How can we thwart the cyber-attacks on IoT?

By Mayank Lau

Internet power to connect, communicate and remotely manage millions of networked devices is becoming pervasive. The market and nations are gung-ho about IoT phenomena globally, and so does India. As per pundits, the IoT devices count would reach to 20 to 30 billion by 2020. McKinsey global institute research estimated the probable impact of the IoT on the global economy might reach $6.2 trillion by 2025. Along with it, the Indian market is poised to reach $15 billion by 2020 as cited by a NASSCOM study “IoT in India - The Next Big Wave”. Consumers and organizations both are feeling the IoT gravitational pull in their respective ecosystems. Consumers are adopting the wearables and consuming services with the help of networked devices at public place or at home. Classic examples are smart watch, smart apparel, internet-based glucometer etc., Industry has also experienced the transition from closed networks to enterprise networks to public internet to deliver its business leveraging industrial internet of devices (IIoT).

Industry use cases which are gaining traction are such as but not limited to:

• (I) Oil, Gas and Mining, millions of IoT devices would be used at the extraction sites to provide insights into environmental metrics.
• (II) Manufacturers are expected to leverage sensors for machine-to-machine communications, remote maintenance, worker tracking and workload optimization, etc.
• (III) Agriculture where sensors would be placed underneath soil to check acidity levels, temperature and other variables that can help farmer in improving the crop yields.
• (IV) Retail in which sensors on trolleys and CCTVs are used to track consumer behaviour.
• (V) Healthcare where operating devices are available to the doctors from remote places to conduct surgeries without physical presence in the hospital or with the help of robots.
• (VI) Smart buildings where organizations globally are already demonstrating IoT-based energy efficient solutions to connect and monitor rooftop HVAC systems.
• (VII) Energy conservation to reduce carbon level emissions at home and industry via robust energy management systems leveraging smart grid devices, water quality management, controlled waste management and so on, all equipped with internet enabled sensors and gateways.

IIoT uses cases underlying IoT architectural components such as protocols, networks, sensors, associated IT systems and gateways warrant robust cyber security architecture to achieve the objective of end-to-end protection. One cannot imagine a non-secure future in which IoT devices surround us, optimizing time, furthering our well being, improving our health and transforming workplace productivity. The trends in IoT security landscape by 2020 are, but not limited to, IoT security market is expected to reach nearly $29 billion by 2020, as per a report published by Markets and Markets, 50 percent of manufacturers would not be able to patch vulnerabilities in IoT devices, 2.5% of attacks in an enterprise would be on IoT/IIoT, discovery, provisioning and authentication would eat significantly into IoT security budget and 50% of large IoT implementation would require cloud security services.

IoT landscape is changing at a blink of an eye and also the cyber threat landscape associated with it. IoT devices are exposed to cyber-attacks such as denial of services, identity theft, jamming, tampering, eavesdropping, side channel attacks, stolen keys of encryption and devices acting as bots etc. In case of a cyber-attack on IoT devices, life may come to a standstill or it may cause harm to humans which is different when compared with risk landscape of IT environment in which the consequence is limited to data leakage or services not being available etc. The counter measures against cyber-attacks which need to be deployed by the organizations globally, have an arduous task cut out to achieve objectives such as integrity and confidentiality of data, availability, safety and resiliency of IoT systems.

The burning question is, how we can find a silver bullet for thwarting the cyber-attacks on IoT? The answer is we don’t, because securing IoT ecosystem would evolve with time, learnings from failures, and with data availability for the analysis. Now is the opportune time to understand in detail the security challenges landscape of the IoT ecosystem. The indicative challenges are, but not limited to, guarding program logic controllers (PLCs) embedded in the devices, patching industrial control systems without impacting its functional safety, prevention of unauthorized usage of private information hosted on plethora of IoT devices, anomaly detection in the behaviour of IoT devices functioning and to counter remote hijacking of IoT devices etc.

