By: Sudhir Kamble, Practice Head, Security, Tata Communications Transformation Services Limited
The biggest challenge in ensuring security in IoT network is the lack of standardization regarding security in IoT, leaving service providers unsure about the path ahead.
It is easy to overlook the security gaps in the upcoming technology of Internet of Things (IoT) because it promises to fundamentally transform the way we live and work. Imagine asking your gas stove to prepare a cup of hot steaming coffee as you ask your self-driven car to park after a day at work! All this and more is possible with IoT. The number of connected IoT devices worldwide will jump 12% annually from nearly 27 billion in 2017 to 125 billion in 2030, according to IHS Markit.
The economic impact and benefits of IoT will also be huge. Gartner predicts that the aggregated value and economic benefits of the IoT will exceed $1.9 trillion in 2020.
Even so, the security challenge in IoT can hardly be pushed under the carpet. Each and every sensor or device on the network is a potential weak link in the chain opening the system to a cyber attack by miscreants. The very nature of IoT means that even a small attack can potentially wreak havoc causing unimaginable financial damage and loss of reputation. Besides, privacy is a crucial factor to consider. It is the responsibility of the service provider to make the consumer feel confident that his/her personal information will not be compromised.
In our quest to connect everything and to think of innovative use cases it is essential to secure every component of the IoT ecosystem. As more and more devices connect, the security threat is only going to increase. The biggest challenge in ensuring security in IoT network is the lack of standardization regarding security in IoT, leaving service providers unsure about the path ahead. Apart from that the other issue is the absence of more stringent regulatory measures and industry compliance. Segregation of IoT security services based on the criticality and risk factors is also needed.
It is imperative to include the security considerations right from the beginning. A key reason for this is that IoT network security is a lot more challenging than traditional network because there is a broader range of communication protocols and device capabilities, posing challenges and increased complexity. Here are a few must incorporate security measures:
Insist On End-to-End Security
The management should realize that the ad-hoc way of implementing security is unlikely to work in IoT era. Security needs to be part of the discussions right from design or architecting stage. This strategy is not just a better way of ensuring safety but is also cost-effective. Introducing security measures at a later date is likely to increase the cost and might demand considerable changes in the network.
End-to-end security approach means that all the different components of the network, including IoT endpoints, IoT network, and IoT platform, are secured providing a safe and reliable network to the end consumer.
Encryption Is The Way To Go
Encryption at both network level and application level is required to plug all the security gaps. There are different levels of attack and usually IoT network provider is different from IoT service or application owner. Encryption for both network and application level will create a more robust system. A crucial component of IoT encryption is that it must be accompanied by robust key lifecycle management processes since poor key management will create more problems and might even bring down overall security.
Another point, which is usually overlooked, is that it is always better to use industry standard encryption and avoid proprietary encryption, which is sometimes found in end point devices.
The Question Of IoT Authentication
Device authentication is crucial to the flawless functioning of the IoT network mainly because of the humongous number of devices connected. IoT authentication is not as simple as regular authentication. Managing multiple users of the same device, like connected car means that simple password/pins are unlikely to be effective. Mutual authentication is a norm for improved authentication of the user.
On the user authentication front, weak basic password authentication or using passwords unchanged from their default values is a sure shot recipe of a security nightmare. Adopting an IoT platform that insists on two-factor authentication and enforces the use of strong passwords is a crucial step to provide security of the network.
Patch It Up
Heterogenous devices using multiple networking protocols means that the IoT network is increasingly complex and applying updates, including security patches to firmware or software on IoT devices and gateways is not all that easy. Many times the devices may need to be physically accessed or temporarily pulled from production to apply updates. Secure patching after deployment of the network needs to be ensured. As such patching is required whenever zero-day vulnerability is discovered. Even the firmware upgradation needs to carried out in an extremely secure way to ensure that no malware is injected in the system during the process.
Besides, sometimes security patches themselves may come with vulnerabilities. The fact of the matter is that the users tend to procrastinate or postpone the software update, so the service providers need to include this as part of SLAs to ensure that the software is regularly and timely updated on all devices.
Test, Test And Test Some More
Stringent level of testing is vital to safeguard the IoT network. The problem is that while the manufacturers usually do test the IoT sensors and devices, they are not subject to stringent testing by the service providers for security.
Essentially this means that the service provider is equally responsible to test the IoT device and infrastructure for security. The IoT service should not rely only on the vendor for such testing as they may intentionally or unintentionally provide outdated firmware or kernel. Besides, all the vulnerabilities may not be closed or some default configurations or ports may remain open. The IoT service providers can avoid such issues by conducting in-house security testing or getting a third party expert to thoroughly test the equipment.
Ensuring Protocol Level Security
The IoT security is incomplete without securing the protocol level security. Protocol vulnerabilities, misconfiguration, protocol manipulation attacks are the few. Like Constrained Application Protocol (CoAP) is one of the widely used protocols in IoT and comes with the secure DTLS option to avoid spoofing attacks. Unfortunately, this is the not the default option and hence service providers need to commit security at all levels. Both the manufacturers and operators must focus on protocol fuzz testing to ensure that the IoT ecosystem and network is secure from all possible angles.
There is little doubt that IoT promises exciting times ahead with huge benefits. Adopt these key security measures to realize the full potential of the technology and to ensure that the security threats do not derail your IoT vision.