Managing Security in the IoT space

Marcelo Lorenzati
Globant
Jul 29, 2020

Are you in control of your IoT devices? Have you invested in their security or will they turn against you?


Introduction

In this article we discuss the conception of IoT, its adoption and growth, and how security has been a recurring concern for its use in industry, the home, healthcare and IT, mainly because of the major security failures seen in the news. We show the security risks and how the industry has started to invest in mitigating them systematically, from the edge to the cloud, with the different platforms and security components.

Ready or not, IoT is here now

IoT is an umbrella term, coined by Kevin Ashton in 1999, for connected digital and physical components. A lot has happened since it started as a single-purpose embedded system connected to the internet: it has become a complex, growing network of connected objects that collect and exchange data, with rules and actions coordinated from cloud platforms.

According to Gartner and Leftronic, there are around 20 to 26 billion active IoT devices as of August 2019, and estimates are 41 billion by 2027, with 127 more added every second. Its market size for 2021 is projected to be around $520 billion.

In addition, attention has to be paid to the Hype Cycle for IoT. The days of toying with the technology have given way to adoption: 65% as of 2020, with an estimated 90% for enterprises, 80% for manufacturing and a concerning 90% of cars connected.

As seen in the Gartner Hype Cycle figure, even though IoT has reached the productivity stage, IoT security is at the peak of inflated expectations and Mobile Device Management is still at the innovation stage.

Image source: Gartner Hype cycle 2019

In addition, according to Gartner, IoT security spending is not growing at the same rate as device growth, which means less effort is being spent securing the IoT systems that are left connected.

Image source: TelecomTV, IoT Security spending vs Device Growth

These conditions set the scene for a potential risk that needs to be mitigated or managed.

Present security risks in IoT

According to OWASP (the Open Web Application Security Project, a nonprofit foundation that works to improve the security of software), the Top 10 vulnerabilities in IoT haven’t changed much since 2018 and only a little since 2014.

  1. Weak, guessable, or hard-coded passwords
    Most IoT systems ship with a default “admin” password that needs to be changed and can easily be brute forced.
  2. Insecure or unneeded network services
    IoT providers leave services such as “bonjour” enabled even when they are not in use, compromising confidentiality and authenticity.
  3. Insecure ecosystem interfaces
    Insecure backend APIs, cloud and mobile interfaces in the ecosystem that allow the device to be compromised.
  4. Lack of a secure update mechanism
    No updates for critical, widely known issues; insecure or unnotified updates.
  5. Use of insecure or outdated components
    Outdated protocols such as FTP compromise privacy and authenticity.
  6. Insufficient privacy protection
    Users’ personal information stored on the device or in the ecosystem and used insecurely or improperly, without permission.
  7. Insecure data transfer and storage
    Lack of encryption in transit, while being processed, or at rest.
  8. Lack of device management
    Lack of asset management for updates, decommissioning and monitoring.
  9. Insecure default settings
    Devices shipped with insecure settings and without a means to make the system safe.
  10. Lack of physical hardening
    Lack of countermeasures against tampering with the device to obtain sensitive information or take control of it.
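Several of these ten items can be judged from nothing more than a fleet inventory record, which is how a defender usually finds them at scale. The following Go program is an added example, not code from the article or from OWASP: it audits a constructed inventory record (device name, admin credentials, exposed services, telemetry transport, firmware date, management enrolment, all invented for the example) and maps each observation to the OWASP IoT Top 10 item it falls under. The lookup tables of default passwords and rarely needed services are constructed too; a real audit would load them from policy.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Device is a constructed inventory record for one IoT asset; the fields are the ones an
// asset-management system can usually answer without touching the device.
type Device struct {
	Name            string
	AdminUser       string
	AdminPassword   string
	OpenServices    []string  // network services reachable on the device
	Transport       string    // protocol used to ship telemetry: "mqtts", "https", "http", "ftp", ...
	FirmwareDate    time.Time // build date of the firmware currently running
	UpdateAvailable bool      // the vendor has published newer firmware than the installed one
	Managed         bool      // enrolled in a device-management / monitoring system
}

// Finding ties one observation to the OWASP IoT Top 10 item (1..10) it maps to.
type Finding struct {
	OwaspItem int
	Detail    string
}

// Constructed lookup tables; a real audit would load these from policy.
var (
	defaultPasswords    = map[string]bool{"": true, "admin": true, "password": true, "1234": true, "12345": true}
	unneededServices    = map[string]bool{"telnet": true, "ftp": true, "tftp": true, "bonjour": true, "upnp": true}
	clearTextTransports = map[string]bool{"http": true, "ftp": true, "mqtt": true} // plain MQTT, no TLS
	maxFirmwareAge      = 365 * 24 * time.Hour
)

// Audit checks one inventory record against the OWASP IoT items that can be judged from
// inventory data alone (#1, #2, #4, #5, #7, #8); the remaining items need a review of the
// ecosystem or the hardware, not a database query.
func Audit(d Device, now time.Time) []Finding {
	var out []Finding
	add := func(item int, detail string) { out = append(out, Finding{item, d.Name + ": " + detail}) }
	if defaultPasswords[strings.ToLower(d.AdminPassword)] {
		add(1, fmt.Sprintf("account %q uses a default or empty password", d.AdminUser))
	}
	for _, s := range d.OpenServices {
		if unneededServices[strings.ToLower(s)] {
			add(2, fmt.Sprintf("service %q is exposed and is rarely needed", s))
		}
	}
	if d.UpdateAvailable {
		add(4, "vendor firmware update available but not applied")
	}
	if age := now.Sub(d.FirmwareDate); age > maxFirmwareAge {
		add(5, fmt.Sprintf("firmware is %d days old", int(age.Hours()/24)))
	}
	if clearTextTransports[strings.ToLower(d.Transport)] {
		add(7, fmt.Sprintf("telemetry sent over clear-text %q", d.Transport))
	}
	if !d.Managed {
		add(8, "not enrolled in device management, so it is never patched or monitored")
	}
	return out
}

// ItemsHit returns the distinct OWASP items a device failed, in ascending order, so a
// fleet report can rank devices by how many of the Top 10 they trigger.
func ItemsHit(findings []Finding) []int {
	seen := map[int]bool{}
	var items []int
	for _, f := range findings {
		if !seen[f.OwaspItem] {
			seen[f.OwaspItem] = true
			items = append(items, f.OwaspItem)
		}
	}
	sort.Ints(items)
	return items
}

func main() {
	now := time.Date(2020, 7, 29, 0, 0, 0, 0, time.UTC)
	camera := Device{ // constructed example of a neglected IP camera
		Name: "ip-camera-07", AdminUser: "admin", AdminPassword: "admin",
		OpenServices: []string{"rtsp", "telnet", "bonjour"}, Transport: "http",
		FirmwareDate: time.Date(2016, 3, 1, 0, 0, 0, 0, time.UTC), UpdateAvailable: true,
	}
	for _, f := range Audit(camera, now) {
		fmt.Printf("OWASP IoT #%-2d %s\n", f.OwaspItem, f.Detail)
	}
}
```

Run over a whole inventory export, the list of items per device is what feeds a patching or decommissioning queue; items 3, 6, 9 and 10 still need a human review of the ecosystem and the hardware.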

Some recent attacks and vulnerabilities

The IoT world shows us exciting new opportunities in many market segments such as banking, retail, healthcare, manufacturing, transportation and telecommunications, but the industry’s current security shortcomings have to be faced.

There are plenty of examples:

  • The hacked smart gun that can be fired without authorisation (2017), and the car engine that can be killed remotely (two clear cases of OWASP IoT #2 / #5 / #7)
  • The major ransomware attack on the British NHS, largely due to thousands of outdated IoT devices connected to the IT network (OWASP #4 / #5)
  • A botnet of hundreds of thousands of IP cameras used to mount a DDoS against major ISP and DNS providers (mainly due to OWASP #1 / #4 / #5)
  • The fitness-tracking app that exposed sensitive information about the location of a military base (OWASP #6 / #9)
  • Vulnerable smart irrigation systems of urban water services that can be activated in a distributed way by impersonating the cloud service with a replay attack, potentially leading to water shortage (OWASP #2 / #3 / #5)

The reality is that we are still surrounded by IoT devices whose last firmware update may have been at least 4 years ago, and new vulnerabilities are discovered every day in the critical components these devices use. A question for the reader: when was the last time you updated your router or wireless printer firmware?

How we address security, leveraging available technology advances while balancing the spending on mitigating risk, is what will bring the equation to an acceptable level.

Options to tackle security

Before using many of the technologies that manage security, it is necessary to understand the concept of Defence in Depth: a layered protection that administers and mitigates risk and seeks to reduce damage by providing more opportunities to contain a threat between the layers.

Many of the security tools sit at specific points in those layers, focusing on breaking what is known as the Cyber Kill Chain, a military definition of the stages of an attack updated for cyber warfare. Each of those stages has countermeasures to mitigate it.

Image based on: Lockheed Martin Cyber Kill Chain

In addition, it is important to understand some considerations that affect the security management of these systems:

  • IoT interacts with the physical and the digital world in ways conventional IT devices do not (e.g. the public irrigation systems mentioned above).
  • By nature, many IoT devices lack the centralised access, management or monitoring that IT devices have.
  • Many IoT devices trade security away for availability, efficiency and effectiveness in pursuit of their primary goal.

With this understanding of the layered approach and the countermeasures for each stage, we can now focus on the specific solutions from different vendors.

IoT Platform solutions

These solutions are responsible for managing the whole complexity of connecting hardware, sensors, things and devices to the cloud, with multiple services and communication protocols that allow data to be collected and visualised securely, and rules and actions to be executed with effects on the targets.

Security in the following solutions is managed systemically in each of their parts, honouring a defence in depth strategy.

AWS IoT

Image source: AWS IoT Cloud Stack

Presented at the 2015 re:Invent event, AWS IoT is a managed cloud platform focused on easy and secure connectivity and interoperability between things, such as sensors, actuators, embedded systems and smart appliances, and the cloud services.

It is comprised of several core components, such as the Device Gateway, Device Shadow, Device Provisioning Service, Device Registry and Device Defender, which are explained below:

  • Device Gateway
    This is the backbone of the access management effort: it secures the communication of mid- to low-end connected devices with the cloud capabilities, and through an edge device it allows secure, low-latency, low-overhead, bidirectional communication. Low-end devices can connect to the Device Gateway with relaxed security protocols.
    Additionally, it can leverage features like the Rules Engine to allow local monitoring, vulnerability management and device security incident detection.
  • Device Shadow
    This functionality targets data security and protection, giving access to a cloud representation of the device data so it can be accessed safely, keeping in mind privacy concerns such as PII (Personally Identifiable Information).
  • Device Provisioning Service
    One of the main sources of vulnerability is outdated software, and since vulnerabilities are fixed periodically, it is fundamental to provide a mechanism to update part or all of the software stack. Device provisioning manages templates of the software resources a device requires, and the certificates and policies to apply those templates.
    The means to execute the policy are OTA (Over the Air) updates, which allow firmware and application software to be sent to the device. The device needs to run an OTA Update Manager Service to receive the payload.
  • Device Registry
    To allow policy management on the devices, it is important to be able to associate each device with a specific inventory. This happens at device registration and association, where every device is assigned a specific ID. Combined with the Fleet Indexing service, this allows batch jobs of policies to be executed on a group of devices.
  • Device Defender
    The main role of this fully managed service is to audit device events, identify security issues, alert and respond. It is known as a Security Information and Event Management (SIEM) tool. It also has a local presence in the firmware of target devices, such as in FreeRTOS for AWS.
  • Greengrass
    This is software that lets you run and extend core AWS IoT services locally on a device at the edge. It has multiple security features such as Identity and Access Management (IAM), compliance validation, and configuration and vulnerability analysis.
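The certificates and policies that the Device Registry and Device Provisioning Service attach to each thing are only as protective as the policy document itself: a single shared document can serve a whole fleet and still confine each device to its own identity, or it can let every device publish anywhere. The Go program below is an added example, not AWS code or the project’s own; it parses two constructed AWS IoT policy documents (the region and the account id 123456789012 are placeholders) and flags the grants that are wider than one device needs. The `${iot:Connection.Thing.ThingName}` policy variable is a real AWS IoT policy variable that resolves to the name of the thing whose certificate opened the connection.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringOrList accepts both JSON shapes an AWS IoT policy uses for Action and Resource:
// a single string or an array of strings.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = []string{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type statement struct {
	Effect   string       `json:"Effect"`
	Action   stringOrList `json:"Action"`
	Resource stringOrList `json:"Resource"`
}

type policy struct {
	Statement []statement `json:"Statement"`
}

// thingVar is the AWS IoT policy variable that resolves, at connection time, to the name
// of the registered thing whose certificate is being used.
const thingVar = "${iot:Connection.Thing.ThingName}"

// Lint returns one message per Allow grant wider than a single device needs: wildcard
// actions, the bare "*" resource, and prefix-wildcard resources not scoped to the thing.
func Lint(doc string) ([]string, error) {
	var p policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var issues []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range st.Action {
			if strings.HasSuffix(a, "*") {
				issues = append(issues, fmt.Sprintf("statement %d: wildcard action %q", i, a))
			}
		}
		for _, r := range st.Resource {
			if r == "*" {
				issues = append(issues, fmt.Sprintf("statement %d: resource \"*\" allows any client id and any topic", i))
			} else if strings.HasSuffix(r, "*") && !strings.Contains(r, thingVar) {
				issues = append(issues, fmt.Sprintf("statement %d: resource %q is not scoped to the connecting thing", i, r))
			}
		}
	}
	return issues, nil
}

// BroadPolicy is the "make it work" policy often attached while prototyping: every device
// that shares it can connect as any client id and use any topic in the account.
const BroadPolicy = `{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}`

// ScopedPolicy serves a whole fleet from one document while confining each device to its
// own client id and its own topics. Region and account id (123456789012) are placeholders.
const ScopedPolicy = `{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": "iot:Connect",
  "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"},
 {"Effect": "Allow", "Action": "iot:Publish",
  "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/telemetry"},
 {"Effect": "Allow", "Action": ["iot:Subscribe"],
  "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/devices/${iot:Connection.Thing.ThingName}/commands"},
 {"Effect": "Allow", "Action": ["iot:Receive"],
  "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/commands"}]}`

func main() {
	for name, doc := range map[string]string{"broad": BroadPolicy, "scoped": ScopedPolicy} {
		issues, err := Lint(doc)
		fmt.Printf("%s policy: %d issue(s) %v err=%v\n", name, len(issues), issues, err)
	}
}
```

With the scoped document, a device whose certificate is compromised can still only impersonate itself and write to its own telemetry topic, which is the property the Device Defender audit looks for when it reports overly permissive policies; the lint is a local check that can run before a policy is ever created in the account.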

Azure IoT

Image source: Azure IoT Cloud Stack

On February 3, 2016, Microsoft unveiled its strategy to compete in IoT management, presenting its solution: a collection of Microsoft-managed cloud services that connect, monitor, and control billions of IoT assets.

Its main components are IoT Hub, Azure Sphere, Azure IoT Edge and Azure Sentinel, which are detailed below.

  • IoT Hub
    This is the cornerstone of the solution, focusing on secure connection, provisioning, monitoring and updating of the devices.
    Some security aspects:
    - Bidirectional communication between device and backend, with extensible protocol support through the Azure IoT Protocol Gateway
    - Per-device mutual authentication with strong credentials (device attestation), through per-device tokens and X.509 certificates
    - Access right revocation management to allow system sanitisation
    - Strong monitoring of device events to identify threats and operational issues (detect & destroy)
  • Azure Sphere
    This is a high-level application that provides communication and security features for the interconnected devices. It covers the OS (Azure Sphere OS) for hardware that runs on secured silicon chips, such as the MediaTek MT3620, which implements the Azure Sphere certification, and also the Azure Sphere Security Service (AS3), a cloud-based service that enables maintenance, updates, and control for Azure Sphere-certified chips.
    This ensures secure boot and secure communication with other devices and services. It can cover both greenfield and brownfield implementations.
  • Azure IoT Edge
    Allows cloud business logic to be moved to the edge, managing thing connectivity and data locally and reducing bandwidth costs and large data transfers to the cloud.
  • Azure Sentinel
    As stated by Microsoft, it is a scalable, cloud-native SIEM and Security Orchestration, Automation and Response (SOAR) solution with threat investigation capabilities through AI.
    It covers all the requirements of a Detection and Response Team (DART) for detecting and responding to events.
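The per-device token credential and the revocation management listed for IoT Hub above fit together in one flow: each device holds its own symmetric key, signs a short-lived token with it, and the hub recomputes the signature with the key it stored for that device id, so withdrawing a device is a lookup on the hub side rather than a change on the device. The Go program below is an added example, not Microsoft’s code: `GenerateSAS` follows the documented IoT Hub SAS token format (HMAC-SHA256 over the URL-encoded resource URI, a newline and the expiry, keyed with the base64-decoded device key), and `Hub` is a constructed stand-in for the hub side of the check with an invented host name and constructed keys that are not real credentials.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// GenerateSAS builds an IoT Hub device SAS token. The signed string is the URL-encoded
// resource URI, a newline and the expiry in Unix seconds, keyed with the base64-decoded
// per-device symmetric key that only this device and the hub know.
func GenerateSAS(resourceURI, deviceKeyB64 string, expiry time.Time) (string, error) {
	key, err := base64.StdEncoding.DecodeString(deviceKeyB64)
	if err != nil {
		return "", err
	}
	sr := url.QueryEscape(resourceURI)
	se := strconv.FormatInt(expiry.Unix(), 10)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(sr + "\n" + se))
	sig := base64.StdEncoding.EncodeToString(mac.Sum(nil))
	return "SharedAccessSignature sr=" + sr + "&sig=" + url.QueryEscape(sig) + "&se=" + se, nil
}

// Hub is a constructed stand-in for the hub side of the check (not Azure's implementation):
// it holds each device's key and the set of device ids whose access has been revoked.
type Hub struct {
	Host    string            // constructed host name, not a real hub
	Keys    map[string]string // device id -> base64 primary key
	Revoked map[string]bool
}

// Verify recomputes the signature with the key of the device named in the token, compares
// it in constant time and rejects expired or revoked tokens. It returns the device id.
func (h *Hub) Verify(token string, now time.Time) (string, error) {
	const prefix = "SharedAccessSignature "
	if !strings.HasPrefix(token, prefix) {
		return "", errors.New("not a SAS token")
	}
	q, err := url.ParseQuery(strings.TrimPrefix(token, prefix))
	if err != nil {
		return "", err
	}
	sr, sig, se := q.Get("sr"), q.Get("sig"), q.Get("se")
	devPrefix := h.Host + "/devices/"
	if !strings.HasPrefix(sr, devPrefix) {
		return "", errors.New("token is not for a device on this hub")
	}
	deviceID := strings.TrimPrefix(sr, devPrefix)
	keyB64, known := h.Keys[deviceID]
	if !known || h.Revoked[deviceID] {
		return "", fmt.Errorf("device %q unknown or revoked", deviceID)
	}
	expiry, err := strconv.ParseInt(se, 10, 64)
	if err != nil || !now.Before(time.Unix(expiry, 0)) {
		return "", errors.New("token expired or expiry malformed")
	}
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(url.QueryEscape(sr) + "\n" + se))
	want := base64.StdEncoding.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(sig), []byte(want)) { // constant-time comparison
		return "", errors.New("signature mismatch")
	}
	return deviceID, nil
}

// DemoHub registers two devices with constructed keys (not real credentials).
func DemoHub() *Hub {
	k := func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
	return &Hub{
		Host:    "contoso-hub.azure-devices.net",
		Keys:    map[string]string{"sensor-01": k("sensor-01 constructed key"), "sensor-02": k("sensor-02 constructed key")},
		Revoked: map[string]bool{},
	}
}

func main() {
	hub := DemoHub()
	now := time.Now()
	tok, _ := GenerateSAS(hub.Host+"/devices/sensor-01", hub.Keys["sensor-01"], now.Add(time.Hour))
	id, err := hub.Verify(tok, now)
	fmt.Println("valid token ->", id, err)
	hub.Revoked["sensor-01"] = true
	_, err = hub.Verify(tok, now)
	fmt.Println("same token after revocation ->", err)
}
```

Because the device id is taken from the signed resource URI and the key is looked up from it, a token signed with one device’s key cannot be presented as another device, a changed expiry invalidates the signature, and a revoked device is refused even while its last token is still within its validity window.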

Google Cloud Platform IoT

Image source: GCP IoT Cloud Stack

Google’s vision of IoT is made up of an IoT Core and multiple services and components:

  • The Cloud Pub/Sub system, which allows devices to be connected to the cloud.
    It follows basic security recommendations such as certificate-based authentication (mTLS), where the device identifies itself with a certificate previously signed by the GCP cloud authority. This is an improvement over plain TLS, which only secures data in transit: both ends are securely identified and rejected devices can be revoked, at the cost of the logistics of delivering certificates to each device.
  • Device Manager lets you create and configure device registries and the devices within them. The Device Manager can be used through the Cloud Platform Console, gcloud commands, or the REST-style API.
    The Device Manager is responsible for the identification, configuration, access control and state of the device.
  • Dataflow, AI and ML allow data transformation, representation and actions.
  • Android Things is Google’s OS approach to edge computing. It provides a secure OS that runs only on certified hardware. It bundles applications for on-device intelligence and connection to the whole Cloud IoT Platform.

IoT Target solutions

To ensure a certain level of security for the whole IoT system, every link in the chain must be secured, and the most critical is the security of the device itself.

It is the most exposed to threats like tampering and attacks on its surface, which require countermeasures to secure the assets on the device.

  • Crypto solution
    A crypto solution allows delegation of trust and authentication, separate from the manufacturing process of the device.
    It also allows the use of pre-provisioned private keys, hardware-accelerated cryptography and a secure crypto store. This covers protection against tampering, spoofing and information disclosure.
    Some examples are the Trust&GO ATECC608A from Microchip, a secure element for Google IoT Core secure authentication; the Crypto Acceleration Unit present in NXP ColdFire; and the TI Sitara AM335x Cortex with hardware-based security accelerators.
  • Secure enclave
    A secure enclave is a separate MCU or engine, isolated from the main processor core and peripherals, that requires a secure communication mechanism based on cryptography. An example is the ARM iSIM, which defines a secure, tamper-resistant enclave for a SIM (Subscriber Identity Module) at the heart of a device SoC, making it compliant with the IoT SAFE standard (IoT SIM Applet For Secure End-to-End Communication) and allowing secure transfer, data protection and spoofing protection.
  • Secure boot
    The root of trust, and a cornerstone of an electronic device’s trustworthiness, is starting the OS from a well-known condition. For that, it is fundamental to have trusted software whose signature the MCU can validate before running applications, and to continuously check the integrity of the software.

MAX32590
This MCU bundles OTP memory for critical missions, a secure boot loader with public key authentication, crypto acceleration, AES key storage, a secure keypad controller and real-time external memory encryption to prevent memory tampering.
Image source: Maxim Integrated MAX32590 functional diagram

CEC1702
This Arm Cortex-M4 MCU has cryptographic acceleration and firmware validation with digital signatures, both for the programs running on it and, externally, as a crypto coprocessor that monitors other SoCs to ensure they are running trusted software.

Image source: Microchip CEC1702 solution integration
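The secure boot loader with public key authentication described for the MAX32590 and CEC1702, and the OTA Update Manager that receives firmware payloads in the AWS section above, perform the same check at different moments: before an image is written to flash, and again before it is executed. The Go program below is an added example of that check and is not code from Maxim, Microchip or AWS; the image layout (a small header carrying the version and the payload digest, an Ed25519 signature over the header, then the payload) is constructed for the example and is not any vendor’s format, and the signing key is derived from a fixed seed purely so the run is reproducible.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not a vendor format):
// magic(4) | version(4, big-endian) | sha256(payload)(32) | ed25519 signature over the 40-byte header(64) | payload
const (
	magic  = "FWv1"
	hdrLen = 4 + 4 + 32
	sigLen = ed25519.SignatureSize
)

// Pack is the build-server side: hash the payload, write the header and sign it with the
// vendor's private key, which never leaves the signing host.
func Pack(payload []byte, version uint32, priv ed25519.PrivateKey) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	sum := sha256.Sum256(payload)
	copy(hdr[8:40], sum[:])
	img := append(hdr, ed25519.Sign(priv, hdr)...)
	return append(img, payload...)
}

// Verify is what a secure boot loader does before jumping into an image, and what an OTA
// update manager does before writing one to flash: check the signature with the public key
// burned into OTP memory, refuse versions older than the stored minimum (anti-rollback),
// then check the payload digest so an altered body cannot run under a valid header.
func Verify(img []byte, pub ed25519.PublicKey, minVersion uint32) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen {
		return 0, nil, errors.New("image too short")
	}
	hdr, sig, payload := img[:hdrLen], img[hdrLen:hdrLen+sigLen], img[hdrLen+sigLen:]
	if string(hdr[:4]) != magic {
		return 0, nil, errors.New("bad magic")
	}
	if !ed25519.Verify(pub, hdr, sig) {
		return 0, nil, errors.New("signature check failed: not signed by the trusted key")
	}
	version := binary.BigEndian.Uint32(hdr[4:8])
	if version < minVersion {
		return 0, nil, fmt.Errorf("rollback refused: image v%d is older than installed minimum v%d", version, minVersion)
	}
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], hdr[8:40]) {
		return 0, nil, errors.New("payload digest mismatch: image body was altered")
	}
	return version, payload, nil
}

// DemoKeys derives a vendor key pair from a fixed, constructed seed so the example is
// reproducible; a real signing key is generated once and kept in an HSM.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	img := Pack([]byte("constructed firmware payload"), 3, priv)
	if v, _, err := Verify(img, pub, 2); err == nil {
		fmt.Printf("boot: image v%d accepted\n", v)
	}
	img[len(img)-1] ^= 0x01 // one flipped payload bit, as a corrupted download would produce
	_, _, err := Verify(img, pub, 2)
	fmt.Println("boot:", err)
}
```

The order of the checks matters: the signature is verified before the version or digest fields are trusted, so nothing in the header influences the decision until it is known to come from the signing key, and the digest of the full payload is checked even though only the header is signed, which keeps the signature small enough for a boot ROM while still covering every byte that will execute.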

Edge Security Solutions

These are the solutions and practices that secure network nodes outside the network core. The edge requires the same fundamental security principles as the core network: the whole network must be visible and manageable to administrators, with assured restrictions on access to manipulate data and network resources.
There are several aspects that can be covered in edge security, such as:

  • Perimeter security
    This manages not only a secure communication channel but also adds firewalls and access control. Nowadays it is covered by a category called Secure Access Service Edge (SASE).
  • Application security
    Edge applications must be controlled for integrity, validity and change prevention; to mention one example, McAfee offers the SolidCore solution, which integrates with the OS to monitor file integrity, changes and reconciliation.
  • Threat detection
    Threat intelligence tools use global security intelligence to detect malicious activity inside a private edge network.
  • Vulnerability management
    This is the practice of identifying known and unknown (zero-day) vulnerabilities and acting to mitigate them.
  • Automatic patching cycle
    This involves software inventory management and monitoring of the versions running on the devices connected to the edge device.

Some companies worth mentioning in IoT edge security are:
IBM, Akamai, Cisco, Cloudflare, Fortinet, Palo Alto Networks, Cato Networks, VMware, Zscaler and McAfee.

Final Thoughts

In this article we have tried to show a glimpse of how different tools, platforms and services can work together to fulfil the vision of the Internet of Things without relegating or compromising security.

We covered the full stack, with some examples of:

  • Platform solutions: AWS, Azure and GCP IoT
  • Edge Solutions with SIEM and AI
  • Target Solutions with crypto, enclaves and boot security implementations

We showed that IT security falls short of the needs of IoT; it has to include OT security (Operational Technology) to cover them adequately.

Image source: IoT security defence in depth by Charles Li, showing the differences between the management layers in IT vs IoT

We also showed that a defensive approach is necessary but not sufficient: it is important to actively Identify, Protect, Detect, Respond and Recover (the five NIST Cybersecurity Framework functions) from any attack, and this has to be reflected in the IoT system components.

IT security works on corporate networks, their related assets (printers, computers), software and their management, and focuses on privacy; OT security works on industrial networks (SCADA, MQTT, AMQP) and the management of their embedded firmware, and focuses on reliability. Both worlds have to coexist to avoid operational disruption and ensure an optimum level of security.

Each IoT solution provider will have to define which set of security components fits best, depending on the business use cases and scenarios, but it is certain that including them is a fundamental and unavoidable cornerstone of any future IoT solution.

Connected devices have outnumbered any feasible effort to attend to security management by hand; it is critical to give the system itself the means to fight threats back, in a systemic way.

References

These are all the references used in this article, sorted into reports on technology adoption, known security attacks, security methodologies and, finally, security solutions.

Reports
Links to the business projections on IoT
https://www.businessinsider.com/internet-of-things-report
https://www.gartner.com/en/newsroom/press-releases/2019-08-29-gartner-says-5-8-billion-enterprise-and-automotive-io
https://leftronic.com/internet-of-things-statistics/
https://www.techrepublic.com/article/business-adoption-of-iot-is-rising-and-so-is-the-likelihood-of-attacks/
https://www.informationweek.com/mobile/mobile-devices/gartner-21-billion-iot-devices-to-invade-by-2020/d/d-id/1323081
https://securitytoday.com/Articles/2020/01/13/The-IoT-Rundown-for-2020.aspx
https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10
https://www.telecomtv.com/content/iot/improving-iot-security-with-smart-edge-devices-13673/
https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Attacks & Vulnerabilities
Links to the aforementioned security breaches related to IoT
https://money.cnn.com/2017/07/27/technology/hack-smart-gun/index.html
https://www.cnbc.com/2015/07/21/hackers-remotely-kill-jeep-engine-on-highway.html
https://www.digitalhealth.net/2019/04/outdated-software-leaves-nhs-vulnerable-to-cyber-attack-new-research-says/
https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases
https://in.bgu.ac.il/en/pages/news/water_attacks.aspx

Security
Links to the security fundamentals, from governments and security foundations
https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf
https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf
https://www.sans.org/reading-room/whitepapers/basics/paper/525
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
https://www.esecurityplanet.com/network-security/edge-security.htm
https://www.esecurityplanet.com/products/top-threat-intelligence-companies.html
