[BreachExchange] Securing the Insecure: Security Challenges Posed by the Internet of Things

[Audrey McNeil]

http://www.iotevolutionworld.com/iot/articles/437453-
securing-insecure-security-challenges-posed-the-internet-things.htm

Many organizations are experimenting with IoT deployments, ranging from
automation systems and sensor networks to critical connected healthcare
solutions, connected vehicles, and industrial robotics. Such deployment
scenarios can automate device management, improve efficiencies and reduce
operational costs, while improving the customer experience. Opportunities
exist in every business sector, and early adopters are racing to secure a
first-move advantage.

However, IoT brings several security challenges with far-reaching
consequences. These challenges differ from those present in more
conventional technology infrastructures. Unlike traditional cyber security,
which often results in data compromise, security challenges resulting from
real-time IoT networks can have serious implications on human security and
safety.

IoT system security challenges
IoT security challenges are categorized into a three-tier architecture:

- Security of Devices: It’s vital that each device only does what it’s
intended to do, eliminating the opportunity for infiltration and
reprogramming. Over-The-Air update capabilities for software and firmware
updates are essential for speed and efficiency, but can compromise the
security of the system.
- Security of Communications: IoT communications occur over public,
private, industrial and IT networks, and because several IoT devices have
sensors with low computational power, providing data and network-based
encryption falls on Gateways. This results in the need to secure vast
amounts of structured and unstructured data, while supporting various types
of connections and device architectures.
- Security of Cloud/Data Center: IoT devices connect to the cloud remotely,
and data from these devices are stored in the cloud. Securing these
connections is critical, but requires one to secure every data packet
individually – rather than the entire data store – because there are
innumerable sources with varying levels of security.

IoT device security challenges
As more devices populate IoT networks, the security challenge grows.
According to Gartner, around 26 billion IoT devices will be connected by
2020. Key IoT device security challenges include:

- Limitations of traditional ring-fence concept: A significant proportion
of the security challenges surrounding IoT deployments stem from the nature
of connected devices. Since these devices are periodically transmitting
data, the traditional ring-fencing model (intermittently connecting roaming
personal devices like smartphone, tablets, etc.) is proving to be a
challenge. The small size, large-scale and distributed nature of IoT
devices overwhelms such cybersecurity models.
- Irregular Communication Patterns: The sheer volume of IoT devices with
irregular communication patterns can overwhelm many security tools. For
example, the IoT goes beyond simple connectivity to connecting vast
networks of increasingly smarter and more sophisticated devices which
trigger contextually adaptive communication patterns. The conventional
static models deployed in today’s infrastructure are bereft of this context
and hence unlikely to correctly handle such dynamic situations. In
addition, the knee-jerk reaction of cybersecurity experts to deny access to
ring-fenced assets further aggravates the situation.
- Limited Compute Capability of IoT Devices: Sensors and other monitoring
devices have limited computational capabilities, meaning security tools on
computers cannot be installed, due to a lack of CPU power and data storage
capacity. Additionally, many of these tools are not designed to readily
accept updates and patches, or, have configuration and security settings
that cannot be updated.

The following examples illustrate the security challenges with IoT
deployments:

- A critical condition may cause a medical IoT device to send an atypical
pattern of data transmissions. This can trigger a traditional security
system to quarantine the device, and prevent the data from reaching the
doctor.
- A sensor network monitoring water quality of a water supply source may
only communicate in result of altering conditions. If central controlling
systems expect to receive data only in variable bursts, spotting malicious
communications from hacked devices proves difficult. Malicious devices can
replay legitimate communications to trick threat detection systems.
- Another security challenge stems from the many legacy systems still
implemented within organizations. How can a company securely and
efficiently link its 50-year-old mainframe and associated applications -
that send unencrypted credentials and/or data using legacy protocols - to a
new IoT infrastructure that draws from the cloud?

A new strategy is required
IoT projects require IT teams to take a fresh, cautious approach to
security, as conventional perimeter-based approaches have serious
limitations, and deployment of sophisticated monitoring tools are unable to
address all vulnerabilities. For this reason, new suites of trust models,
detection heuristics, adaptive remediation techniques, and tools, must be
sourced, deployed and managed.

The sheer scale of IoT devices requires real-time remediation following a
detected threat. Significant changes must be made to threat
detection-response technologies and procedures so that security staff
remain informed, without being deluged by inconsequential alerts.

On the regulatory front, an IoT-specific risk and governance framework is
required for successful rollout of IoT deployments. Government agencies
must work with the private sector to ensure that suitable guidelines and
laws are in place to guide deployments. As IoT devices permeate more areas,
particularly sensitive places such as schools, hospitals, and homes,
following security guidelines is vital.

IoT has the potential to revolutionize the way many organizations function
and transform the services and products they deliver to their customers. By
addressing factors such as security, or invest in Secure by Design
refactoring, the infrastructures created will be able to deliver on the
large promises technology offers, without compromising safety and security.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180316/08992321/attachment.html>