Providing useful information to stakeholders with varying degrees of experience and perhaps very different environments may seem a fool’s errand, but let’s start with these three assumptions:
- The Internet of Things is like a pocketknife: useful, potentially harmful, and not going away.
- At least 25 billion IoT devices are online in 2020, most with security and privacy risks.
- You don’t have a lot of time to sift through many sources to gain the knowledge you require.
This post is the first of a three-part series. It walks through definitions and concepts regarding the Internet of Things (IoT), communications protocols, edge computing, and so on, so that the reader clearly understands what is being discussed. It then unpacks a detailed set of factors showing why, exactly, IoT is inherently insecure. The next part reviews current practices for IoT discovery and threat assessment, including reverse engineering of firmware to identify risks by likelihood and severity. The final part takes up the challenge of serving varying environments to address IoT risks comprehensively and continuously.
What’s clear is that it is not a perfect world, and our networks will never be so orderly as to be connected in such a way as to be invulnerable. So, what kind of approach is adaptive enough, complete enough, and practical enough to stave off potential risks in a cost-effective manner?
Cloud and Edge/Fog Computing
It is important to understand the concepts of Cloud and Edge/Fog architectures as they relate to IoT devices in order to ensure that implementation, administration, and resilience are guided by optimal security policies.
- Cloud computing in the context of IoT is an enabling paradigm. However, IoT devices are resource-constrained in just about every aspect of a compute environment, notably processor power, memory, and data storage, with only incremental gains over time.
- Coupled with Big Data, Blockchain and other enabling technologies, the prevailing tactic for ingesting, processing and storing data emitted by IoT devices was to transmit the information to an application on a remote server in a private, public or hybrid data center. Indiscriminately forwarding every bit of data an IoT sensor can generate saps bandwidth unnecessarily and is subject to congestion during peak periods. IoT devices are not inherently capable of advanced networking to ensure Quality of Experience (QoE).
- With limited processing power at the IoT device, encryption of the data is rarely possible.
- Around 2014, developers, vendors and network architects began to seek alternatives to direct-to-cloud processing and transmission to meet the burgeoning demands.
- Edge computing (Fog Computing in Cisco terms) for IoT leverages the distributed nature of the devices for robustness and bandwidth efficiency. The idea is to place compute power close to the source where data are generated by the IoT sensors and embedded devices. As less data travels over the network to centralized compute resources, security improves somewhat and bandwidth consumption drops somewhat.
- Data may be processed before it is sent to the cloud so that only the actionable or most relevant data traverses the network. The signal-to-noise ratio can be greatly improved: when a sensor reports a thousand times per second that a process is working properly, the Industrial Control System (ICS) receives only the anomalies or trends that matter for efficient control and exception handling.
- The most important real-time decisions do not need to cross the network, as edge compute capabilities allow decisions to be made at the point of ingestion.
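As an added illustration of the edge-side filtering described above (example code, not from the original post): a constrained sensor reports a thousand times per second, the edge node forwards only out-of-band anomalies plus one trend summary per window, and, because it has the resources the sensor lacks, it authenticates the forwarded batch with an HMAC so the receiving ICS can reject altered or injected data. The thresholds, window size, shared key and sensor readings are all constructed for this example.

```python
import hashlib
import hmac
import json
import statistics

# Constructed shared secret between the edge node and the central application.
EDGE_KEY = b"constructed-demo-key-not-for-production"

def edge_filter(readings, window=100, low=18.0, high=22.0):
    """Return the messages an edge node forwards for a list of (ts_ms, value).
    Out-of-band values go upstream immediately as anomalies; in-band values
    are collapsed into one trend summary per `window` readings.
    """
    forwarded, buffer = [], []
    for ts, value in readings:
        if value < low or value > high:
            forwarded.append({"type": "anomaly", "ts": ts, "value": value})
            continue
        buffer.append(value)
        if len(buffer) == window:
            forwarded.append(_summary(ts, buffer))
            buffer = []
    if buffer:  # flush a partial window at the end of the stream
        forwarded.append(_summary(readings[-1][0], buffer))
    return forwarded

def _summary(ts, values):
    return {"type": "trend", "ts": ts, "n": len(values),
            "mean": round(statistics.fmean(values), 3),
            "min": min(values), "max": max(values)}

def sign_batch(messages, key=EDGE_KEY):
    """Canonically serialize the batch and attach an HMAC-SHA256 tag."""
    body = json.dumps(messages, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_batch(envelope, key=EDGE_KEY):
    """Receiver side: reject batches that were altered or forged in transit."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])

def demo():
    # Constructed stream: 1000 readings/s of a healthy process with two spikes.
    readings = [(ts, 20.0 + 0.5 * ((ts % 7) - 3) / 3) for ts in range(1000)]
    readings[250], readings[731] = (250, 31.5), (731, 4.2)
    forwarded = edge_filter(readings)
    # 1000 readings in, 12 messages out (2 anomalies + 10 trend summaries)
    return len(readings), len(forwarded), verify_batch(sign_batch(forwarded))
```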
Why IoT Is Inherently Insecure
Through numerous books, articles, websites and interviews with IT professionals, we have assembled a list of factors for your consideration.
- Time-to-market pressures drive expedient shortcuts in the development, testing and maintenance of IoT devices, which may pose the risk of security breaches.
- Lack of authentication
- Absence of encryption
- Information assets across IoT architectures can be undervalued and therefore insufficiently protected and monitored. IoT sensors can be quite inexpensive, are always on, and are often “out of sight, out of mind”.
- Lack of codified provisioning: many IoT devices connect to networks without authorization.
- Rusting firmware: The fact is that IoT devices are often a “set and forget” proposition and are sometimes even completely forgotten. When checking for firmware updates is a manual process, it is more likely to be overlooked.
- IoT devices are often placed for convenient usability rather than in the most appropriate network segment with sufficient security measures.
- Insufficient security regulations and guidelines from Governments and Industry, respectively
- Security training for developers is often incomplete or inconsistent
- Insufficient code testing during development
- Supply chain dynamics can lead to unwarranted trust in upstream and downstream component providers.
- Components of an IoT solution are tested discretely rather than as the entire device architecture (which may also lead to less robust security due to supply chain issues).
- Introduction of insecure code into a secure product using packages and libraries that were not tested for interaction with other components.
- Lack of threat modeling
- IoT devices are susceptible to:
  - Cyclical redundancy checking
  - Man-in-the-middle attacks
  - Denial of service
  - Radio signal jamming
Summary
Devices of all types may be on our networks. When they are provisioned and managed, the risks can be continually mitigated through policies, controls, processes, and procedures. From here on, this blog deals mostly with unmanaged devices, as IoT integrates into, and possibly infects, our networks.
In our next post, we will cover the discovery of IoT devices in your network and current practices for IoT discovery and threat assessment, including reverse engineering of firmware to identify risks. The first step in solving problems is always to recognize them.