IoT Security Challenges Simplified

Introduction
The disruptive IoT market spans multiple distinct industries and solutions that share a common technological concept and therefore share its challenges. Understanding the basics of that concept helps in identifying the security challenges. So, what do a presence indicator sensor, an electronic field recording device and a WiFi-based thermostat have in common?
(1) They provide valuable and private data that, once the devices are installed, becomes crucial to the business
(2) They control hardware that affects the business's daily operations
(3) Their install base usually grows exponentially within a single business, expanding its network with each connected device
(4) They are installed/spread across multiple locations within the premises of their owner (field, city, industrial compound)
(5) They are connected to the business network in various ways, via cellular datalink, WiFi or LAN, and transmit/respond over the internet or directly to the intranet
(6) The devices are permanently on and connected.
The Challenges
In accordance with the aforementioned bullets, we can identify the following security challenges:
(1) Data loss or theft — sensitive data that didn’t have a ‘presence’ within the network is now being gathered and analyzed
(2) Unauthorized commands to the devices — devices that had manual or dedicated control protocols are now part of the network
(3) Security measures are ‘pushed aside’ in favor of operational efficiency — network security should support the network's growing magnitude from day one
(4) Devices can be an ‘easy target’ — mass installation of devices that have access to the network, with a default configuration that remains unchanged (admin user/pass, for example)
(5) Opening the network makes it more vulnerable — there’s a need to define new entry points and interfaces to/from the organization network to communicate with the devices
(6) Devices have minimal or no security at all — the devices are designed to run permanently on low power consumption, with minimal HW and SW to enable ‘just what is needed’, utilizing dedicated open source operating systems such as TinyOS and RIOT that don’t have (as of this report) dedicated anti-malware/anti-virus. While the device manufacturers' focus is on low cost and longer lifetime, they often compromise on security measures.
A simplified view of the security challenges can be merged into the following elements:
Data protection — As the devices gather sensitive data, its transmission, storage and processing must be secure for both business and regulatory reasons.
Attacks on IoT processes — Attackers seeking to disrupt a given business’s activities will have more infrastructure, devices and applications to target. Examples include DoS attacks and compromising and/or disabling individual devices that were not connected before.
Expanded network — There are more devices on the network for attackers to probe as possible entry points to broader IT infrastructure. Unlike user endpoints, IoT devices are permanently on and connected, making them prime targets.
Device hacking — Poorly protected IoT devices may be ‘recruited’ to botnets, degrading their performance or spamming the network.
Existing Solutions
The solution landscape can be broken down into the following:
Network Security — E2E protection and securing of the network. It can be further broken down into:
- Unified Threat Management (or next-gen firewalls) — An integrated package that provides firewall, intrusion detection, antimalware, spam and content filtering, VPN and antivirus. The main advantage of such a product is reduced complexity, as everything is managed under the same product.
Solution providers (Government/Business): Barracuda, Check Point, Cisco, Dell SonicWall, Fortinet, Juniper, Sophos, WatchGuard, Firebox
Solution providers (Consumer): Comodo, Luma, F-Secure
- Intrusion Detection/Prevention System (IDS/IPS) — An IPS tool searches the network and data and alerts when it detects malicious activity or a policy violation. An IDS tool also takes action and tries to prevent malicious activity for a certain time period. There is some overlap between the two, as an IDS running in passive mode (providing alerts) behaves in a similar manner to an IPS.
Solution providers: Barracuda, Check Point, Cisco, eEye, Juniper, McAfee, Radware, Sourcefire, Thirdbridge, IBM
- Distributed Denial of Service (DDoS) Protection — A set of techniques/tools for resisting or mitigating the impact of such attacks on networks attached to the Internet by protecting the target and relay networks.
Solution providers: Arbor, Radware, Corero, F5, Neustar, Akamai, Cloudflare, Fortinet, Check Point
Network Security Analytics — Collecting and analyzing data from IoT devices and alerting on/preventing malicious activity or policy breaches. It can be further broken down into:
- (Cyber) Threat Intelligence — Threat analysis is the process of acquiring knowledge, via multiple resources, about threats to an environment, along with actionable advice on how to mitigate them. Its resources can be IPs, URLs, files, mobile apps and the data, its context and their relations.
Solution providers: FireEye, Infoblox, LookingGlass, McAfee, RSA, SecureWorks, Symantec, Verisign, Webroot (gateway TI), Qualys, Check Point, Bayshore Networks, Darktrace
- Network Forensics — A tool to monitor and analyze network traffic and events in order to discover the source of a certain attack or malicious activity. As network traffic is transmitted and then lost, network forensics is often a proactive investigation.
Solution providers: Symantec (Bluecoat), IBM, LogRhythm, Niksun, RSA, Bayshore Networks
Identity and Access Management (IAM) — Management of the identity life cycle, governance, and authentication of IoT devices within a network.
Solution providers: AWS (Amazon), CA, Covisint, ForgeRock, Xively, Micro Focus, Microsoft, Symantec, Ping Identity and UnboundID, Gemalto
Encryption — Encrypting the data at rest and in transit between the devices and the back end to maintain data integrity and prevent data sniffing.
Solution providers: GlobalSign, DigiCert, Entrust, Verisign, RSA, Maxim Integrated, ID Quantique, Gemalto, Vormetric (Thales), Venafi, Akana, Axway, CA, Mashery/TIBCO
Device Security — Any SW/HW that is built into or added to the device in order to protect it from hacking, viruses or malware.
Solution providers: Gemalto, Senrio, Iredato
Android OS has many providers such as 360 Security, Avast, Avira, AVG, AndroHelm, TrustGo, Bitdefender, PreEmptive Solutions
Device Management — IoT devices should be treated like any end-point, with constant updates to ensure their SW/firmware is up to date and unharmed. Constant or periodic FOTA (firmware over the air) updates can ensure the device functions as expected and can alert on malfunctioning or hacked devices.
Solution providers: Barefoot solutions, Gemalto, RedBend
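The fleet check that the Device Management item and challenge (4) describe, as an added example that is not part of the original article: it compares each device's reported firmware against a list of known-good releases and flags unchanged default credentials and silent devices. The report fields, model names, manifest and 24-hour check-in policy are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Constructed release manifest: model -> {version: SHA-256 of the released image}.
KNOWN_GOOD = {
    "thermostat-a": {v: sha256(f"thermostat-a {v}".encode()) for v in ("1.2.0", "1.10.0")},
    "field-recorder": {"2.0.1": sha256(b"field-recorder 2.0.1")},
}
MAX_SILENCE = timedelta(hours=24)  # assumed check-in policy

def vkey(version: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def audit_device(report: dict, now: datetime) -> list:
    """Return the findings for one device check-in report."""
    releases = KNOWN_GOOD.get(report["model"])
    if releases is None:
        return ["unknown-model"]
    findings, expected = [], releases.get(report["fw_version"])
    if expected is None or expected != report["fw_sha256"]:
        findings.append("firmware-not-a-known-release")  # altered or unofficial image
    elif vkey(report["fw_version"]) < max(map(vkey, releases)):
        findings.append("firmware-outdated")
    if not report["default_password_changed"]:
        findings.append("default-credentials")
    if now - report["last_seen"] > MAX_SILENCE:
        findings.append("missed-check-in")
    return findings

def audit_fleet(reports: list, now: datetime) -> dict:
    """Map device id -> findings, keeping only devices that need attention."""
    results = {r["id"]: audit_device(r, now) for r in reports}
    return {dev: found for dev, found in results.items() if found}

def make_report(dev, model, version, image, changed, hours_ago, now):  # sample builder
    return {"id": dev, "model": model, "fw_version": version, "fw_sha256": sha256(image),
            "default_password_changed": changed, "last_seen": now - timedelta(hours=hours_ago)}

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
REPORTS = [  # constructed sample fleet, not real devices
    make_report("t-001", "thermostat-a", "1.10.0", b"thermostat-a 1.10.0", True, 1, NOW),
    make_report("t-002", "thermostat-a", "1.2.0", b"thermostat-a 1.2.0", False, 2, NOW),
    make_report("t-003", "thermostat-a", "1.10.0", b"altered image", True, 3, NOW),
    make_report("r-001", "field-recorder", "2.0.1", b"field-recorder 2.0.1", True, 72, NOW),
]
```

A digest that the device reports about itself is only as trustworthy as the device's boot chain, so this audit works as an inventory check rather than as proof of integrity.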
Summary
It is important to understand that the IoT has introduced a new type of entity to the network — the actual device, which differs from traditional end-points. For example, an organization running an IoT network of 1,000 IoT devices and 10 end-points that looks for a UTM solution will quickly find out that the antivirus or anti-malware does not protect its IoT devices, leaving 99% of its network exposed. Solution providers will have to integrate new technologies and tools into their offerings and amend their marketing and prices accordingly in order to become attractive to IoT-oriented networks. A good example of a new and focused product is Webroot BrightCloud TI for IoT gateways — it provides TI as a service to the gateway, recognizing it as a vulnerable junction that bridges the ‘outside world’, where the devices are, and the organization network.
To summarize, as IoT continues to expand, conquer new frontiers and apply to more and more sectors, the complexity of its installation and network will have to be reduced. A farm, an industrial factory or a simple consumer will have trouble defining or managing an IoT network. Customers will expect a full solution, and device manufacturers/resellers will probably be expected to provide an E2E solution that encompasses security measures and tools. As we already have dedicated cloud-based services for IoT such as AWS for IoT, Azure IoT suite, WSO2 or MuleSoft, we will see more and more security offerings on top of, or as part of, these platforms.
Thank you for reading,
Tal Yahav