The journey of secure implementation in IoT ecosystem is not a cakewalk hence it warrants focused attention. Stages which need consideration from security and privacy aspect during implementation are design, implementation, deployment, operations and disposal. Each stage is to be given fair consideration so that there are no loose ends left while on the journey of end-to-end secure IoT implementation. The first stage is a ‘Design Phase’ which may involve building safety & security considerations such as threat modelling, conducting privacy and safety impact assessments, conceptualizing compliance engineering, writing processes & agreements for secure acquisitions & updation, managing SLAs and it is to be accompanied by robust technology selection for components such as hardware, software, third party libraries, authentication, authorization, edge & security monitoring etc., Second stage which is actual ‘Implementation’ consists of stitching elements such as security awareness training, system testing, secure system integration, system configurations and lastly to roll out IoT incident management procedures etc.

The third stage is when organizations actually take a leap of faith for ‘IoT Deployment’ which may consist of foundations such as red & blue teaming, asset management system, security provisioning, verification of security controls and monitoring & reporting etc. Fourth stage is when the organizations should wake up again and re-energise themselves to bear the fruits of all three stages completed till now. It is the stage of ‘operating’ IoT ecosystem, which is to manage eclectic mixture of systems that can continuously deliver compliance assessment, forensics, monitoring, device health management, incident management, etc. Fifth stage is where organizations retire IoT systems as implemented, it is the ‘Disposal Stage’ consisting of elements such as secure device disposal, inventory removal, data purging, data archival and records management etc.

The architectural layer of IoT ecosystem which is of paramount importance are the protocols on which it operates and functions. The protocols such as MQTT, CoAP, ZigBee and Bluetooth etc warrants distinctive cryptography techniques for its protection. The traditional cryptographic methods is a starting point but may not prove to be sufficient in the future. Another architectural layer which is one of the critical components of IoT ecosystem is its Identity Access & Management (IAM). Its sub-element are identity lifecycle, authentication and authorization. Organizations need to take into considerations that next generation IoT devices need to be secured with techniques, which may involve evaluation of context of transactions, application of dynamic authorization policies, leveraging registration authorities, deploying token based authentication and developing non IP-based device protection techniques etc.

The conundrum of IoT cyber security is not confined only to the organizational boundaries. The problem statement is also applicable for the nations working towards building smart cities & towns. The ambition to build smart nations brings new set of cyber security challenges. Some indicative challenges on national level are such as, but not limited to, building IoT/IIoT sectoral inventory, formulation of technical standards to integrate IoT & IT systems, absence of robust field firewalls, field controllers, light weight encryption capabilities, techniques for auto-discovery and device authentication, ineffective threat analysis & intelligence sharing and not able to deliver secure interoperability in use cases integration etc. A national charter for IoT cyber security has to take a deep dive in the ocean of problem statements. The starting points could be building national policy on IoT implementation and its cyber security, funding R&D to build robust IoT technologies, conduct studies on its threat landscape and gaps to extract the directions needed for its future, building assurance ecosystem for IoT products & services and doctrine for health monitoring of IoT devices. The charter on IoT cyber security is recommended to be a live document that may change with technology developments and evolution of cyber-risks.

Do we want to wait until the rise of weaponization of IoT, cyber-attacks leading to loss of human lives and chaos in the social order? The fictional part of our life had demonstrated the same in movies such as Die Hard 4.0, Swordfish and recently released Blackhat. It’s time to rise before it is too late for the organizations and nations to prepare for the omnipresent cyber threats. The grave security and privacy issues of IoT need to be addressed before we miss our train. Factors such as but not limited to end users & clients demanding more secure products, government intervention, regulations and hackers activities may drive this ecosystem preparation. One should take cognizance and remember IoT/IIoT devices will remain targets due to its underlying design and gaps which we might leave unpatched. To end, cyber security quote for this would be “Prepare well or Perish”.

The topic will be deliberated in detail at DSCI Best Practices Meet 2017

The author Mayank Lau is Senior Consultant, Data Security Council of India (DSCI)