*By André Bitencourt
IoT (Internet of Things) is a concept that refers to the digital interconnection of everyday objects with the Internet, connection of objects more than of people. Thus, the Internet of things it is nothing more than a network of physical objects capable of gathering and transmitting data.
To bring security in IoT environments has become a major challenge with the increasingly technologically connected world. Many risks arise all the time, which is a major concern for IoT developers.
To get a better understanding of how this issue is being addressed, 10 of the biggest challenges to keeping the IoT safe are listed below:
1- Protect restricted devices
There are a wide variety of devices that make use of IoT, some have storage and processing limitations. Thus, stronger encryption protocols are unfeasible, as they are not able to perform these processes quickly. So, they use lighter encryptions and multiple layers of defenses such as: separating devices into distinct networks and making use of firewalls. This makes up for the limitations present in these types of devices.
2- Authorize and authenticate devices
Authentication and authorization are of utmost importance as so many devices can have access to an IoT system. some like smartwatch, card machines, tablets and others, need identifiers before accessing services and applications, but many of these have problems related to authentication. This is the case with weak passwords or passwords with unaltered patterns.
So, to help mitigate these authentication deficiencies, an IoT platform that provides security by default must be adhered to. As it provides 2-factor authentication (2FA), enforcing strong passwords and criteria. Furthermore, IoT platforms provide authorization services, controlling which services, applications or resources can be accessed.
3- Manage Device Updates
Apply updates including patches of security in the software and firmwares on IoT devices and gateways present great challenges. It's important to check what updates are available and apply them synchronously across heterogeneous environments (environments that rely on different types of systems and devices). With this scenario, it is also important to create a rollback strategy in cases of failed updates.
Many devices are no longer compatible with all updates, either because they are old or because they no longer receive support from the manufacturer. Also, there may be devices that are unable to be updated so over-the-air (over the air) or updates without downtime. In these cases, devices must be physically accessed or taken out of production for updates.
Updates are at the owner's discretion and responsibility, however it is critical to maintain device management. Often, the management systems send updates automatically (they can only opt for legitimate updates), in addition to managing in cases of rollbacks due to failed updates.
4- Protect communication
In addition to securing devices, one of the biggest challenges is securing the entire communication network between cloud services and applications.
A management must be implemented, since not all devices encrypt messages before transmitting over the network, therefore, a transport encryption is necessary. Other measures such as restricting physical access and disabling unnecessary operating system features become good practice to maintain security. The use of separate networks also helps to keep the information transmitted confidential.
5- Ensure privacy and data integrity
To ensure that data maintains its privacy and integrity, an important point is that it is processed and stored securely. Data privacy includes any type of editing or anonymization of sensitive data before it is stored or shared. Data that is no longer needed must be safely disposed of and if there is a need to keep this data, legal and regulatory compliance must be guided.
To ensure data integrity, the use of Blockchain (system of record that contains all transactions processed in the application) used as a distributed and decentralized “ledger” for IoT data, offers an approach to how the data should be treated. In addition, those responsible must make use of checksums to ensure that the data has not been modified.
6- Protect applications from web, mobile and cloud
The applications of web, mobile and cloud are used to access, manage and process IoT devices and data. All practices for the protection of mobile apps and web must be followed. In addition to making use of multi-layered protection to maintain security.
At the application development stage, it is extremely important to use secure engineering to avoid security related issues. The implementations of systems such as MFA are important (Multi factor authentication) in accesses to applications and password recovery system in a secure way. Thus, the result brings more security for users and applications.
7- Ensure high availability
With each passing day, we rely more on IoT, so one of the biggest challenges in development is how to maintain high availability of IoT data.
There are several ways that availability can be interrupted in some way, examples: connectivity failures or denial of service attacks. An interruption in this availability would bring the most diverse consequences to users, from loss of revenue to loss of life. For this reason, there is rigorous work to protect this availability, as services such as traffic control and hospital are often dependent on IoT data. Points such as defense in cyber attacks and physical tampering must be a priority in the treatment to maintain the high availability of the devices. Systems must be designed with fault tolerance, so that they can adapt and correct problems, in addition to ensuring redundancy in combating single points of failure.
8- Preventing incidents by detecting vulnerabilities
Although there is a lot of work to prevent incidents and detect vulnerabilities, services will never be fully protected. As IoT systems encompass many services, devices, applications and communication protocols, this leads to complexity in detecting vulnerabilities. In this way, a monitoring of network communication and logs activities, in addition to having a team of pentest to carry out attacks on systems to identify possible vulnerabilities and thus apply the appropriate fixes and implement an incident detection and notification system.
9- Manage vulnerabilities
It is a big challenge to manage how a vulnerability can be rebounded and how a breach can be impacted due to the complexities of IoT systems. Before anything else, it is necessary to identify which users and devices were affected, which services were accessed or compromised and after this analysis, take immediate mitigating actions. Devices can be temporarily disabled or isolated by “device management” until the problem is remedied. This feature is indicated in case of essential devices of gateway, thus limiting potential damages or service interruptions. It can also be automatically applied a rules engine with rules based on vulnerability management policies.
10- Predict and avoid security issues
In IoT, applying effective security intelligence becomes a major challenge, as this intelligence not only helps in detecting and mitigating problems, but is also used to proactively predict and protect security threats. Which proves to be a very effective tool in combating system breaches.
Other approaches are also used, such as tools for:
- Monitoring – that through them it is possible to identify the actions that are taking place within the IoT systems in real time and;
- Analysis – which can help managers in making strategic decisions. The objective of these approaches is to maintain as little human contact as possible and to make use of algorithms to adapt it. Since maintaining manual services in a continuous and controlled manner, it becomes a very difficult task.
It is concluded that maintaining the security of IoT systems can generate some challenges, but applying approaches that help to keep the environment safe is extremely important in combating vulnerabilities, risks, breaches and incidents. In addition, it cannot have space for negligence related to safety, it must be analyzed as a priority factor, aiming to create a structure and processes to ensure that the risks are corrected and mitigated prior to their materialization. For this reason, it is essential to have a management with an aligned strategy, make use of best practices and keep systems in compliance, as it will help in the effectiveness of secure services and control in maintaining high availability.
Remember, the challenges do not stop, many new things will come and with them many other efforts.
— André Bitenourt is a GRC Trainee at [SAFEWAY]
THE SAFEWAY is an Information Security company, recognized by its clients for offering high added value solutions, through Information Security projects that fully meet the needs of the business.
During these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence in our clients, which constitute in large part the 100 largest companies in Brazil.
Today through more than 23 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best technology solutions, processes and people.
SAFEWAY can help your organization through SAFEWAY SECURITY TOWER a complete service chain so that your operations continue to be monitored and protected by a highly specialized team. Our SOC works on a 24×7 basis, with a high-performance technical team and tools to assist your organization in identifying and responding to incidents in a predictive and reactive manner, keeping your business safe and monitored at all times.
Let's make the world a safer place to live and do business!
