March 19, 2018

Secure by Design: Security Products vs Secure Products in IoT

Back in April 2017, Device Authority’s CTO Rao Cherukuri wrote a blog titled “IoT Security is too critical to be an optional extra – Security by design, from the beginning” – detailing key recommendations for securing IoT devices.

We continue to see a distinct difference between security products and secure products. Which is also the difference between detect/respond and protect/prevent. Prevention is better than cure.

Why is this important?

Mostly due to economic and social changes, and increasingly it is a now a safety issue – not just data loss.

Now, the UK government has published a report called “Secure by Design” which aims to shift the burden of IoT security from the consumer or end user to other parties including device manufacturers, IoT service providers and application developers in an effort to improve security and ultimately safety. The report focuses on the need for security, privacy and safety for individuals and personal data, while also recognizing the threat of cyberattacks launched from IoT devices.

There are 13 sections within the report’s proposed code of practice, which the first three carry a higher priority. We’ll review these in more detail.

1. No default passwords

This is forever an issue with IoT devices. Weak credentials are the holy grail for hackers. If devices use a default password such as ‘admin’ then it only takes seconds for a hacker to infiltrate. We understand the pain of managing passwords for hundreds, thousands or even millions of devices – which is why we developed our Automated Password Management(APM) solution aimed specifically at IoT devices. APM automatically sets and manages local account passwords from manufacturer default on devices. Password rotation policies are enforced which dramatically reduces the attack surface of using static passwords.

2. Implement a vulnerability disclosure policy

Having a process for reporting vulnerabilities is important – this will allow for them to be acted up sooner rather than later, and to notify consumers of risks.

3. Keep software updated

Once an IoT device is delivered to the user, with software installed – that’s not enough. Updates are required to fix any bugs or vulnerabilities within devices. It’s important that the updates are pushed to devices in a secure way, ensuring only trusted software is installed. The security management plane must be able to control access to devices for updates, verify the source and integrity of the update image, and validate the integrity of the updates themselves.

4. Securely store credentials and security-sensitive data

Focus on secure credentials and use a solution which has secure storage. Device Authority APM implementation uses our Dynamic Device Key Generation(DDKG) technology, that doesn’t store the passwords on the devices. The DDKG based agent provides secure storage for any credentials including certificates.

5. Communicate securely

Encryption is crucial for sensitive data. That’s why KeyScaler has a crypto agent for policy based end-to-end encryption. To secure the sensitive information from devices, the data needs to be encrypted as close to where it’s generated as possible. Typical transport level security models do not provide end-to-end security and privacy of the data. Another dimension to consider is to protect the sensitive data at field level as newer protocols like MQTT delivers the content to multiple subscribers.

6. Minimise exposed attack surfaces.

KeyScaler’s APM solution enforces password rotation policies which dramatically reduces the attack surface of using static passwords.

7. Ensure software integrity

Integrity of IoT devices includes the software – it’s important any unauthorized changes are prevented, and if they do occur they should be alerted. KeyScaler performs integrity validation checks to solve this challenge.

8. Ensure that personal data is protected

Data privacy and security prevents negative consequences from hacks and data loss. That’s why policy-based encryption is an ideal solution. Our DDKG based encryption makes it easy as the crypto keys are not stored anywhere or exchanged over the network making it easier to implement and deliver at IoT Scale.

9. Make systems resilient to outages

10. Monitor system telemetry data

11. Make it easy for consumers to delete personal data

12. Make installation and maintenance of devices easy

Simplify security through easy installation and management of devices. Device Authority recognizes that this an important impediment for IoT adoption because of the scale and unique IoT Device characteristics. We have implemented “Zero touch provisioning” working with our partners. Watch our video with Intel here.

13. Validate input data

It is important for certain control and command data devices need to validate the input data before taking an action that may have negative impact. Device Authority Delegated Security Management model and data integrity features verify the source and integrity of the data.

It is, as it says, a set of guidelines that the government hopes organizations will adopt. The challenge is of course that many organizations file this under the “nice to have” heading instead of the “essential” heading. When stacked up against the pressures of cost and time to market, the rigor of security by design (to use the government tag line) becomes the poor loser, often being relegated to a secondary or even tertiary consideration. When you take the extreme view of attempting to retro fit solutions to products after they have shipped, you are 90% of the time attempting to apply a band aid to a severed limb.

The guidance and recommendations provided are supported by Device Authority. Our KeyScaler platform can help with the majority of the 13 points. In fact, we have recently developed our Enterprise IoT Security Blueprint which provides an architecture for best practice IoT security.

Rao Cherukuri