Last month (November 2017), the European Union Agency for Network and Information Security (ENISA) published a report on ‘Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures’ which included input from ARM, Kaspersky Lab, Symantec, Huawei, Siemens, IBM, Microsoft and many more. The report provides insight into IoT security, looking at the various attack surfaces and threats, and proposing best practices and security recommendations to protect IoT devices, data and systems.
Following on from the U.S. Congress where the Senate – Commerce, Science, and Transportation Committee introduced the “Developing Innovation and Growing the Internet of Things Act” or “DIGIT Act”. The DIGIT Act creates a working group that will address some of the most pressing challenges facing the Internet of Things, such as ensuring federal agencies are prepared to adopt the Internet of Things and recently “Internet of Medical Things Resilience Partnership Act of 2017”, H. R. 3985 was introduced. The goal of the bill is to establish a working group of public and private entities to develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the United States. Could 2018 see official legislation, going beyond just recommendations?
The ENISA study spans 103 pages including details of security standards and indicative IoT security incidents, addressing key fundamental challenges in IoT security, which we discuss further below. Section 4 looks at security measures and good practices including security and privacy by design, end-of-life support and Technical Measures (4.3) which highlight the need for trust and integrity management, data protection, authentication and much more.
Several approaches are being proposed to onboard devices to IoT platforms and applications. Unlike user onboarding, enrolling or registering headless devices involve API driven automated steps without human intervention. Typically, a trust anchor is required at the device, either provisioned by the manufacturer or added as an agent by distributors, solution providers or customers. The trust anchor based approach allows secure registration, provisioning and updating of devices through active, policy-based security controls which are designed to protect IoT applications and services. The IoT platforms must support suitable whitelisting and policy capabilities to automate this without human intervention.
Owner controlled security posture is very important for IoT. Manufacturers are promoting certain trust anchors; certificates provisioned in the devices during the manufacturing itself for strong security from the beginning. These could work well in closed platforms and applications but the open platforms need owner controlled and application specific security. Also, compliance and regulations are demanding the changing of manufacturer security model to owner controlled security.
In the user identity world, we have been applying the strong authentication models based on multi-factor and out of band approaches. These models are simply not suitable for IoT devices.
IoT calls for devices to authenticate themselves to other devices and to the IoT security management plane as per the application requirements. The methods might use a combination of:
Another big problem is making sure the credentials or certificates in the devices are not tampered or copied to another device. This requires secure storage at the device and strong binding of credentials with the device as part of authentication process.
In the user world, a device is used as an interface and the trust is established through multi-factor authentication. The trusted computing group has been promoting the attestation models for device integrity. These models have failed to achieve their goals as they remained as technologies, difficult to implement, and not suitable for IoT scale.
The IoT is not just about “things”, it’s also about data. Securing the sheer number of devices is a daunting task but the ever-increasing volume of data generated by IoT introduces an entirely new challenge. To secure the sensitive information from devices, the data needs to be encrypted as close to the source as possible. Typical Transport Level Security (TLS) models do not provide end-to-end security and privacy of the data. Adopting a data centric crypto approach would give you end-to-end security and privacy of the data, and allows you to design your system agnostic to your network architecture. Another big dimension to consider is to protect the sensitive data at field level as protocols like MQTT deliver the content to multiple subscribers.
An IoT security strategy should include software and firmware upgrades to remote devices while ensuring only trusted software is installed. The secure device authentication, data privacy and integrity at the device mentioned above form a pre-requisite for this to be successful. The security management plane must be able to control access to devices for updates, verify the source of updates, and validate the integrity of the updates themselves.
Device Authority continues to participate in IoT security regulations events and discussions on cyber security to bring to the forefront issues being faced and how Device Authority can assist in solving the challenges. Recently, I attended a symposium hosted by K&L Gates and Access Partnership in Washington DC focused on the rapidly changing global regulatory landscape surrounding connected cars/autonomous vehicles (pictured below).
Have you planned your IoT security strategy for 2018? We hope the above considerations help.
We can also provide more guidance on exactly how to protect your devices and data. Contact us today!
You may also be interested in our 2018 webinar series – register now.
Is cyber security an IT issue? Well – yes and no. Sure, the technical understanding of what needs to be done, how and why will always ultimately lie with a technology specialist, but the strategic understanding of why it matters and how it fits into wider business operations and culture should always lie with senior management. Cyber security needs to be taken seriously in the boardroom in order for it to truly permeate throughout the business, and therefore to be effective. So yes – cyber security is an IT issue, but it’s bigger than that.
Back in May 2017 the EU, through its Medical Device Coordination Group (MDCG) published the Medical Device Regulation (MDR) (EU) 2017/745, which came into effect on 25th May 2017. The regulation was put together to ensure high standards of quality and safety for medical devices being produced in or supplied into the EU. Manufacturers of currently approved medical devices have until May 26th, 2021 to meet the requirements of the regulations. Even if a product is Medical Devices Directive (MDD) compliant, they still need to meet these new regulations.
