by Gorav Arora
In the latest example of the growing public awareness of IoT-related security risks, Consumer Reports recently announced plans to begin factoring cybersecurity risks and privacy safeguards into its product scoring. The development is a sign of slow but significant progress toward an important goal, and it comes in no small part from consumer demand.
The news followed a prior major development – the National Institute of Standards and Technology (NIST) releasing special guidance on securing the IoT. This long-awaited move was another sign of the urgency of the challenge – the announcement was actually moved up because of the much-publicized Mirai botnet, the first prominent illustration of the IoT’s vulnerability to large-scale malicious behavior.
Subsequently, the president’s recent executive order further elevated NIST’s role in defining cybersecurity requirements—not just guidelines. Although NIST’s guidelines do not carry regulatory weight, the office does provide an authoritative voice, and many companies look to it for guidance. NIST’s guidelines on IoT security are pragmatic and essential, and companies have begun to take notice.
So will the current pressure from consumers and guidance from government be enough to usher in a widespread upgrade to IoT security?
Whether the impetus comes from consumers, government or the private sector, the question now is one of execution – when will better safeguards be put into place, and how might they be enforced? In the EU, the General Data Protection Regulation (GDPR) provides an example of what that might look like. GDPR holds the privacy of the individual paramount and has a significant impact on IoT vendors. Businesses that fail to comply with GDPR can be fined €20M or 4% of annual revenue.
The United States is a different political environment, where government cybersecurity mandates affecting the private sector may be received unfavorably. It is, however, possible that U.S. government agencies will impose security requirements on the IoT-related technologies they acquire, and that these requirements will end up being adopted across industries and geographies. The Federal Information Processing Standard 140-2 (FIPS 140-2), which is widely used outside the public sector, is a good example.
Or, perhaps, given the large negative economic impact of getting security wrong, the next major development will come from the private sector. Currently, a number of industry consortiums are collaborating to develop IoT security frameworks. However the security frameworks and guidelines for IoT ecosystems evolve and play out on a broad level, businesses can still take steps now to ensure that their IoT solutions are not propagating undue risk.
This is most effectively done by evaluating the IoT system through the key security principles of Confidentiality, Integrity, Availability, Accountability and Auditability (CIAAA). An effective way to do this is with a persona-based approach. This involves identifying every distinct persona involved in an IoT system – including the buyer, the device manufacturer, the cloud provider, developers, other vendors and the hacker – to ensure the five key security principles are upheld through all their interactions.
Each persona will likely need to be assigned a digital identity, to serve as the cornerstone for achieving the above key principles. Access to the data should be based on the principle of least privilege, so any given persona is able to touch only the data that it needs for legitimate purposes. Appropriate tools should be employed to achieve the required level of assurance for authenticity, such as certificates stored in hardware roots of trust, and multi-factor authentication.
All data related to the system should be categorized by business value and impact and given the level of protection it requires. Broadly speaking, sensitive data should always be encrypted at rest and in motion to protect it against theft or manipulation. Access to sensitive data should be securely recorded and made available for audit.
Finally, special attention must be paid to the basics – network monitoring, vulnerability patching, using tamper detection for the devices and code signing to validate what they’re doing.
Above all, it is important to evaluate the security solutions through the user experience of the persona, to ensure that friction for all, except the hacker persona, is minimized. Any area of friction will foster the search for an alternative, easier means, introducing weakness in the system.
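A minimal illustration of the persona-based, least-privilege evaluation described above, added here as an example (not the article's or Gemalto's code): the personas are the ones the article lists, while the data classification, the policy and the hash-chained audit log are constructed assumptions.

```python
"""Persona-based least-privilege check with a tamper-evident audit trail.
Added example, not from the original article: personas are those the article
lists; the data classification, policy and sample accesses are constructed."""
import hashlib
import json

# Constructed classification by business impact ("high" data must be logged).
IMPACT = {"device_telemetry": "low", "customer_pii": "high", "firmware_signing_key": "high"}

# Constructed policy: each persona gets only the (data, operation) pairs it
# needs; anything not listed is denied, and the hacker persona has no entry.
POLICY = {
    "buyer": {("customer_pii", "read"), ("device_telemetry", "read")},
    "device_manufacturer": {("device_telemetry", "read"), ("firmware_signing_key", "sign")},
    "cloud_provider": {("device_telemetry", "read"), ("device_telemetry", "write")},
    "developer": {("device_telemetry", "read")},
    "other_vendor": set(),
}

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Hash-chained log: every entry commits to the previous hash, so an
    edited or deleted entry is detected by verify() (integrity + auditability)."""
    def __init__(self):
        self.entries, self.prev_hash = [], "0" * 64

    def record(self, persona, data, op, allowed):
        entry = {"persona": persona, "data": data, "op": op,
                 "allowed": allowed, "prev": self.prev_hash}
        entry["hash"] = self.prev_hash = _digest(entry)  # hashed before "hash" is set
        self.entries.append(entry)

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

def authorize(persona, data, op, log):
    """Default deny. Accesses to high-impact data, and every denial, are
    recorded so each persona's actions are accountable."""
    allowed = (data, op) in POLICY.get(persona, set())
    if IMPACT.get(data, "high") == "high" or not allowed:
        log.record(persona, data, op, allowed)
    return allowed
```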
IoT risk goes beyond just privacy concerns, and even beyond the fact that it presents a large attack surface. The primary risk it presents is the large volumes of data that can be stolen, whose future value is fundamentally not well understood today—and thus neither is its breach impact.
Moreover, there is a risk of data integrity attacks, which seek to alter data rather than steal it, affecting decision-making systems and processes and causing business disruption and/or financial loss. This problem extends all the way to the IoT edge, where manipulation of sensors can feed faulty data into intelligent upstream systems, causing them to make unfavorable decisions. Such attacks could wreak widespread havoc on financial markets, power grids, traffic management systems, utilities, and more.
In the end, given the sheer revenue potential of IoT, proper security within IoT is inevitable. The only unknown is the number of casualties of people, devices and businesses it will take to get there. Hopefully, the ramped-up pressure from consumers and government will accelerate the process.
Gorav Arora is the data protection CTO at Gemalto.