The promise, benefits, and value of the Internet of Things have been documented extensively, but with it also comes a whole host of concerns about IoT security. There have been a number of widely publicized IoT attacks that can easily leave the impression that the Internet of Things is deeply insecure. What is often not mentioned is that many of these attacks originated in failures to implement even the most basic protections.
Take the Mirai botnet denial of service (DoS) attack on Internet infrastructure in the U.S. and Germany. They involved video cameras with factory-embedded, hardcoded passwords that attackers scanned online, attempted to log in, and where successful, added the devices to the botnet. In another case, two hackers developed a tool that could hijack a Jeep Cherokee over the Internet. Just as with the Mirai cameras, the jeep was connected to public networks without encryption, or even a required password. Even where the vendor has taken reasonable precautions, but is using new protocols that are more designed for interoperability than IoT cybersecurity, things can go horribly wrong, as can be seen in a – literally - fly-by attack on smart lighting.
We should not base our opinion on the state of Internet of Things security on such examples.
It is not surprising that many of the privacy and security failures in IoT are in the consumer space. There is still a sense that consumers won’t pay for robust security features. But the biggest factor by far is a lack of knowledge about modern security practices by the consumer products manufacturers adding Internet connectivity. The failure to implement basic protection features – ones we would expect in our smartphones, tablets, and laptops – should not lead us to conclude that IoT is inherently unsafe and impossible to secure. In industrial IoT, the operator has a substantially higher level of control than consumers do. The industrial operator can place demands on vendors and make educated choices about which Internet of Things devices to deploy. We have decades of experience in IT and enterprise security that has resulted in best practices we can apply to IoT landscapes. Your personal laptop in 2017 is substantially more secure than it was 10 years ago, let alone 20 years ago.
At the same time, we have to recognize that IoT security must address several unique challenges. First is that the devices are deployed “where the action is” – whether that’s on the factory floor, on oil platforms or public roads, or in offices, stores, and moving vehicles, or in cities running over wireless networks.
That means that they are often physically accessible by employees, contractors, and even the general public. If we compare that to modern cloud data centers where only authorized personnel can enter, that is a substantial difference. With more people having potential access, the risk of compromise goes up, so we may need to ensure the device itself is physically protected against tampering.
And depending on where your connected devices are deployed, environmental factors and physical constraints also need to be considered. They may need to run under adverse conditions or include protection against the weather. Battery-powered devices may need to perform as little computation as possible to preserve battery life. And some devices may not even be capable of the complex math required for encryption – or need to communicate over low power networks that don’t provide enough security.
But these are not insurmountable obstacles. The question is less one of not knowing what to do to protect IoT environments, but one of how to implement and apply security measures to keep the solution safe.
Here are five key recommendations for securing the internet of things:
Manage risk: Modern security practices follow a risk-based approach that considers both the ease of an attack and the impact should one happen – giving a strong indicator of how much security you’ll need. The reality is that an IoT solution that monitors, manages, and optimizes operations in a chemical factory requires much tighter security protocols than one that simply turns off the light in a conference room when sensors detect nobody is present. In the former, a successful attack could lead to a catastrophic industrial accident including injury and loss of life. In the latter, the worst that could happen is that an electricity bill is a little higher.
Limit device-to-device communication: There is a misconception that the Internet of Things by definition means that many devices are connected to many other devices – increasing the risk that a successful attack leads to catastrophic failure or to the take-over of a substantial portion of your IoT infrastructure. In many cases, devices have a single purpose and only need to send the data they collect to a single location. By limiting the number of IoT devices that talk to each other, we can better secure each one and limit the damage should any breaches occur.
Retain control over your IoT infrastructure: The risk is yours, any failure in security is your responsibility, and you will be held accountable for the result – so it is important to maintain control. This starts with device selection: Make sure that they either have the security features you need, or, preferably, are “open” so you can analyze and understand how they work, and then add any features you need to fill security gaps. This includes the ability to update devices in an automated and secure way and to control that process yourself.
Use encryption from end-to-end: It’s critical to encrypt communication between devices and data ingestion points to make sure nobody can listen in, tamper with sensitive data in transit, or recover enough information to spoof or impersonate the device and feed the system manipulated data. Modern encryption techniques work in much the same way as HTTPS does to protect information online. Encryption also needs to be tied to device identity to ensure the data we think comes from a particular device actually does.
Leverage existing expertise: Apply proven security technologies, tools, and best practices used in traditional IT landscapes. In many cases, they can be implemented directly: by using digital certificates or equivalent, by restricting what IoT devices can do and which they can communicate with, and by adding protection and monitoring mechanisms. In other cases, with microcontrollers and low-power networks for example, we may need to apply new techniques, but we can draw on existing principles and concepts.
IoT adoption is still in early days. Unfortunately, that means that there aren’t many established standards yet, and while the number of devices brought to market is quickly rising, certification schemes and regulations are lagging. As a result, adopters still need to carefully plan and build-in security from the start, and properly evaluate any IoT equipment brought in-house.
As large technology providers that recognize the security challenges introduce new IoT technologies and software solutions, the situation is rapidly improving. At SAP, we’re also committed to both describing the pitfalls and providing clear guidelines to overcome them – and we are happy to assist you in this area.
But we also need your help.
We need to hold vendors of Internet of Things products accountable, ensuring they’ve either implemented strong security mechanisms or will allow us to add them should we wish. Device security will improve dramatically when vendors understand there won’t be a buyer for their product otherwise.
You can find a lot more detail on IoT hacking and other security threats, as well as how to address them in these SAP Community articles: