a thousand globally dispersed CCTV cameras were revealed to be enslaved to an IoT botnet for launching DDoS attacks. This news followed research indicating that several baby monitor products were laden with vulnerabilities exposing connected-home systems to a breach. And let’s not even get started on the YouTube Tea Kettle hack video.
These recent examples show how little effort is required for hackers to exploit unsecured devices, and they rightly renew fears about how the rise of the Internet of Things (IoT) is being outpaced by a rise in risks to user data, privacy and devices. According to a recent survey by QuinStreet Enterprise (owner of this site), more than 40 percent of respondents cited security concerns as the top barrier to IoT initiatives.
We can expect more and worse IoT security failures in 2016, so it's a good idea to take a measure of the current IoT security landscape, map out the known vulnerabilities and review best practices for avoiding malicious intrusion.
This article discusses how company IT, product and operational processes are interdependent and play a critical role in IoT security.
IoT Security: What Can Go Wrong?
The aforementioned vulnerabilities were exploited from unsecured or improperly secured IoT products and services. In an end-to-end IoT service, data (say, video surveillance footage) must travel between apps, data centers, gateways and devices and can be attacked at any of those points or exposed en route. The products used require good security and "process assurance" so they can resist, detect and recover from attacks.
Security-aware development starts by determining what needs to be protected from whom and for whom. This analysis identifies the risks to assets that are critical to operation.
A data asset that needs protection might reside or travel between an app, cloud server, gateway or end device. Securing end-to-end services depends on how well each vendor engineered their product. For example, are product access controls (like login) sufficient and properly implemented? Does product development safeguard against backdoors and poor practices? Does product operation detect and recover from attacks? Let’s look at the case of a backdoor attack.
Using a product backdoor, an attacker implements a method of access to bypass the documented device access controls, such as user login. This backdoor might be added surreptitiously by one or more people who program, build or distribute the product. Such a backdoor is a purpose-built vulnerability waiting to be exploited.
Product backdoors are dangerous and any reasonable security policy bans them. But they do creep into development and cannot always be found through penetration and other tests. Best practices for code review, code logging and operations monitoring are needed to prevent backdoor insertion during product development or deployment.
Thus, ensuring product security is about a lot more than which version of Transport Layer Security (TLS) is used or the length of cryptographic keys. Product security depends on secure product development processes, and both depend on zealous adherence to engineering and operational best practices.
Securing the IoT Process
Best IoT practices rest on security policies, or rules, that are properly implemented in hardware, software and protocols for protecting data at rest and in transit, end-to-end. Thus, these policies must extend across the IoT service to each user app, data center server, network gateway or IoT device depending on the particular policy. If any part of the service handles secrets improperly or lacks proper access controls, for example, the security of the entire service is compromised.
Product security features such as logins and passwords are important, therefore, but the processes by which they are specified, designed, implemented and operated are also critical. Four such processes must be continuously cultivated.
Product Security Functions
IoT product security depends on appropriate and user-friendly access controls for IoT requests, responses, notifications, telemetry data, personal identifying information and other critical assets. The type of controls that are needed in any part of an IoT service must be pre-determined by security analysis at the commencement of product development and evaluated by security audits during the process.
Thus, good product security builds on secure product design and implementation for user login, IoT device introduction and administration. These practices must be built into the product development lifecycle and cannot be tacked on in the final stages prior to release.
Secure Product Development
Security-aware product development starts with a well-documented and auditable development process, which extends through to operations, update and eventual retirement. The process includes analysis of the physical and information assets that the product handles, the risks to those assets and the threats that may realize the risks.
Compliance with secure product development benchmarks and coding standards (such as CERT C, ISO 27034, ISO 27001 or the NIST Cybersecurity Framework) are worthwhile goals. At the very least, an analysis of the gaps between requirements and capabilities using one or more benchmarks is critically important for IoT service development. Even the best software development process and product security features have vulnerabilities, however, and effective operations monitoring is needed to detect attacks and recover from them.
Security operations encompass the obvious things (such as password or credential refresh) as well as the extraordinary (like premeditated compromise of software or hardware). An IoT service also needs a security incident response plan (such as a CSIRT Plan) and intrusion detection.
Given the critical nature of IoT services in arenas like transportation and health, more security attention is justified. Effective security operations stem problems that can arise from interdependencies, such as the linkage between the product development build system and the business IT system.
The organization that releases and maintains a product, IoT or otherwise, usually needs to maintain Web services, email, document systems, wikis, build systems, firmware updates and business systems. Each such service is a potential opening for a direct attack on the organization's IT and an indirect attack on the products that the organization deploys.
The interfaces among the organization’s business, product development and operations are critical dependencies where weaknesses in one complex system provide a gateway to another. Business IT security is therefore fundamental.
An IoT service's interdependencies are illustrated in the IoT process "stack" illustrated below.
The figure shown presents the IoT processes that rely on one another as a list that does not break out the myriad dependencies among the systems, which is beyond the scope of this short article.
Above the stack and dependent upon it is the "security user experience," which is as important to security as the choice of access controls and protocols: A poor security user experience can lead the user to disable or circumvent security features and completely undo the security of the product or service.
But of all the processes shown in the figure, the business IT system is foundational; the business information system often has crucial links to build, deployment and operational systems, making IT the first process to consider when considering weak links in the IoT service chain.
In an end-to-end IoT service, it ultimately falls to the service operator to ensure that product features are correct and the processes for designing, implementing and maintaining the product protect privacy, resist attacks, detect attacks when they do occur, and ensure that the system can recover.
Starting with a gap analysis for secure, reproducible and continuously improved process standards (available from the SANS Institute and similar organizations), IoT service operators can take a measure of the current threat landscape and their position in it. No single standard is likely to fit the needs of all, but many are excellent for identifying process issues. (Security auditing firms also perform gap analyses and can advise process owners.)
IoT services and products have security requirements that rise above and beyond other services: Users need to be able to trust their IoT services and the services need to be worthy of that trust. To achieve that goal and prevent more incidents of failures, it would seem obvious that collectively implemented security processes to correct flaws, assure common mistakes are avoided and verify attack resistance are mandatory for all participants in developing and operating any IoT service.
Mark Baugher is the Principal IoT Engineer at Greenwave Systems, an IoT software and services provider working with Verizon, TCP, NXP, IBM, E.On and more. Mark is a highly regarded IoT security engineer, having created and patented multiple technologies that played a major role in driving a smart connected future. He is also a well-respected thought leader and speaker at industry events such as Fall Comdex, IEEE Conference and ACM International Conference.